Director responsibilities for cyber security
This article was current at the time of publication.
Cyber governance and cyber risk need to be top-of-mind concerns for directors across all business sectors in the wake of security breaches such as those at Optus and Medibank.
According to PwC Australia, data breaches cost Australian businesses around $29 billion a year, with government statistics showing that in the last six months of 2021 alone there were 464 notifiable breaches.
The Notifiable Data Breaches scheme commenced under the Privacy Act 1988 on 22 February 2018. Penalties for failing to report a breach range from $444,000 for individuals up to $2.2 million for companies.
Under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, currently before the Commonwealth Parliament, this will increase to a civil penalty of $2.5 million for a person and, for bodies corporate, a maximum penalty of the greater of $50 million and two alternative amounts.
According to Patrick Fair, a commercial lawyer with expertise in data governance and Adjunct Professor, School of Information Technology, Faculty of Science, Engineering and Built Environment at Deakin University, those alternative amounts are three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy, or – if the value cannot be determined – 30 per cent of adjusted turnover in the relevant period.
With the government having recently introduced significant reforms to the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, the onus is on 12 sectors from communications to transport to be aware of their obligations to oversee and manage security threats that must be reported within 12 to 72 hours.
For accountants who work with companies in these sectors and small-to-medium enterprises (SMEs), checking in with directors about their vulnerability is an important new part of doing business.
“Under Section 180 of the Corporations Act 2001, a director must act with reasonable care and diligence,” says Alan Arnott, Managing Partner of Sydney-based Arnotts Technology Lawyers.
“A director who fails to do so may be ordered by a court to pay up to $200,000 in penalties.
“That hasn’t happened yet in relation to cyber security, but there is no reason it couldn’t be applied.”
Compliance versus punitive action
Fair says the predominant focus of the Department of Home Affairs in enforcing the security of critical infrastructure amendments is encouraging compliance rather than imposing penalties for reported breaches.
“The government is taking a soft line trying to get all businesses to comply with new cyber security rules for critical infrastructure, but the department has said it is going to allow time for industry to come into compliance,” he says.
“For SMEs, regulatory proposals include cyber health checks for small business, security labelling and improving vulnerability disclosure policies.”
In a first, in May this year, the Federal Court of Australia found that an Australian financial services licensee, RI Advice, breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks and fined the company $750,000.
“The facts of the case are instructive because RI Advice knew it had a problem but appears to have been slow to respond with appropriate remedial steps,” Fair explains.
Beyond penalties for the corporation under the Privacy Act, and penalties for a director who, in breach of Section 180 of the Corporations Act, fails to exercise due care and diligence in relation to a cyber incident, there can be other significant consequences.
“In extreme cases, there is potential for directors of businesses that experience a data breach to be sued by shareholders for a decline in the value of the company,” Fair warns.
He also notes that the Privacy Act has a class action provision and provides an administrative mechanism for compensation to be paid to victims of cyber security breaches.
“Increasing exposure of the company to regulatory action also increases the chance that directors will be held responsible.”
The time to make sure clients are giving proper consideration to cyber risk is now.
Preventive action and a data breach plan are key
The Australian Institute of Company Directors (AICD) has cited lifting cyber resilience across the economy as one of its main priorities in the 2023 financial year.
It has called for a coordinated policy approach that supports a board’s risk oversight and promotes a partnership between the government and the private sector.
Lifting cyber resilience across the economy is a national security, economic and legislative challenge and one that is “keeping directors awake at night”, the AICD maintains.
To support directors, it has partnered with the Cyber Security Cooperative Research Centre to develop new cyber security governance principles.
Specific guidance for directors of SMEs and not-for-profits is included.
While directors don’t necessarily need to know how the technology works, they should be aware of the level of protection needed and have a backup plan in the event of an incident, Fair says.
“Listening to clients who highlight a weakness, or vulnerability in the system, and acting on it could also save businesses a fortune,” he adds.
From a director’s viewpoint, Arnott says some very basic actions should be ticked off.
“The most important is ensuring the technology ecosystem that the company operates in is secure, although nothing is ever 100 per cent unbreachable.
“That means engaging suitable cyber security consultants to provide advice, which is then implemented.”
Because cyber risks can arise from a company’s network of partners, suppliers and vendors, an effective cyber risk strategy must include improving the cyber resilience of different industries and sectors, the AICD emphasises.
Obtaining insurance – for the company and its directors and officers – is also vital.
Finally, in addition to engaging their accountant, directors need to have a data breach response plan in place and, in the event of a cyber breach, a lawyer on hand to advise on their immediate legal obligations.