Author: Daniel Petravicius, Senior Assistant Company Secretary, BoardRoom Australia
“The corporate regulator will seek to make an example of board directors and executives who are recklessly ill-prepared for cyberattacks, by taking legal action against compromised companies that did not take sufficient steps to protect their customers and infrastructure from hackers.”
Key take outs:
- ASIC has urged companies to focus their efforts on both the security of their systems and processes as well as on planning their response to a cyber incident.
- Over-reliance on the security measures of third party providers is an area of particular concern and must be addressed as a priority.
- ASIC considers it a directors’ duty to ensure ‘good cyber risk management’ is in place, otherwise they run the risk of failing to adhere to their duty to act with care and diligence and are exposing themselves to the (potential) risk of enforcement action by ASIC.
During his Australian Securities and Investments Commission (ASIC) address to the Australian Financial Review’s (AFR) Cyber Summit on 18 September 2023, ASIC Chair Joe Longo has expressed the increasing importance of cyber-preparedness and ASIC’s expectations of companies, their executives and directors in this context.
This should come as no surprise after ASIC declared cyber security a top priority of theirs in 2022, advising they will be cracking down on companies, Chief Executive Officers (CEOs) and directors regarding cyber security compliance and preparedness.
The seriousness of ASIC’s intentions was evident in the 2022 court ruling in the case of RI Advice Group Pty Ltd (RI Advice), where ASIC successfully argued that RI Advice was woefully ill-prepared for cyber-attacks and failed to comply with their financial service license obligations by failing to act efficiently or fairly by not having in place adequate risk management systems in relation to cyber security. That prosecution resulted in a $750,000 contribution towards ASIC’s legal costs, and a court order to take remediation steps to put in place proper cyber security measures and reporting structures – plus the significant damage (including reputational damage) that flowed from the cyber security attacks themselves.
In addition to brand and reputational damage, companies face potential fines and prosecution for non-compliance. The main legal avenue placing directors and officers at risk from cyber incidents is section 180 of the Corporations Act 2001 (Cth) (Corporations Act), which requires directors to exercise care and skill to defend the business from key risks.
Companies, their respective directors and officers should heed the lessons from the RI Advice case and Mr Longo’s comments at the AFR Cyber Summit, and ensure that they have robust systems and controls in place to manage cyber security risks. Only by doing so can they minimise the risk of contravening their regulatory obligations, incurring significant fines and facing possible prosecution.
Why is ASIC doubling down on Cyber Security?
Cyber resilience is a company’s capacity to prepare for, respond to, and recover from, cyber security events. Cyber resilience is vital to all companies operating in the digital economy, especially for those within sectors like the financial services and medical sectors, where the trust between a company and its customers is essential to their future viability.
ASIC’s December 2021 resilience report stated that companies within Australia had fallen well short of the 14.9% cyber resilience improvement target with only a slight improvement of 1.4%. In addition, the Australian Cyber Security Centre (ACSC) identified that cybercrime reports across Australia had increased by 13%.
ASIC states that managing cyber security risks fall within the realm of general directors’ duties. Companies must warrant that they have taken all reasonable steps to ensure that the people, processes and technologies they employ to protect the security of their information are fit for purpose.
The ACSC states:
“It is critical that Australian organisations are alert to [cyber] threats and take steps to adopt an enhanced cyber security posture and increase monitoring for threats. These actions will help reduce the impacts to Australian organisations of cyber-attacks.”
Last month the Office of the Australian Information Commissioner released statistics showing there were 409 data breaches between January and June 2023 alone, and the Australian Bureau of Statistics (ABS) has said at least 20% of Australian businesses were breached by hackers in FY2022 (this is approximately 518,000 businesses based on the ABS’s businesses data as at 30 June 2023).
What does this mean for CEOs and Directors?
Mr Longo emphasised the key role ASIC considers directors must play in this context, underlining that ASIC considers ensuring ‘good cyber risk management’ is in place, forms part of directors’ duty to act with care and diligence.
Mr Longo commented:
“Good cyber risk management must start at the top. It’s only by starting there, with good governance and a comprehensive risk assessment, that we can successfully set the right tone… Cyber security and resilience are not merely technical matters on the fringes of directors’ duties. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could mean failing to meet your regulatory obligations”.
Mr Longo also cautioned that directors who fail to prioritise cyber are exposing themselves to the (potential) risk of enforcement action by ASIC:
“For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence”.
These comments emphasize the importance of prioritizing cyber security at the highest level to ensure regulatory compliance and the fulfilment of directors’ fiduciary responsibilities. To avoid claims and contraventions of the Corporations Act, directors need to ensure their companies have implemented and tested appropriate controls, mechanisms and systems to prevent and respond to cyber incidents.
This means that CEOs and directors need to be proactive in ensuring that their company has appropriate measures to protect it from cyber threats, including from third party providers. This includes developing and implementing policies and procedures around data security, continually educating employees on best practices, regularly reviewing the cyber security arrangements and level of vulnerable information from third party providers and having an effective incident response plan in place in the event of a breach.
What steps can CEOs and Directors take to ensure they meet ASIC’s Cyber Security expectations?
There are a number of steps that CEOs and directors can take to ensure compliance with ASIC cyber security expectations and protect their companies. Firstly, they should ensure that they have a clear understanding of the requirements. Secondly, they should put in place appropriate systems and controls to mitigate the risks associated with cyber security (including risk incurred through third-party providers). Thirdly, they should put in place a comprehensive incident response plan and regularly test that plan. Finally, they should regularly review their cyber security arrangements to ensure they are effective as well as the security arrangements of their third party providers.
Mr Longo commented that the cyber security arrangements will be subjective to each individual company, saying that:
“Measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification. ASIC also expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain”.
In considering these matters, directors should also determine whether specific cybersecurity expertise is required internally at the operational level as well as at a board level due to the increasing focus on the cyber maturity of boards. As cyber risks continue to escalate, director awareness and education must be a priority for companies moving forward. Given regulatory changes, regulator enforcement and the courts beginning to look at cyber risk in a new light, directors are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.
However, for some companies, the cost to internally hire experienced and certified cyber security specialists and obtain the appropriate tools and training to review and comply with data protection laws can be cost-prohibitive. Companies who engage with external dedicated cyber security providers (not IT providers) may realise significant returns on their investment, with broader team knowledge, experience and reporting.
Whether tackled internally or externally, companies can minimise the risks associated with cyber security and ensure regulatory compliance by working collaboratively towards enhancing the company’s cyber security maturity through a recognised cyber security framework.
Directors can no longer take their cyber security responsibilities lightly. Without appropriate cyber security controls and mechanisms firmly in place, the occurrence of a cyber incident and potential long-term damage to a company’s business can expose directors to personal legal liability.
There is no silver bullet; however, with the right systems and controls in place, companies can minimise the risks associated with cyber security. By viewing cyber security as a whole of business risk, companies can exceed relevant regulatory compliance whilst protecting their brand, reputation and trust with their customers.