_{Co-authored by Olivia Camilleri}

Australian company directors are facing an increase in responsibilities as we transition further into the digital economy.

While developments in innovation and technological advances offer businesses lucrative opportunities to scale and thrive, the shift in the digital landscape has imposed additional obligations on company directors. Company directors are now responsible for managing cyber security and risk, and securing the increasing volume of confidential information collected from consumers online.

The Australian Government and regulators are currently reviewing the scope of directors’ duties concerning digital security, privacy and consumer matters. We expect directors’ duties to expand.

Cyber security, privacy and data protection is more critical than ever before. Directors must take steps to assess the risks relating to a breach of digital security, ensure measures are in place to protect it and incorporate ongoing cyber security assessment and management into the corporate governance framework.

So, what’s the bottom line for directors and cyber security?

Your enterprise management must include regular and ongoing consideration of cyber security. This includes risk-assessment and investment in the development and implementation of a resilient digital strategy:

• Addressing cyber security and managing risk is a directors’ duty.
• A failure to take action could result in directors being held personally liable for a breach of directors’ duties through civil litigation with consumers or failing to comply with current (and new) legislation. Consumers in the United States are taking civil actions against directors for alleged failure to take adequate steps to protect their confidential information. These civil actions are outside the scope of the liability caps consumer contracts may otherwise seek to impose.
• Directors of listed companies must consider cyber breaches (and risks) in any prospectus issue and as part of their periodic and continuous disclosure obligations.
• The Australian Securities and Investments Commission (ASIC) has indicated its willingness to prosecute companies that fail to implement cyber security measures. In RI Advice Group Pty Ltd, ASIC alleged that RI Advice Group failed to implement adequate policies, systems and resources which were reasonably appropriate to manage risk related to cyber security and cyber resilience. This action doesn’t directly involve directors but is an indication that ASIC is taking cyber breaches seriously. On 5 May 2022, the Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. The decision confirmed that management of cyber security risk and cyber resilience is critical. Australian corporations should review their cyber security measures regularly and follow advice of the Australian Cyber Security Centre.
• In 2015, ASIC confirmed cyber security falls within directors’ duties and identified cyber security and resilience as high-risk areas for enterprise, warning it would be the subject of future review. Read the ‘Cyber resilience: Health check’ report.
• A mandatory review of directors’ duties is included in Australia’s Cyber Security Strategy 2020 (the Strategy). Item 36 of the Strategy forewarns legislative changes prescribing a minimum cyber security baseline across the economy, including:
  • Privacy
  • Consumer and data protection laws
  • Duties for company directors.

• In recent years, the Australian Government has developed the 2023-2030 Australian Cyber Security Strategy which seeks to:
  • Increase cyber protection in Australia
  • Ensure government systems have a robust cyber-secure infrastructure
  • Develop independent strategies to manage cyber threats and attacks
  • Enhance Australia’s international efforts
  • Provide further education and training to equip cyber workforces with the necessary skills to combat cyberattacks.

The Minister of Home Affairs, Hon Clare O’Neil, has appointed an Expert Advisory Board to oversee and ensure the objectives of the strategy are being met.

• Significantly, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) was enacted as an amendment to the Security of Critical Infrastructure Act 2018  in accordance with the Security Legislation Amendment (Critical Infrastructure) Bill 2021.  The SLACIP Act introduced an obligation on entities to establish a risk management program to enhance the security of critical infrastructure within entities internal operations. In addition, the amendment imposes a stricter enforcement of measures to protect systems of national significance by obliging operators to enhance security measures.

Directors’ duties and cyber security – where to start

Now is the time to take action and invest in resources to protect the digital integrity of the company. Ensure cyber security, privacy and data protection is part of your risk assessment and corporate governance processes and mitigate the risk of personal liability for breach of directors’ duties.

Here’s a general overview of what to do:

Include cyber security within the broader enterprise risk assessment protocol

• Identify, assess and document
• Address foreseeable risks immediately
• Isolate critical company assets, implement cyber security resilience protection and ensure regular testing and reporting
• Engage a cyber security expert who can provide ongoing education and best practice advice to directors or the board
• Introduce cyber security updates at every board meeting, including any emerging risks

Request and oversee the enterprise

Invest in strengthening security, software and hardware fundamentals

• A policy of strong and regular password changes
• Enforce multi-factor authentication
• Ensure operating systems and software is genuine and up to date
• Use only the tools you need to reduce risk
• Prioritise best-of-suite tools to optimise your risk coverage

Invest in a cyber security team

• Develop a cyber security protocol including a breach response plan that includes directors, customers, stakeholders and staff
• Invest in training and skills development for IT professionals and any other employees involved in cyber security risk management and monitoring
• Create a program for regular checks and updates
• Report all cyber incidents via the protocol regardless of severity or perceived significance

The key takeaway

Directors are responsible for creating and maintaining cyber resilient enterprises, and failing to do so brings the hefty whack of potential personal liability.

To discuss how best to meet your cyber security obligations as a company director, please contact Coleman Greig’s Commercial Advice team.