Cybersecurity for directors: fail to prepare, prepare to fail

By Eden Winokur and Matthew Hinde

With the threat of cyberattacks looming larger than ever, cyber security is now one of the greatest concerns for corporates in Australia and globally. Directors and officers of corporations are expected to play a proactive role in protecting their companies from cyber risks.

The threat

According to IBM, the average cost of a data breach is estimated to be around $4 million in Australia, making it imperative for directors to understand the risks associated with cyberattacks.^[1] Of course, these figures are impacted by some significant breaches to large organisations, but the key point is that data breaches can cause a significant impact on businesses of all sizes. This includes not just financial losses, but reputational harm and regulatory consequences that can follow.

Your obligations

Among other duties, a director bears the duty of care and diligence, as outlined in section 180 of the Corporations Act. In the context of cyber security, this duty necessitates that directors take reasonable steps to address foreseeable risks, taking into account the nature and extent of cyber risks that affect the corporation. Directors must establish and adhere to appropriate cyber security standards, which can be achieved through the implementation of cyber risk management policies.

Judicial expectations of what a reasonable director might do to oversee the management of cyber risks are likely to increase. At present, there has been some guidance from Justice Rofe who opined that ‘it is not possible to reduce cybersecurity risk to zero… [but] it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls’.^[2] Directors need to be 'cyber-literate' and understand how cyber security relates to their company's business. 'The days are long gone where directors of any company... can say, “Well, I don’t really understand that technology, I don’t really understand how data works’’.’ – ASIC chairman Joe Longo.

Cyber incidents also require an in-depth understanding of the regulatory landscape that impacts a corporation. Depending on the nature of the corporation and type of cyber incident, notification obligations may be triggered in relation to various regulatory bodies, and knowledge of the different triggers and timing requirements is paramount.

ASIC actively targeting directors

Due to the increase in cyber security attacks impacting a significant portion of the Australian population, ASIC has shifted its stance from an educator to an activist enforcer. ASIC's chairman recently emphasised at the Australian Financial Review Cyber Summit that 'for all boards, cyber resilience has to be a top priority'. ASIC is actively 'looking for the right case where company directors and boards failed to take reasonable steps or make reasonable investments proportionate to the risks that their business poses'. 'ASIC will commence proceedings if it has reason to believe those steps were not taken’. Based on these comments, it appears to be a question of when, not if.

While ASIC has only taken court action for cyber security defects once before, against financial services firm RI Advice Group (RI) (where RI was ultimately ordered to pay $750,000), the Office of the Australian Information Commissioner (OAIC) has open investigations into cyberattacks on Latitude, Medibank, and Optus, which may pave the way for ASIC to take legal action, in addition to likely class action lawsuits. The OAIC has also commenced Federal Court proceedings against Australian Clinical Labs Limited for failing to protect personal information and not complying with the notifiable data breaches scheme in the Privacy Act 1988 (Cth).

ASIC cyber pulse survey results

ASIC recently released Report 776 Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 which exposed several deficiencies in corporate Australia’s cyber capabilities – paving the way for increased regulatory action. The following key results stand out from participants of the survey:

1. 33% do not have a cyber incident response plan;
2. 44% do not manage third-party or supply chain risk;
3. 58% have limited or no capability to protect confidential information adequately; and
4. 20% have not adopted a cyber security standard.

Key questions for directors

In assessing risk and developing or improving cybersecurity plans, directors should consider the following critical questions:

1. Are cyber incident response plans in place? Have they been tested?
2. Are cyber risks integrated into your organisation's risk management framework?
3. Are cybersecurity activities properly resourced?
4. Does your board require additional expertise and/or training to understand cyber risk?
5. Does your organisation have a strong cybersecurity culture?
6. How are your employees made aware of cybersecurity?
7. How are cyber risks monitored and what escalation triggers are adopted?
8. How frequently is your cyber risk mitigation strategy reviewed at board level?
9. How is cyber risk monitored at board level?
10. What are the cyber threats specific to your organisation's business?
11. What measures protect critical information assets from cyberattacks?

Cyber risk mitigation strategies

While no set of mitigation strategies can guarantee protection against all cyber threats, we recommend directors take the following steps to reduce the threat of cyber risk:

1. Adopt the ACSC’s Essential Eight mitigation strategies as a minimum, which includes the following:
   • Application control.
   • Patch applications.
   • Configure Microsoft Office macro settings.
   • User application hardening.
   • Restrict administrative privileges.
   • Patch operating systems.
   • Multi-factor authentication.
   • Regular backups.
2. When using third-party suppliers, vendors, and managed service providers for software and critical data services, ensure the following:
   • never adopt a ‘set and forget’ approach – actively manage supply chain and vendor risks. Simply signing a contract with a third-party supplier is insufficient.
   • plan and test for potential attacks. Ensure your board knows how to communicate with customers, regulators, and the market in case of an incident. Maintain a clear and comprehensive response and recovery plan that includes third-party suppliers and vendors.
   • identify what you are protecting. Nearly half of the respondents in the recent ASIC cyber pulse survey indicated they do not identify critical information and business-critical systems. If information is not identified before a cyberattack, it cannot be adequately protected.
3. Appoint a Chief Information Security Officer responsible for overseeing the protection of the organisation's data, digital infrastructure, and assets.
4. Consider adding a director with a cybersecurity background to your board or engaging an external adviser who can regularly report to your board to ensure effective oversight of management.
5. Consider obtaining cyber insurance to protect the organisation against expenses and legal costs associated with data breaches that may occur following a hack or theft of personal information.
6. Develop and regularly update a tailored cyber security risk management policy for your company.
7. Continuously reassess cybersecurity risks and policies (at least annually).
8. Ensure access to appropriate resources to effectively manage cybersecurity risks, whether through in-house capabilities or commercial arrangements.
9. Fulfill disclosure obligations by making timely and adequate disclosures of cyber incidents to the relevant regulatory bodies.
10. Inquire about incident response and business continuity plans to assess your organisation's preparedness to respond to cybersecurity incidents.