Cyber risk: Hypothetical or fundamental to discharging directors' duties?

Lisa Fitzgerald, Partner in our Technology and Digital practice, recently contributed to a Cyber Risk Masterclass for Marsh. Here are some of the insights for boards and directors.

A question relevant to all directors is the extent to which accountability for cyber risk will stick to individual directors. This article considers why cyber risk is a direct concern of directors and the measures that can be taken to help protect against liability.

Directors, technology and cyber risk

Under the Corporations Act 2001 (Cth), directors are required to exercise their powers and perform their functions:

  • in good faith including acting in the best interests of the company;
  • with care and diligence; and
  • without using their position or information to gain personal advantage (ss 180, 183, 601FD).

These statutory duties derive from long-standing common law fiduciary duties and emanate from the core duty of due care and skill. However, despite their relative antiquity, these duties remain extremely relevant in the cyber age where every company uses or produces technology in order to operate. With this in mind, what sort of skill is required to manage cyber risk? Does it involve mastering a foreign language comprising AI, algorithms, data sets, data hygiene, data transfer, biometrics, behavioural data, the latest ransomware or dark web activities?

The short answer is no, a Masters in Cybersecurity is not required. The better answer is to understand that because technology now underlies all business and has the potential to disable business, these duties inevitably extend to technology. Accordingly, assessing risks prior to enterprise-wide adoption of new technology is key, followed by continuous post-implementation monitoring. Importantly, these are risks that are addressed neither by reading a company's financial statements, nor by wholesale outsourcing of those technical parts of the business to the IT function, other delegates or advisors.

Moreover, what is generally permitted to compensate for a lack of cyber expertise at director level will turn on the nature of the business, its digital assets and technology-dependency. When speaking with one of the world's leading AI experts, John Collins of FTI Consulting, it was observed that understanding AI, for example, literally requires a PhD and there are only 10,000 people worldwide who hold that qualification. So, what do directors do?

A director is entitled to rely on one or more employees of the company, legal counsel, accountants or other professionals, or a separate committee of the board of which the director is not a member. However, this does not transfer the director's liability, nor can a director rely absolutely on the advice of employees or advisors. Nonetheless, seeking appropriate advice, tailored to the company, is the first step.

Another dimension of directors' duties is balancing reasonable foreseeability of harm against potential benefits to the company. It is a duty that does not require eliminating risk but actively managing it – this will generally require engagement with experts, regular reporting to the board and taking deliberate action in response to those reports. With every company now being a technology company, with data breaches impacting both consumer trust and market capitalisation, cyber-risk is not something you can "unsee".

The rising role of regulators and government intervention

A number of developments in Australia's regulatory scene also point to the need for cyber-vigilance.

  • The Australian Securities and Investments Commission is becoming more active, having commenced an action in August 2020 against RI Advice Group where it is alleged that the company failed to implement adequate cybersecurity measures potentially in contravention of its financial services licence. This case represents the first cyber-related prosecution by our regulators.
  • The ASX has called out cyber security risk in its Corporate Governance Principles and Recommendations published in 2019.
  • The Australian government has released its Cyber Security Strategy 2020 in which further development of director duties relating to cyber risk is tabled (para 36).
  • The Australian government has also released an exposure draft bill imposing new positive security obligations on owners and operators of assets in new classes extending to communications, data storage and health sectors, as well as government powers requiring action to be taken in relation to "systems of national significance".
  • For APRA-regulated entities, there is CPS 234 relating to information security for which there is board level responsibility, which we have written about previously.

Cyber risk governance framework

The case for putting in place a strong cyber security governance program could not be clearer. Here are eight key factors with which we assist clients, that help discharge directors' duties and preserve those assets that allow businesses to operate and grow.

  1. First and foremost, understand the data you hold: classify it according to value, regulatory and contractual obligations, criticality to your "licence to operate". Then build a resilience framework that is graduated and reinforced for the most sensitive and critical data.
  2. Second, beware the click-through agreement for IT cloud services. Tempting though it is to be agile and to fail fast, there is a greater need for:
       • a risk-aware DNA that a traditional procurement function brings to technology procurement;
       • negotiation of the terms and conditions of third-party software suppliers, rather than accepting them as "off the shelf";
       • running the business case, which might include minimum security requirements as non-negotiables.
  3. If you are in the business of M&A, avoid the bolt-on approach that fails to include and prioritise a business integration plan.
  4. Cultivate a practice of completing Privacy Impact Assessments for all technology rollouts.
  5. Build an IT system that uses only what it needs. The less sensitive information a company holds, the less its exposure – so ensure there is a deletion functionality that observes data retention and privacy obligations.
  6. Require regular and effective reporting to the board and a rolling agenda item of "next steps".
  7. Implement and keep updated a data breach response plan.
  8. Take out cyber insurance and institute processes that satisfy policy requirements.

This type of governance framework will help strengthen your IT security posture, which in turn will help discharge the all-important directors' duties.

You can watch the full Cyber Risk Masterclass here.
