Cybersecurity: practical tips for Boards in understanding their obligations
Following the high-profile data breaches of 2022, the landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v RI Advice), and the proposed reforms to the Privacy Act 1988 (Cth), [1] Boards of businesses of all shapes and sizes are asking questions about their obligations in relation to privacy and cybersecurity.
A director’s duty of care
Directors owe a duty to the corporation of which they are an officer to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in the same position, [2] taking into account the corporation's circumstances and the office and responsibilities held by the director.
A breach of this duty may result in a court declaring the contravention and imposing a pecuniary penalty on the director.
ASIC v RI Advice: what happened
ASIC brought proceedings against RI Advice for breaching its obligations as an Australian Financial Services (AFS) licensee [3] by failing to have adequate cybersecurity risk management systems in place, both for itself and for the financial advice practices acting as authorised representatives within its network (AR Practices). The AR Practices experienced nine cybersecurity incidents between June 2014 and May 2020, including phishing, ransomware and hacking incidents.
RI Advice did implement cybersecurity measures in response to these incidents between 2020 and 2021; however, the Court found that it had taken too long to implement those measures and to ensure they were in place across its network. [4]
ASIC v RI Advice: takeaways
ASIC v RI Advice is relevant to all company directors (not only AFS licensees), as elements of the case are likely to be used to assess a director's liability under their duty of care with respect to cybersecurity, regardless of whether the company itself has breached the law. [5] This, together with recent guidance from ASIC, [6] indicates that courts and regulators will be taking the cybersecurity obligations of companies and directors seriously going forward.
Practical steps Boards can take now
While the Court in ASIC v RI Advice acknowledged that it is "not possible to reduce cybersecurity risk to zero", [7] Boards should take steps to ensure they have "adequate" cybersecurity risk management systems in place, that is, systems that take into account the risks the business faces in its particular operations and IT environment. [8]
Practical steps for Boards include:
- determining what the company’s current cybersecurity posture is through assessing what policies and procedures are currently in place;
- identifying the cybersecurity risks the company faces in relation to:
o the types of data it handles, and the risks that attach to that data if it were accessed or disclosed by an unauthorised party, or lost;
o its operations, products and services, and supply chain;
o its IT environment, hardware and software, remote working practices, and outsourced cloud or customer relationship management (CRM) service providers; and
o its people, cybersecurity awareness, training, and internal resources;
- determining the company’s ideal cybersecurity posture: the IT environment, policies and procedures needed to reach the strength of cybersecurity that adequately addresses the risks the company faces, taking into account the size of the company, its resources, common practice in its sector, and the risks in its particular goods and services, data it handles and customer base;
- assessing whether the level of cybersecurity expertise among current Board members enables the Board to effectively identify and manage the cybersecurity risks the company faces, and whether the Board should consider engaging directors with specific cybersecurity expertise or providing further, regular training to the Board;
- assessing how often the Board discusses cybersecurity risks, what structure is in place for that discussion, and whether that discussion should occur more regularly; and
- involving cybersecurity experts from IT, policy and operational perspectives. The Court in ASIC v RI Advice acknowledged that "cyber risk management is a highly technical area of expertise", and that the assessment of "adequate" protections for a particular business should involve experts. [9]
While these steps may involve some expense at the outset, they will leave the Board better placed to understand and fulfil its obligations. They will also mean that the company is better prepared for the cybersecurity threats it faces every day.
To ensure your Board understands its directors' duties in relation to privacy law and cyber risk, our privacy and commercial lawyers are delivering tailored Privacy + Cyber Awareness Training for Boards. Ensure your directors are equipped to meet their obligations, contribute appropriately to the day-to-day risk management practices of the business, and are confident in their role, involvement and personal risk in the event of a data breach. Reach out here to discuss training for your Board.
Katherine Boyles is a Commercial Lawyer at Law Squared.
This article was first published in the May 2023 Law Institute Journal here.
[1] Attorney-General (Cth), Privacy Act Review (Report, 16 February 2023).
[2] Corporations Act 2001 (Cth) s 180(1).
[3] Ibid ss 912A(1)(a) and (h).
[4] ASIC v RI Advice, [26].
[5] Cassimatis v ASIC [2020] FCAFC 52, [75], [679].
[6] ASIC, ‘Cyber risk. Be prepared’ (15 July 2022); ASIC, ‘Key questions for an organisation’s board of directors’ (16 January 2023).
[7] ASIC v RI Advice, [55].
[8] Ibid.
[9] Ibid.