Cyber risk poses an unprecedented threat to businesses. The multitude of issues facing boards in the cyber security space is growing, and ignorance is no longer an excuse. Company directors are ‘on the hook’ for cyber security issues and developing cyber resilience needs to be at the top of every board’s agenda.
With increased scrutiny from ASIC and imminent changes to the Privacy Act 1988, it is essential that directors take responsibility for building cyber maturity. This is not just about the IT department – it requires an organisation-wide, multi-disciplinary approach, bringing together legal, technology and communications functions among others. As the threat environment is constantly changing, cyber risk is here to stay and demands continuous focus.
While the risks associated with cyber security make headlines on an almost daily basis, it can be difficult for company directors to know where to start to ensure they properly exercise their directors’ duties. The best approach is for directors to surround themselves with advisers who have relevant legal, technological and communications expertise to ensure they are taking a holistic approach to the issues.
At present, Australia does not have specific legislation relating to cyber security. This is in sharp contrast to jurisdictions such as the US and Europe, which have broader cyber security and data protection legislation. However, imminent changes to the Privacy Act will change this – at least in relation to personal information.
The changes will make it mandatory to give notice of certain data breaches, and this is expected to have significant practical consequences for many businesses. When an incident occurs – whether it is a data breach or another cyber incident – there is often an understandable (although quite dangerous) ‘rabbit in the headlights’ scenario: boards become so busy responding to the technological aspects of the crisis that the legal and communications requirements are temporarily forgotten. Preparation for these scenarios, encompassing all relevant issues, is critical now and will become even more so when the data breach notification legislation takes effect in 2017 (as currently expected).
Existing legislation already applies to cyber security
While there is not yet cyber-specific legislation in Australia, the existing legal framework does regulate these issues in a number of ways.
ASIC has made it clear that cyber security is a directors’ duty issue. The key duty is for directors to act with reasonable care and diligence. Therefore, directors face personal liability for failing to foster cyber maturity in their organisations.
Additionally, under the Corporations Act 2001, companies have a range of obligations regarding disclosure, business continuity, security and governance; each of these has the potential to touch the cyber security space. While online security may not yet be specifically addressed in the Corporations Act, it is clear that these parts of the existing legislation are highly relevant to cyber security. For listed companies, their continuous disclosure obligations are also relevant.
The Privacy Act already stipulates that companies must take ‘reasonable steps’ to protect personal information they hold from misuse, interference, loss, unauthorised access, modification or disclosure. If businesses are scrutinised on this point they can expect market practice to have some bearing on how they are judged; as Australia’s cyber security industry matures, the bar is only getting higher.
Inward focus no longer sufficient
It is essential for directors to recognise that cyber risks extend to the supply chain of a business; this is relevant from both a legal and a practical perspective.
Legally, Australia’s privacy regulator expects entities to take appropriate steps to ensure that third parties meet the company’s own Privacy Act obligations.
Practically, given the prevalence of outsourcing certain IT functions, it is important for companies to consider these third parties when approaching cyber security. Policies and procedures which set out cyber security parameters should be a key element in contracts with third parties. A high-profile example from the US is the Target breach, in which Target’s systems were hacked through the system of a third-party vendor, resulting in 40 million stolen credit card numbers; it shows how a supplier’s own weakness can have serious repercussions for a company.
Cyber security’s ‘brave new world’ has changed everything and directors need to be extremely thorough and proactive to mitigate the attendant risks.