This article was co-authored with Liam-Shiel-Dick
Over the past 5 years, Australia has experienced a noticeable surge in cybercrime activity. During the 2020-21 financial year alone, the Australian Cyber Security Centre reported over 67,500 cybercrime incidents, which represented an increase of nearly 13 per cent from the previous financial year. The recent cyber breaches involving some of Australia’s largest telcos are testimony that no company is immune. A number of interconnected trends have contributed to this surge, including:
- the exploitation of the pandemic (and post-pandemic) environment;
- the exploitation of global supply-chain vulnerabilities;
- an increase in the profile and impact of ransomware; and
- the disruption of essential services and critical infrastructure.
As a result, now more than ever directors of Australian companies ought to be aware of the risks and challenges that the threat of cybercrime poses to their companies.
The challenge
Not only are boards confronted by the challenge of managing the threats themselves, but also the difficulty of managing the complexity and pace of the associated regulatory reforms. Regulators (including the OAIC, ACCC, ASIC, and APRA) are scrutinising cybersecurity practices by using expanded supervisory and enforcement tools, which enable them to hold companies to account in unprecedented ways.
There is also an increasing regulatory trend towards the application of existing legal regimes, many of which were not originally intended to address cybersecurity.
The recent decision of the Federal Court of Australia in Australian Securities and Investments Commission v RI Advice Group Pty Limited [2022] FCA 496 (RI Advice) is instructive in this regard, and placed boards on notice that failures to adequately understand and manage cybersecurity and cyber resilience risks will not be tolerated by Australia’s key regulatory agencies. Our article on this case can be found here.
Significantly, RI Advice Group had actually taken a number of steps towards the management of cybersecurity risk for its network of authorised representatives, and among other things, had in place contractual 'Professional Standards' and an incident reporting process.
Notwithstanding, the Federal Court found that RI Advice had breached its license obligations to act ‘efficiently and fairly’ when it failed to have adequate risk management systems to manage its cybersecurity risks. When handing down judgment, Justice Rofe made clear that cybersecurity should be front of mind for all licensees, stating:
‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’
Interaction with directors' duties
Companies should have regard to the decision in RI Advice in the context of all of their cyber security obligations, particularly where those obligations might be said to interact with existing common law or statutory duties: for example, the directors’ duty to act with care, skill and diligence pursuant to section 180(1) of the Corporations Act 2001 (Cth).
As a starting point, RI Advice emphasises that effective cyber risk management is an essential aspect to adequate risk management systems and confirms ASIC’s ongoing focus on cybersecurity risks.[1] Combined with the imposition of other legislative reforms, such as the Security of Critical Infrastructure Act 2018 (Cth) (SOCI), which mandate the implementation of cyber risk management programs for responsible entities, it is clear that effective cyber risk management should be a key area of focus for all companies and their directors.
Further, RI Advice confirms that in ascertaining responsibility for cyber incidents, courts will have regard to the relevant context, including the operations, business model and impact of the incidents themselves. For directors’ duties, this means the court may decide that in analysing the ‘corporation’s circumstances’, actual and potential exposure to cyber security risks within the entity’s business and operations (e.g. any prior cyber incidents) and the wider industry are relevant considerations.
In this sense, courts might look to ‘overlapping’ obligations to assess whether a breach of directors’ duties has taken place. For example, in the context of the SOCI regime the existence of a mandatory reporting regime for cyber incidents may be regarded as important in assessing the ‘corporation’s circumstances’. When a company is subject to this type of compliance obligation, it arguably increases the expectation on directors to ensure that the company has systems and processes in place to detect such incidents and escalate them for assessment and reporting in a compliant manner.
Overall, RI Advice sends a strong message to companies and their directors that it is no longer reasonable to regard cybersecurity as a technical and peripheral concern. Rather, attention to cybersecurity and the threat of cybercrime is essential to the proper discharge of directors’ duties. We think it is likely that directors will face increased scrutiny for breach of the section 180 duty when cyber security issues arise.
Key lessons
In light of RI Advice, the ongoing focus of ASIC on cybersecurity, the imposition of the SOCI laws, and the evolving cyber risk environment, it is clearly within the courts’ and ASIC’s expectations that directors should turn their minds to whether the design and operation of the company’s cybersecurity and cyber resilience risk management systems are adequate.
With this in mind, we set out below a few ‘key lessons’ from which we think company directors and executives might benefit to ensure compliance with their duties:
- Ensure that cyber-risk assessments are updated with an appropriate frequency, dependent upon the organisation’s context and business model. Where risks are evolving rapidly, update with increased frequency - annual review may no longer be appropriate;
- Adapt cyber-risk assurance processes to be commensurate with the risks posed by your digital supply chain. Ensure that alternate assurance processes or multi-factor assessments are used when operating in a heightened risk environment; and
- Maintain compliance with the right standards. Cybersecurity risk management is now subject to a standard of legal reasonableness. In-house and outside advisors have a significant role to play in helping executives assess and operate an organisation’s cybersecurity risk management systems, processes and responses.