In light of the increasingly sophisticated cyber threats being faced by many businesses, the Australian Government is planning to introduce a new set of standards to enhance the cyber governance landscape, which are likely to have far-reaching effects on how companies – and their directors – manage cyber security risks.
As the scope of directors’ duties broadens and the measures of accountability for cyber security practices sweep into the boardroom, organisations will need to take action to ensure they are in the best possible position to mitigate cyber threats.
In July 2021, the Australian Government released the Strengthening Australia’s Cyber Security Regulations and Incentives discussion paper (Discussion Paper) as part of its $1.67 billion 2020 Cyber Security Strategy.
The Discussion Paper addresses a variety of cyber-related issues, but one key recommendation calls for the introduction of cyber security governance standards (voluntary or mandatory) applying to businesses not currently covered by sector-specific cyber governance rules – around two thirds of ASX 200 companies. The Discussion Paper sets out two potential governance standards:
- Voluntary governance standards for larger businesses describing the responsibilities and processes for managing cyber security risk.
- Mandatory governance standards which larger businesses would need to comply with in a specific timeframe.
These proposed standards will likely impact the application of the directors’ duties under the Corporations Act 2001 (Cth) (Corporations Act) by shaping the scope of reasonable conduct that is expected of directors in respect of cyber security risk. While only presented at a high level to date, the substance of the standards will be further clarified once the government has considered the public consultation submissions (which closed 27 August 2021).
The cyber governance landscape
There are currently a number of sector-specific regulations which address cyber risks, including:
- the Australian Prudential Regulation Authority’s CPS 234, which applies to banks and deposit-taking institutions, and attributes responsibility for a company’s information security to the board;
- the Security of Critical Infrastructure Act 2018, which establishes a range of ‘enhanced cyber security obligations’ in respect of critical infrastructure assets; and
- the recent Ransomware Payments Bill 2021, which proposes the introduction of mandatory reporting of any ransomware payments to the Australian Cyber Security Centre.
More broadly, the Australian Securities and Investments Commission (ASIC) has stated that the directors’ duties under the Corporations Act may govern directors’ management of a company’s cyber risks. However, the Discussion Paper highlights that the existing directors’ duties lack the clarity and coverage necessary for enforcement to occur – there are currently no domestic cases where directors’ duties have been found to have been breached by cyber security failures.
In particular, the Discussion Paper describes the following factors as contributing to this ineffectiveness:
- the Corporations Act was not originally intended to address cyber security issues;
- the broad scope and principles-based nature of directors’ duties; and
- directors’ duties are focused on protecting the interests of shareholders, rather than customers.
The impact on directors’ duties
The introduction of cyber security governance standards (voluntary or mandatory) setting out responsibilities for directors in managing cyber risk would clarify the operation of the directors’ duties. For example, section 180 of the Corporations Act provides that directors must exercise their powers and perform their duties with the degree of care and diligence that a reasonable person would exercise if they:
- were a director or officer of a corporation in the corporation’s circumstances; and
- occupied the office held by, and had the same responsibilities within the corporation as, the director or officer.
There are minimum standards of care expected of all directors. For example, a director must:
- acquire a basic understanding of the business;
- be continually informed about the activities of the company; and
- generally monitor the business’ affairs.
In assessing whether a director has contravened their duty of care, the court will attempt to ‘characterise’ the director according to the reasonable standard of care – that is, the court will identify what the director ought to have done with reference to existing case law, general industry practice and established standards (such as those described above).
The introduction of the cyber security standards will directly inform the characterisation of the director, and the conduct the director is expected to undertake in complying with their duty of care. According to the Discussion Paper, the standards will assist the court in defining the types of cyber risk failures that will constitute a breach of the directors’ duties. Additionally, the standards will likely help to frame and complement the operation of other duties under the Corporations Act such as the corporate disclosure obligations (e.g. where a director fails to disclose a cyber breach likely to impact the value of a company’s securities) and the duty to act in the best interests of the company and for a proper purpose.
At this stage it is unclear how the standards will be published and implemented (i.e. through amending legislation or a separate enforceable standard), and whether an independent regulatory body will be established to manage compliance with the standard. The Discussion Paper notes there is currently no regulatory body with the requisite expertise or resources to administer a mandatory standard for all large businesses.
However, we expect the formulation of the cyber standards to empower ASIC with sharpened tools to better enforce directors’ and company officers’ management of cyber threats and risks, potentially opening up the suite of liability and enforcement options under the Corporations Act (e.g. civil penalties, disqualification or orders to pay compensation).
While it is not envisaged that the proposed standards will implement specific technical controls, they are likely to have far-reaching effects on the way companies deal with cyber security risks. In particular, the standards will solidify the risk of directors being held liable for breaches of their Corporations Act duties in the event their companies do not have the necessary risk management framework in place to safeguard against cyber threats.
This article is part of our publication Continuity Beyond Crises: Staying ahead of risk in an evolving legal landscape.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.