This article was written by Kate Creighton-Selvay, Cheng Lim, Madeline Close and Sean Field.
It is now trite to say that directors' duties extend to cybersecurity matters. But what is the content of directors' duties in relation to cybersecurity?
The answer to this question has become more urgent as cybersecurity risks move front and centre with malicious actors taking advantage of the "opportunities" created by the COVID-19 pandemic, and as ASIC arguably moves from an "educational" role to that of an activist enforcer.
In its action last month against the RI Advice Group Pty Ltd (RI), ASIC alleges that RI failed to have and to implement adequate cybersecurity measures, contravening its obligations as a financial services licensee.
That action does not directly concern directors' duties, but as the first cyber-specific enforcement action by an Australian regulator it perhaps heralds a new-found willingness on the part of regulators to apply their enforcement powers to cybersecurity matters. It may mean that directors and officers face increased scrutiny for breach of their duties when cyber issues arise, including under ASIC's now well-trodden 'stepping stones' approach, in which a contravention by the company is used as the foundation for proceedings against the directors who allowed it to occur.
The risk and harm are foreseeable
A director's duty of care and diligence requires directors to balance the foreseeable risk of harm against the potential benefits of a course of action, and what the duty requires in a given case is assessed by reference to the nature and magnitude of the foreseeable risk of harm.
Many Australian companies would be likely to identify cyber attacks as a key risk area, and it is increasingly well-understood that a cyber attack or data breach has the potential to materially adversely affect a company. Such adverse effects may include significant immediate costs incurred in responding to an incident, reputational and share price impacts and action by regulators, which may include substantial fines.
For the past 15 years, the Ponemon Institute has published annual studies on the costs of data breaches globally. In its 2020 study, the average cost of a data breach was estimated to be USD3.86 million globally, and USD2.15 million in Australia.[1] Larger "mega breaches" are vastly more costly. Breaches affecting 1 million to 10 million records cost on average USD50 million, and breaches impacting more than 50 million records cost on average USD392 million.[2]
What does this mean practically for directors?
- Understand the specific risk profile of your company: Companies which store large amounts of personal or sensitive information, or whose businesses rely on the security of personal information, are at higher risk. Companies in the healthcare, energy and financial services sectors, social media organisations and credit reporting bodies may fall into this category.
- Understand how cyber risks could affect your company: All directors should be sufficiently "cyber-literate" to understand how cybersecurity relates to their company's business and to bring informed judgement to such matters. Directors should ensure that they have access to experts with relevant expertise to support them. Higher risk companies might also consider appointing a director with real-world cybersecurity skills, for example a former Chief Information Security Officer, or a former Chief Technology Officer with security experience.
- Ensure the company's risk management framework appropriately deals with cybersecurity and data breaches that are relevant to the company: The ASX Corporate Governance Council's "Corporate Governance Principles and Recommendations" recommend that a company's risk management framework deal with these "emerging risks" and that boards review the framework at least annually to ensure that it remains sound and that the company is operating with due regard to risk.[3] This may include considering whether a recognised cybersecurity risk assessment framework, such as the NIST Cybersecurity Framework, is appropriate for the company. As has been seen in other areas, red-flag issues should be properly investigated and closed out as soon as possible. Similarly, repeated issues that are not of themselves material might indicate a systemic weakness that requires due attention. Insurance policies designed to respond to data breaches or cybersecurity incidents are increasingly part of many companies' risk mitigation strategies and should be considered as part of the overall risk management framework, as a complement to adequate security controls rather than a substitute for them.
- Have oversight of the company's "cyber culture": Governance structures should ensure that cybersecurity risks receive appropriately senior attention and oversight. Cybersecurity is not simply an information technology issue: cybersecurity risk assessment and mitigation must also encompass processes, procedures and culture. Appropriate consideration should be given to: who in the organisation has direct executive responsibility for the organisation's cybersecurity practices and procedures; the reporting lines of individuals charged with cybersecurity management; the budget available to implement and maintain cybersecurity measures; and the processes to review and increase that budget if the need arises.
- Have visibility of planning and handling of cybersecurity incidents: Directors should be satisfied that appropriate incident response, crisis management and business continuity plans are in place to respond if the company experiences a cybersecurity incident. We have written separately about what these plans might include. Crisis management and business continuity plans should be regularly tested, for example through tabletop exercises, so that the company can have confidence that they will work and so that staff and management are familiar with them if called upon. Consider also how cybersecurity issues are represented in the organisation's committee structure, and how and at what level incidents are reported, to ensure appropriate board visibility.
[1] Ponemon Institute, 2020 Cost of Data Breach Report (2020) 23, 5.
[2] Ibid 10, 67.
[3] ASX Corporate Governance Council, Corporate Governance Principles and Recommendations, 27 (Recommendation 7.2). See also ASIC, 'Key questions for an organisation's board of directors'.