Are directors liable when cyber security is breached?
Boards are struggling to keep up with an ever-growing risk
Most Australian company directors know they need to oversee their organisation’s cyber risks, but many aren’t adequately prepared and risk prosecution from the regulator in the event of a breach.
At UNSW Business School, Kayleen Manwaring and Pamela Hanrahan are researching how liable directors are for cyber breaches in Australia and find that they are more at risk of prosecution than their US counterparts, particularly given the tools available to Australia’s corporate regulator to hold directors accountable.
“The political climate at the moment is very much about individual heads on sticks,” says Hanrahan, a professor and research director in the school of taxation and business law.
A recent survey of directors of Australia’s largest 100 listed companies revealed that while many of them recognise that overseeing cyber risk is a board responsibility, many boards are not adequately carrying out that function.
The ASX 100 Cyber Health Check Report found that the board (or one of its committees) is directly responsible for holding management to account on cyber risk in the vast majority of ASX 100 companies, with only 3% delegating this role to an executive committee.
The majority of boards (88%) receive management reports on cyber security incidents and more than two-thirds review their cyber security strategy at least once a year.
However, the quality of reporting can be improved, with 54% of directors saying the description of cyber risk’s implications is basic in the corporate risk radar. And nearly two-thirds also say they don’t yet have a set of standard cyber security metrics, or don’t know if they do.
“Even though the Australian Securities and Investments Commission (ASIC) is saying that it’s the board’s responsibility, and ASX 100 boards are saying they accept it’s a board responsibility, the quality of the information and the understanding that they have may not be sufficient to discharge that responsibility and that’s creating legal risk,” Hanrahan says.
“When you look at the numbers in the ASX survey, you realise that the majority of directors feel like they’re not getting good quality reporting or very detailed reporting, or they don’t understand the reporting or the metrics.
“Then the risk is that ASIC will say, ‘Well, that’s negligence’. If there’s some kind of failure on cyber resilience, they’ll come after those individuals.”
'The political climate at the moment is very much about individual heads on sticks'PAMELA HANRAHAN
The primary legal question for directors is whether they have adequately discharged their duty of care.
“They may well be exposed to liability for breach of the duty of care if they fail to take some step that’s expected of them by ASIC in understanding and managing risk,” says Hanrahan.
Claiming they didn’t have enough information or didn’t understand what they had would not be a sufficient defence.
“It would be difficult for a board to say, ‘On the one hand, we’ve indicated that we don’t have the information we need or if we get it we don’t understand it, but on the other we haven’t taken any steps to fix the problem’ – that feels a fair bit like negligence to me,” she says.
So far no directors have been prosecuted by ASIC, nor have they been the subject of a class action lawsuit for any cyber or privacy incidents, but Hanrahan says this is because “we haven’t had the right factual circumstances to trigger an action against individual directors in Australia”.
ASIC is direct about what it expects the boards to be doing and the level of oversight that it expects of them. In its Cyber resilience: Health check of March 2015, it states: “Effective corporate governance should involve active engagement by directors and the board in managing any applicable cyber risks.”
The corporate regulator encourages directors to review their board-level oversight of cyber risks and cyber resilience as part of their management of material business risks. Directors should consider if they need to incorporate greater consideration of cyber risks into their governance and risk management practices.
Hanrahan says Australian directors are at greater risk than their US counterparts for cyber breaches because in Australia the regulator can bring proceedings against a director for ordinary negligence. Further, they cannot rely on the business judgment rule to avoid liability, because these kinds of decisions about regulatory compliance are not business judgments.
“Australian directors can be the subject of proceedings for breach of the duty of care even though the company itself didn’t suffer any loss, whereas in the US, because you have to prove loss in order to have a private action, it changes the dynamics. It changes the risk dynamics,” she says.
'It’s just the complexity of the technology and the fact that it’s not something where directors generally have really had to deal with this before'KAYLEEN MANWARING
Fast moving threats
Manwaring, a lecturer in the school of taxation and business law, says the risk of prosecution will increase when mandatory data breach notification laws take effect in the coming months.
Under the legislation, organisations that have been breached or have lost data in circumstances where there is a “likely risk of serious harm” will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach.
“If you’ve got a whole lot of consumers or shareholders knocking down ASIC’s door and saying, ‘Why aren’t you doing anything about this?’, I think that’s going to exacerbate the risk,” she says.
According to Manwaring, the threats are fast moving, which means it is difficult for anyone who doesn’t work full-time in cyber security to keep up.
“It’s just the complexity of the technology and the fact that it’s not something where directors generally have really had to deal with this before,” she adds.
“Where risks come from, and the sort of steps that you have to take to protect against them, is different in the sense that the technology is changing the underlying threat.”
Manwaring says many directors are playing catch up, and notes that the ASX-100 cyber survey shows that while 88% of boards receive management reports on cyber security incidents, more than one-fifth of them only established this procedure during the past 12 months.
Few good metrics
David Owen, a partner in cyber security and privacy at Deloitte Australia, says the risk environment “is becoming more diverse” – that is, there are more ways an organisation can be compromised.
Owen nominates third-parties and sharing data as significant risks: “Many organisations continue to have low understanding around which suppliers have sensitive data, and how to seek assurance on how well suppliers are managing and protecting information.”
And detecting cyber breaches is also a challenge for organisations. Owen notes that in the recent M-Trends 2017 breach report, there is an average period of three months between the first point of entry and the company becoming aware of the breach, which provides a significant window of time for an attacker to move laterally inside the network to steal information or attempt fraud.
It can be difficult for a board member to get an understanding of how well prepared their organisation is.
“It’s a challenge for organisations to have good metrics to use to get a realistic sense of how mature they are compared with the rest of the market,” Owen says.
Directors need to be confident that the cyber risks are adequately reflected within the organisation’s risk framework. Directors also need to ask questions about resilience and response to incidents.
Nigel Phair, whose company DirectorTech advises boards on risk management in the use of technology, says the first step a board needs to take is to identify the information they want to protect, be it intellectual property, a customer database or credit card numbers.
“That’s when I start asking the questions of management: ‘Have you worked out what’s got to be protected?’ If they haven’t, then that’s a big red flag,” says Phair, who is also a council member of the Australian Institute of Company Directors.
The next question is what controls are they putting in place and how much money are they spending. This is difficult to assess, because the return on investment on security isn’t easy to determine, because it’s money spent on something that may or may not happen, Phair says.