Directors’ duties and cyber security - it’s complicated
Effective management of cyber security risks is a core governance concern but the imposition of a new mandatory directors’ duty would be a step too far
According to the latest statistics from the Australian Cyber Security Centre (ACSC), Australia has seen a dramatic rise in cybercrime activity.
Between July 2019 and June 2020 approximately 60,000 cyber-attacks were reported in Australia – an average of 164 per day, or one every ten minutes.
Despite the undoubtable need for Australian companies to further improve their cyber-security risk management and governance procedures, a new mandatory governance standard for large companies is undesirable.
This is one of the options canvassed in the Federal Government’s recent discussion paper, Strengthening Australia’s Cyber Security Regulations and Incentives. The background is the need to incentivise businesses to invest in cyber security and make Australia’s digital economy more resilient to cyber security threats.
The other option suggested is a voluntary, principles-based (rather than prescriptive) governance standard, co-designed with the industry and aligned with international standards.
Both of these options are part of a suite of proposals in three areas: setting clear cyber security expectations, increasing transparency and disclosure, and protecting consumer rights.
It isn’t clear from the paper whether the proposed standards are to be imposed on companies or directors.
It seems that the intention is to apply them to companies given that the paper mentions ‘if not, why not’ compliance requirements in the Australian Securities Exchange Principles of Corporate Governance. It’s also not clear exactly what the voluntary standard would entail or how effective it would be.
A voluntary standard wouldn’t be without legal significance for directors.
As specifically stated in the discussion paper, a voluntary standard could be considered by a court when determining whether failures relating to the oversight of cyber risk constituted a breach of directors’ duties.
Moreover, the paper suggests it’s likely that judicial expectations of what a reasonable director might do to oversee the management of cyber risk will rise in light of the increasing awareness of cyber security risks, the increasing number of attacks and the potential damage caused.
The sensitive nature of information relating to companies’ cyber security initiatives and breaches makes public reporting (which has been utilised in other areas like environmental, social, and governance) less appropriate.
But there’s also a pressing need for increased education and capacity building.
Even without a new mandatory or voluntary governance standard, directors may be liable where they don’t exercise care and diligence in relation to cyber security matters – particularly where the company is in breach of the law.
One way this may occur is via a ‘stepping stones’ action.
Stepping stones liability comes about where a company breaches (or potentially breaches) the law and a director is found to have failed to exercise reasonable care and diligence by causing the company to contravene (or failing to prevent the company from contravening) the law, where it is reasonably foreseeable that the contravention might harm the interests of the company.
The corporate regulator, ASIC, has brought a number of stepping stones actions in the last decade. It’s plausible that such an action could be brought in sufficiently serious cases.
An example would be where a company breached the requirements of Australia’s Privacy Act 1988 to take reasonable steps to protect information.
For example, if a board of directors were to turn a blind eye to the issue of cyber security, and that resulted in a breach of data security and/or privacy laws, an argument could well be made that the directors hadn’t complied with the requirements of the duty of care in allowing, or failing to prevent, the breach (by, for example, failing to implement an effective cyber security framework for the company).
At the same time, it must be recognised that directors cannot prevent every breach.
The problem with the proposed mandatory governance standard – which would require businesses to achieve compliance within a specific timeframe – is that directors are already in many ways overburdened by regulatory requirements and the spectre of personal liability.
Directors are subject to potential liability under a number of Commonwealth and state laws relating to areas like tax, employment, competition, the environment, workplace health and safety – not to mention corporate law.
The proliferation of bases of liability and related regulatory requirements also makes it increasingly difficult for directors to stay on top of, and comply with, their legal obligations.
Directors’ duties cannot do all of the heavy lifting in regulating businesses.
The need for accountability must be balanced with the adverse effects on director sentiment, willingness to serve on boards (or even continue business in Australia), as well as the costs of compliance and professional indemnity insurance.
Further, as has been seen in corporations regulation generally, the more detailed and prescriptive a duty becomes, the more likely it will fall victim to qualifications, exceptions and safe harbours. The result is compliance in form but not in substance.
The Government’s discussion paper recognises the cumulative impact of a mandatory standard on the level of regulatory burden, and the high costs that a standard like this would impose on businesses – which also might be passed onto consumers.
It also notes the potentially difficult interaction with the regulation of cyber security in other jurisdictions and the lack of a regulator with the relevant capacity to develop and administer a mandatory standard.
The paper’s recognition that a mandatory standard may be too costly and onerous is appropriate.
At the same time, there is no doubting the increasing frequency, scale and sophistication of cyber security incidents.
These incidents can inflict significant financial and reputational damage on companies and can also cause companies to be in breach of data protection requirements at times. Companies’ reputational interests are becoming increasingly important in terms of the application of directors’ legal duties.
So, managing cyber security risk is very important. Indeed, effective management of data and technology-related risks is a core governance concern in relation to which directors should exercise care and diligence.
Associate Professor Rosemary Teele Langford and Dr Andrew Godwin are co-editors of Technology and Corporate Law – How Innovation Shapes Corporate Activity published by Edward Elgar and is available online.
Banner: Getty Images