ASIC’s spotlight on cyber security: Implications for company directors

In a March 2024 keynote speech, Australian Securities and Investments Commission (ASIC) chair Joe Longo observed, in an expression of self-described ‘tough love’, that ‘[b]eing a director isn’t easy – if it were, anyone could do it’.

Speaking at the Australian Institute of Company Directors’ Australian Governance Summit, Mr Longo was discussing the difficulties directors face in complying with their duties, given the growing demands on directors in the context of the ‘ever-increasing complexity’ of the business world. He placed particular emphasis on the risks of cyber attacks, stating:

“Let me be especially clear here, it is a foreseeable risk that your company will face a cyber attack…as a director you have to make it your business to be across questions of cyber resilience and make cyber security a priority. History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility”.

Mr Longo’s speech is the latest in a series of warnings issued by ASIC in recent months about the growing risk of cyber attacks, and the need for directors and companies to take cyber security and cyber resilience seriously.

Since Mr Longo’s September 2023 address to the Australian Financial Review Cyber Summit and the release of ASIC’s November 2023 report Spotlight on Cyber: Findings and Insights from the Cyber Pulse Survey 2023, there has been a steady stream of media coverage of ASIC’s increased focus on cyber security, and its foreshadowed intention to target directors and executives that do not adequately prepare for cyber attacks.

In this article, we consider the recent coverage, the key findings of ASIC’s Spotlight on Cyber report, and potential implications for company directors in the context of potential personal liability for breach of directors’ duties. We also consider the lessons arising from the decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (RI Advice).

ASIC’s recent spotlight on cyber security

In September 2023, Mr Longo foreshadowed ASIC’s intention to ‘make an example’ of boards and directors who are ill-prepared for cyber attacks by taking enforcement action against companies that do not implement adequate cyber security measures.

Mr Longo emphasised that cyber security and cyber resilience ‘are not merely technical matters on the fringes of directors’ duties’ but must be adequately addressed as part of an organisation’s risk management framework:

“For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”

Mr Longo also reportedly commented that:

“If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses… in the right case ASIC will commence proceedings if we have reason to believe those steps were not taken”.

The September address previewed initial findings from ASIC’s Cyber Pulse Survey that third-party suppliers and vendors pose a particularly critical risk. Mr Longo emphasised the risks associated with relying on third-party service providers and suppliers, concluding that ‘all the evidence points to third-party suppliers as a clear vulnerability in many organisations’ cyber preparedness’.

Findings of the November 2023 Cyber Pulse Survey

ASIC released its report on the Cyber Pulse Survey in November 2023. The survey measured participants’ ability to govern and manage organisation-wide cyber risks; identify and protect information assets that support critical services; and detect, respond to and recover from cyber security incidents.

The survey results revealed that:

  • most organisations are reactive in managing cyber security, rather than proactive;
  • there are gaps in cyber security risk management of critical cyber capabilities;
  • many organisations are not cyber mature, with survey participants recording a weighted average cyber maturity score of 1.66 on a scale of 0 to 4; and
  • small organisations consistently reported lower levels of cyber maturity capability than medium and large organisations, lagging behind in supply chain risk management, data security and consequence management.

In particular, the report highlighted that:

  • 44% of organisations did not manage supply chain or third party risk, and organisations needed to consider the risks posed by external third parties (such as vendors, partners, suppliers, contractors or service providers) with access to internal or confidential information;
  • 58% of organisations had no or limited capacity to protect confidential information adequately;
  • 33% of organisations did not have a cyber incident response plan; and
  • 20% of organisations had not adopted a cyber security standard.

With respect to governance and risk management, ASIC reported that ‘[a] concerning 69% of participants indicated they had minimal or no capabilities in supply chain and third-party risk management’, and that 58% of participants did not test cyber security incident responses with critical suppliers.

The report noted that the design, implementation and effectiveness of a cyber security framework or standard ‘must be set from the top and monitored by the organisation’s leadership. Leaders should be well informed about the organisation’s key cyber risks, implications of cyber control failures (including response arrangements) and status of cyber controls’.

ASIC also observed that whilst most participants had well-developed capabilities to investigate and respond to cyber incidents, best practice would include ensuring ‘executive leadership buy-in and sponsorship of the cyber incident response plan because a clear commitment from senior management is essential for its success’.

In ASIC’s media release announcing the report’s findings, Mr Longo reiterated the regulator’s expectation that all organisations must treat cyber security and cyber resilience, including oversight of cyber security risk throughout their supply chains, as a top priority.

He remarked on the need to ‘go beyond security alone and build up resilience’, stating that ‘[a]n effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards’.

Implications for compliance with directors’ duties

ASIC’s announcements indicate that it intends to investigate and prosecute cyber security incidents from a corporate governance perspective, focusing on whether individual directors and other company officers have complied with their duties to the company. Under the Corporations Act 2001 (Cth), directors and other officers of corporations are required to exercise their powers and discharge their duties ‘with the degree of care and diligence that a reasonable person would exercise’ if they were in that director or officer’s position: s 180(1). Directors and officers also owe statutory duties:

  • to exercise their powers and discharge their duties in good faith in the best interests of the corporation, and for a proper purpose (s 181(1));
  • not to improperly use their position to gain an advantage for themselves or someone else, or cause detriment to the corporation (s 182(1)); and
  • not to make improper use of information obtained in the course of their role to gain an advantage or cause detriment to the corporation (s 183(1)).

Whilst these duties have been the subject of extensive judicial consideration, they are yet to be assessed in the context of cyber security, as ASIC is (to date) yet to formally prosecute any individual directors or officers for breach of directors’ duties arising from failure to implement adequate cyber security measures in their organisation. As such, it is difficult to say with any certainty the precise legal standards that a court would apply in assessing the adequacy of the steps taken by company directors and boards to ensure the organisation has sufficient cyber security measures in place, or in determining whether a director contravened one or more of their duties by reason of their organisation’s failure to implement adequate measures.

However, based on the matters emphasised in ASIC’s announcements and the Spotlight on Cyber report, relevant considerations could include:

  • the extent to which the organisation takes a proactive, rather than reactive, approach to evaluating and managing cyber risk (including supply chain and vendor risk);
  • whether the organisation has conducted comprehensive risk assessments and implemented a clear, detailed cyber risk management strategy as part of overall good corporate governance and risk management;
  • the steps taken by the organisation to identify confidential and critical data, personal information, critical systems that need to be protected and vulnerable systems and assets, and implement appropriate security measures to safeguard those key assets;
  • the extent to which the organisation evaluates and effectively manages cyber security risks arising from reliance on third party providers, such as by conducting pre-contractual due diligence on prospective providers and monitoring their compliance on an ongoing basis;
  • the extent of board and senior management oversight of cyber security risk throughout the organisation’s supply chain;
  • whether the organisation actively assesses its cyber risk on an ongoing basis;
  • the measures put in place to prevent, detect, manage and respond to cyber attacks, as part of the organisation’s overall cyber resilience;
  • whether the organisation’s cyber security measures are proportionate to the nature, complexity and size of the organisation, and the sensitivity of the key assets held;
  • whether the organisation has in place a clear, comprehensive response and recovery plan for responding to data breaches or other significant cyber security incidents, which identifies (among other things) the procedures to be implemented and relevant stakeholders’ roles and responsibilities, including with respect to communicating with external parties (such as affected customers, regulators and the market); and
  • whether the organisation tests its cyber incident response plan regularly.

Mr Longo has also previously commented on the need to address the ‘disconnect’ between important elements of an organisation’s overall cyber security framework, including board oversight of cyber risk, management reporting of cyber risk to the board, management’s identification and remediation of cyber risk, cyber risk assessments, and how cyber risk controls are implemented. The extent to which an organisation (and its directors and senior management) address these disconnects is also likely to be relevant to the assessment of whether the directors have complied with their duties.

Corporate liability for failure to manage cyber risk: RI Advice

Although the adequacy of a corporation’s cyber security measures remains untested in the context of directors’ duties, it was considered in the context of Australian financial services (AFS) licence holders’ obligations in RI Advice, a 2022 Federal Court decision.

To date, RI Advice is the only instance of ASIC taking court action against an Australian company for failings in cyber security preparedness. As such, whilst directors’ duties involve different legal considerations to the obligations imposed on AFS licensees, the decision offers valuable insights into how courts might assess the adequacy of an organisation’s cyber security measures in future.

In a previous article written at the time of the decision, we described the factual background of RI Advice, the Court’s findings and the main takeaways for AFS licence holders.

AFS licensee RI Advice was accused of, and later admitted, contravening sections 912A(1)(a) and (h) of the Corporations Act for failing to have adequate cyber security risk management systems in place. RI Advice provided financial services under a third-party business owner model, in which its authorised representatives (ARs) provided financial services on its behalf. In providing those services, the ARs electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients.

Between June 2014 and May 2020, RI Advice’s ARs were targeted in nine separate cyber security attacks, enabling third parties to gain unauthorised access to clients’ sensitive personal information.

The Court found that RI Advice had contravened its licence obligations by failing to do all things necessary to ensure the financial services covered by its licence were provided fairly and efficiently, because it had failed to:

  • ensure adequate security measures were in place or adequately implemented across its AR network; and
  • have adequate risk management systems, by failing to implement adequate cyber security and cyber resilience measures, thereby exposing its ARs’ clients to an unacceptable level of risk.

Significantly, Rofe J observed at [58]:

“Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level”.

Her Honour also considered that cyber security risks, cyber risk management and building cyber resilience – including what constitutes an ‘adequate’ response to such risks – required ‘an appropriate assessment of the risk faced by a business in respect of its IT environment and operations’, and that given the highly technical and specialised nature of cyber risk management, such an assessment would need to be conducted by a relevantly skilled person: [46].

Rofe J observed that the relevant standard for cyber risk management could not be assessed by reference to public expectations, but ‘[r]ather, the adequacy of risk management must be informed by people with technical expertise in the area’: [47].

In relation to the assessment of ‘adequate risk management systems’, her Honour similarly noted that ‘cyber risk management is a highly technical area of expertise. While the standard of “adequacy” is ultimately one for the Court to decide, the Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field’: [55].

This suggests that, if and when courts assess whether an organisation’s directors have complied with their duties by implementing adequate cyber security measures, expert evidence will be relevant to the assessment of the adequacy of those measures.

Conclusion

By now, the ever-growing risks of cyber attacks are well-known among company directors and senior executives. Still, ASIC’s recent conduct demonstrates that mere awareness or concern about cyber security risks is not enough.

ASIC reportedly intends to pursue a ‘riskier’ strategy of ‘targeted, strategic litigation’ in 2024 to protect consumers and investors from poor corporate governance, and send a message to companies. In light of ASIC’s repeated warnings, it is clear that enforcement action against directors and senior executives who do not adequately prepare for cyber attacks is likely to form part of that litigation strategy in the near future.

RI Advice was a cautionary tale about the consequences for corporations of failing to manage cyber security risks. ASIC’s intensifying focus on directors and executives clearly indicates that those consequences will now apply to individuals as well.

Thaw Thaw Htin

Principal

Aparna Jayasekera

Senior Associate

Disclaimer: The information published in this article is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.
