Directors' and Officers' Cyber Risk
All organisations have an essential reliance on technology, whether operational or administrative, or to communicate, transact or otherwise. This reliance, together with the possession of personal and confidential information, can be broadly categorised into cyber and privacy risks. Beyond the significant financial, operational and reputational impact these risks can have on organisations, there is now a developing global trend to hold Directors and Officers personally liable when things go wrong.
The ever increasing media reports might suggest this exposure is primarily in the form of data breaches and the subsequent data restoration and notification costs, but there is increasing exposure in lawsuits, regulatory action and government regulations. Recent lawsuits targeting directors and officers for their alleged failure to address cyber risk provide global examples of potential liability as more regulations are passed around the world. Directors and Officers should be aware of the increasingly formal standards being set regarding appropriate company cyber risk management.
Locally, ASIC has noted in its Cyber Resilience Report (Report 429: Cyber Resilience – Health Check) that the obligation on company directors and officers to discharge their duties with care and diligence extends to cyber security and resilience. Directors’ duties now include an obligation to ensure appropriate commitment to cyber resilience in an organisation’s corporate governance regime.
Directors now face personal liability for failing to implement appropriate cyber resilience in their organisation. While the business impacts and risks associated with cyber-incidents continue to grow, it can be difficult for directors and officers of the company to know where to start in discharging their cyber resilience duties.
ASIC has indicated that it expects directors to specifically consider:
1. How cyber risks impact on director’s duties and annual director report disclosure requirements;
2. Whether they have appropriate board-level oversight of cyber risks and cyber resilience; and
3. Whether consideration of cyber risks has been incorporated into the organisation’s governance and risk management practices, and into its controls and measures for managing those risks.
Coupled with the above are new government regulations to which Directors and Officers must respond regarding corporate responsibility and disclosure on cyber risk. Whilst the Mandatory Breach Notification Scheme has received most of the headlines, there have been other regulations, including the European Union’s General Data Protection Regulation (GDPR), that have the potential to impact organisations and their directors and officers.
The GDPR, effective May 2018, has been a big topic of discussion because it addresses, amongst other things, information collected and data breach responsibilities. The GDPR focuses on the control, processing and use of the data and information of European Union citizens (even if they are in Australia), and directors and officers are the ones responsible for implementing the corporate governance framework that delivers compliance. Article 5(2) of the GDPR says that the “controller shall be responsible for, and be able to demonstrate compliance with, [the other data protection principles]”.
Beyond regulatory risks, organisations need to be conscious of other risks as well. Private actions aimed at holding Directors and Officers accountable for cyber risk in the United States are nothing new. Securities class action lawsuits, such as those against Wyndham, Heartland Payment and Target, were brought alleging breach of fiduciary duty when handling a cyber breach.
Specifically, the allegations in these actions against the D&Os were for failing to:
1. Implement and enforce effective internal controls over data security;
2. Disclose the effectiveness of a company’s data security policies;
3. Disclose the scope of the data breach; and
4. Exercise oversight duties on how a security breach could adversely affect the company’s business.
These claims often focus on an alleged breach of duty where there was a failure to adequately implement cyber security defences in the first place, or on a failure to respond to, and otherwise monitor, cyber security plans after a breach has occurred. With Australia’s unenviable position as the second most litigious country in the world, it is merely a matter of time before we follow suit with such actions.
While the advantages of Information Technology usually outweigh the potential liabilities, Directors and Officers need to be aware of the risks posed by cyber exposure.
Organisations need to take a three-pronged approach to such risk, namely:
- Mitigation; and
It is important to implement written policies and procedures, and training, to provide guidance to officers and employees on applicable threats. They should also address measures to prevent, detect, and respond to such threats, and to monitor compliance with cybersecurity policies and procedures.
Given organisations’ reliance on Information Technology, their storage of varying levels of personal and confidential information and the associated business interruption exposure, this risk should be addressed at board level, mitigated and insured with an appropriate Cyber Insurance policy.