Directors’ duties and cybersecurity
from Balance 1-21
DANIEL BARAC
INTERN WISELAW
Directors of public and private companies have strict obligations to shareholders under the Corporations Act and common law.
These duties are broadly categorised into two groups: duties of loyalty and good faith, and duties of care, skill and diligence. In a world where most communication is conducted online, particularly with the need to work from home, directors’ obligations to exercise reasonable care, skill, and diligence in their cybersecurity maintenance are more important than ever.
However, despite the ever-growing presence of cyber risks to corporations, the relationship between directors’ duties and these risks has yet to be examined closely in Australian courts. That said, directors can face liability for gross cybersecurity failures under the Corporations Act,1 the Privacy Act,2 or even, in cases where the Director is also a solicitor or barrister, the Solicitor Conduct Rules.3
Part of the duty of care and diligence is the need to weigh up the potential benefits of an activity against the foreseeable risks of that activity. Cyber-attacks are estimated to cost Australian businesses $29 billion per year,4 so most Australian companies would likely identify this as a significant risk. Cybercrime is often damaging to reputation, incurs immediate and substantial costs, and can reduce share prices.5 The seriousness of these risks means that Directors have a high obligation to take reasonable steps to offset this risk.
Section 180 of the Corporations Act 2001 obligates a director or officer of a corporation to exercise their powers with the degree of care and diligence that a reasonable person would if they had that role or responsibilities.6 But what would a reasonable person do? What standard of care is expected of directors, and how does this affect the need to exercise reasonable care to ensure the company remains protected against cybercrime?
Daniels v Anderson states that, at minimum, directors must acquire a basic understanding of the business.7 In a cybersecurity context, they must understand the risk profile associated with their particular industry and understand the relevance of the basics of cyber-attacks and how an attack may infiltrate business data. For example, Directors of companies in financial and healthcare sectors may need to understand that, due to the sensitive nature of the client information they store, their risk profile is higher, requiring them to implement stronger cybersecurity protections commensurate to this risk.8 The Australian Institute of Company Directors also emphasises that IT and cybersecurity are board level issues which impact the entire company, and must be treated with requisite expertise.9
In Report 429, the Australian Securities and Investments Commission (ASIC), the primary regulator of directors’ duties, clarified that a director’s failure to meet obligations and manage cyber risks could result in their disqualification.10 Under the Corporations Act, directors may also be liable for fines of up to $200 000 for breaches of their duties.11
Directors could also be liable for a breach of the Privacy Act where they engage in, assist, or know of privacy violations regarding personal or confidential information.12 If the director responsible were also a solicitor, such collaboration would undoubtedly also breach the Director’s obligation to not disclose confidential information under the Solicitor Conduct Rules.13
In summary, while the exact extent of the obligation for Australian company directors to have sound cyber awareness is yet to be clarified, this is something that directors must prioritise to protect the wellbeing and security of their organisation and their own standing. Serious failures to ‘implement measures which are reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience’ will amount to a breach of director duties.14
Endnotes page 58-59
info@wiselaw.com.au www.wiselaw.com.au 0447 534 023 @twitter.com/WiseLaw3 @facebook.com/1WiseLaw