Mon, Feb 13 2017
In a March 2016 Washington Post opinion piece, Apple's head of software engineering Craig Federighi suggested that, “security is an endless race – one you can lead but never decisively win. Yesterday’s best defences cannot fend off the attacks of today or tomorrow”. Even though cybersecurity is a relatively new and unfamiliar technical territory for most company directors, fiduciary duties are not. The real test for directors is how to appropriately meet those duties in this new context. Whilst the law may agree to the extent that perfection is not the standard of liability for cyber attacks and data breaches, it does require directors to take reasonable steps to be aware of the issues that affect their obligation to manage cyber risks.
Cybersecurity is at or near the top of the list of corporate risks. Cyber breaches also raise the potential for personal exposure for directors. ASIC identified cyber resilience as a key priority in its Corporate Plan 2015-2016 to 2017-2018, signalling increased regulatory scrutiny of this issue, and the Allianz Risk Barometer 2016 identified cyber risk events (i.e. cyber-crime, data breaches, IT failures) as one of the top 3 business risks.
A failure to become familiar with, and to consider (such as in the board minutes), the company’s information, communication and telecommunication systems and the threats to those systems could expose directors to a lawsuit. This is especially true if a court were to find that disregard of the board’s obligations of risk oversight can be considered bad faith on the part of the directors. For example, if a company’s network is breached, allowing third-party access to customers’ data, its directors could be found liable for a failure to implement adequate data-security mechanisms. A company’s failure to disclose data breaches in a timely manner after they occur can also form the basis of a claim.
Directors have a duty to discharge their duties with care and skill. This duty is imposed on directors by, inter alia, s180(1) of the Corporations Act 2001 (Cth), and it requires that a director assess risks that could harm the interests of the company. Cyber risk is a risk that could seriously harm the interests of the company. It therefore follows that a breach of a director’s duty of care and diligence, represented by a failure to ensure the company took reasonable measures to protect customers’ personal and financial information, could expose them to liability. This is especially the case if the directors are well aware that a data security breach is a substantial risk factor for the company. Cyber attacks on comparable companies should alert directors to the heightened probability that their own company may also be attacked. In fact, ASIC’s commissioner, Cathie Armour, recently commented that “...directors should be actively thinking about whether cybersecurity should be assessed more regularly than other risks”.
Managing the risk
Given the growing importance of cybersecurity, boards may consider creating a dedicated risk management committee so as to provide the focus the issue requires. Many boards lack the technical skills and expertise required to adequately assess whether management is taking appropriate steps to address cybersecurity issues. Some have suggested that boards may therefore consider cyber risk education for board members, or adequate representation on the board of members with an understanding of cybersecurity.
A survey from the Ponemon Institute and Fidelis Cybersecurity underscores the divide between boards and information technology professionals. Of the 245 company directors and 409 information technology security professionals surveyed, 59 percent of board members believed their organisations’ cybersecurity governance practices were very effective, while only 18 percent of information technology security professionals believed the same. The study also showed that about 60 percent of information technology security professionals believed the board did not understand the cybersecurity risks of the organisation, compared to 70 percent of board members who believed they understood the risks.
In overseeing cybersecurity efforts, directors should consider their involvement as covering two broad areas. The first is the risk mitigation associated with deterring or preventing the impact of a cyber attack, and the second is managing the crisis after an attack occurs. In both cases the board or the relevant board committee should carefully document its business judgment. This should include the consideration given to reports about data security, the actions taken or avoided in response to potential security breaches, any advice sought and whether or not the board acted on that advice.
Companies are also beginning to buy cyber insurance coverage to mitigate the potential financial losses incurred following a cyber breach. Insurance companies will still require that insureds prove the adequacy of their data protection measures. While cyber insurance policies can help ease a company’s financial liability risk, they cannot prevent a cyber breach or cover the full financial impact of brand damage and loss in shareholder value.
Given that cyber attacks are only going to persist, boards need to be mindful of actively exercising prudence and diligence in monitoring corporate cybersecurity matters on a continuing basis in order to fulfil their corporate duties and mitigate their liability risk.
About the author:
Gordon Owili is a Certified Finance and Treasury Professional, a Fellow of Finsia and a Certified Insurance Professional. Gordon has several years’ experience in law, finance and risk management. He has worked at EY, BHP Billiton, Honeywell and Veolia. Gordon has an LLB, a BSc (Biomedical Science), a Graduate Diploma of Applied Law (specialising in Commercial Litigation), an MBA (specialising in Finance), a Master of Applied Finance and Investment (specialising in Corporate Finance and Advisory) and a Master of Business Law.
For further information about cybersecurity, ACC Australia members can download the key findings from the ACC State of Cyber security report – an in-house perspective from the ACC site. Note that ACC Australia members will need to log into the site to access this resource.
Allianz. Allianz Risk Barometer 2016 - Changes in risk perception [www.allianz.com]. Australia: Allianz [2016 January 13; 2017 January 17]. Available from: http://www.agcs.allianz.com/insights/expert-risk-articles/changes-in-risk-perception/
James Eyers. ASIC says boards underprepared for cyber threat [www.afr.com]. Australia: The Australian Financial Review [2016 September 13; 2017 January 17]. Available from: http://www.afr.com/technology/asic-says-boards-underprepared-for-cyber-threat-20160913-grfaoc
Matteo Tonello. Should Your Board Have a Separate Risk Committee? [https://corpgov.law.harvard.edu]. U.S.: The Harvard Law School Forum on Corporate Governance and Financial Regulation [2012 February 12; 2017 January 17]. Available from: https://corpgov.law.harvard.edu/2012/02/12/should-your-board-have-a-separate-risk-committee/
Fidelis Cybersecurity. Fidelis Cybersecurity Survey Shows Lack of Trust, Limited Visibility and Knowledge Gap between the Board and IT Security Professionals [www.fidelissecurity.com]. U.S.: Fidelis Cybersecurity [2017 January 17]. Available from: https://www.fidelissecurity.com/newsroom/fidelis-cybersecurity-survey-shows-lack-trust-limited-visibility-and-knowledge-gap-between