Is Cybersecurity a Director’s Responsibility?

Latitude Financial joins the list of companies affected by data breaches.

The recent hacking of the personal information of 330,000 Latitude Financial customers is just the latest in a series of high-profile data breaches.

One aspect that distinguishes this story from other recent hacks such as Medibank and Optus is that Latitude is an Australian Financial Services Licence (“AFSL”) holder.

An AFSL imposes a host of duties on licence holders. The interaction between these duties and cybersecurity was explored last year by the Federal Court in ASIC v RI Advice Group. In that case, the Court made it clear that repeated lax cybersecurity practices – including a lack of up-to-date antivirus software, poor email filtering, inadequate system backups and substandard password practices – could constitute a breach of AFSL obligations.

In its commentary following the case, the Australian Securities and Investments Commission (ASIC) said that it expected AFSL holders to take strategic and operational steps to manage cyber risk. However, ASIC’s focus also extends to all sorts of businesses. In a speech earlier this month to the Australian Institute of Company Directors, ASIC Chair Joe Longo spoke about cybersecurity generally as a board and director responsibility.

Directors’ Duties and Cybersecurity

Company directors are subject to various duties, including a duty to act with care and diligence. This means that they must exercise the degree of care and diligence that a reasonable person in their position would exercise.

Increasingly, directors should expect that a lax approach to cybersecurity will be viewed in the same light as leaving the front door to the office unlocked overnight.

Although directors’ duties are not explicitly linked to cybersecurity, the stepping-stones are probably already in place to allow ASIC or aggrieved shareholders to argue that inadequate cybersecurity amounts to a breach of a director’s duties.

Accordingly, directors of companies of all sizes would be well-advised to consider ASIC’s guidance as a starting point. This includes asking the following questions:

1) Is cyber risk a part of your organisation’s risk framework?

2) Does your organisation have a response/recovery plan, and has it been tested?

3) Do you know how you would communicate with customers and regulators following a breach?

Further introductory material from ASIC can be found here. It should be considered essential reading for all directors.

Contact us here if you’d like more assistance.