The frequency of successful cyberattacks, a Federal Court decision and changing legislation are together increasing the risk that company directors in both Australia and New Zealand will be held personally accountable for cyber breaches.
In response, global law firm Clyde & Co is calling on company directors to seek advice from insurers and experts to develop robust cyber risk strategies.
The warning comes as the frequency of cyberattacks continues to increase. According to a recent report from the international insurance group Hiscox, two-thirds of organisations globally have seen an increase in cyber incidents over the past 12 months compared to last year.
Anthony Cooke is a Clyde & Co partner who specialises in cyber and data issues. Auckland-based Cooke said in the wake of the ASIC v RI Advice case in Australia, there is a precedent for regulatory bodies in both countries to pursue claims against directors who neglect their obligations to manage cyber incidents efficiently.
“What's changed is that cyber is now a business risk and directors are expected to respond to the cyber security risk in line with any other business risk,” he said.
Cooke said this case has added another layer of responsibility for directors in the context of corporate governance.
“They [directors] need to be able to demonstrate that they're acting in good faith and taking proper duty of care to cyber risk, just like they do with financial risk, ethics risk and other more commonplace issues,” he said.
Some industry stakeholders see the ASIC v RI Advice case in 2022 as a landmark ruling.
Australia’s Federal Court found, according to an ASIC media release, that RI Advice, “breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.”
“What really influenced the regulators’ response was a number of small incidents leading up to it that together created a bigger issue,” said Cooke. “It showed that there was a pattern of behaviour here and that more could have been done to take reasonable steps to protect the organization's cyber security profile.”
“The really key point is that compliance with cyber security and privacy and data protection obligations is very systems based,” said Cooke. “You really need to document that you've thought about the issues ahead of time and you've put the systems and controls in place.”
The Clyde & Co expert said “ultimately,” it's down to company directors to make sure those systems are in place.
He said New Zealand’s regulatory landscape differs to Australia’s but the underlying duties of directors remain “fundamentally similar across jurisdictions.”
“A lot of the directors’ obligations in New Zealand are set out in the Companies Act 1993,” said Cooke.
He said this Act doesn’t explicitly take into account cyber risks but is currently under review.
In August, New Zealand’s government announced its intention to reform the Companies Act “to help make sure the rules governing companies are clear, workable and fit for purpose.”
Cooke said by drawing parallels between the duties of directors in Australia and New Zealand, regulatory bodies can argue that directors have a duty to adequately manage cyber risks to ensure the fair and orderly operation of their sectors.
“In today's landscape everyone should expect that they are going to get hit by a cyber incident - so in terms of what you’re going to be judged on, it’s more about what you do beforehand,” he said. “A lot of organisations are taking good steps but still, there are some organisations where directors probably still ring fence cyber security into an IT box.”
He encouraged company directors to seek out the experts.
“The point is there are learnings, takeaways and experts in this space,” said Cooke. “The insurers have been aware of these risks for quite some time and there is a roadmap to success.”
He said it's important for directors to know who the firm works with to resolve cyber risks.
“So who do you pick up the phone to in the event of an incident to make sure that you stay out of that regulator spotlight and really respond to an incident in the best way possible?” Cooke said.