Directors of corporations are subject to a series of duties owed to the company, shareholders and others that arise primarily under the Corporations Act 2001 (Cth) as well as at common law and in equity. For directors of publicly listed corporations, additional duties may arise under continuous disclosure obligations.
Other laws and regulations may apply to directors and the exercise of their duties, depending on the subject matter (eg notifiable data breaches under the Privacy Act 1988 (Cth)) or industry sector (eg information security obligations of financial institutions under the Banking Act 1959 (Cth)).
Background
Directors of corporations should be mindful of their director duties under the Corporations Act 2001 (Cth) and actively engage with cyber risks within the scope of their role.
Directors of listed companies should also ensure they report any information to the ASX that could have a material consequence on the price or value of the company's securities, pursuant to ASX continuous disclosure obligations.
Since the introduction of the 'Notifiable Data Breach Scheme' under the Privacy Amendment (Notifiable Data Breaches) Act 2017(Cth), in the event of a data breach affecting a corporation, the directors of that corporation should disclose details about the breach if it poses a risk of serious harm to any individual or group.
See A Vamialis, ‘Online Service Providers and Liability for Data Security Breaches’ (2013) 16(11) Journal of Internet Law 23
Under APRA Prudential Standard CPS 234: Information Security (APRA CPS 234) the board of directors of an APRA-regulated entity (including all banks and financial institutions, general insurers and private health insurers) is responsible for:
ensuring the entity maintains information security (and an information security capability) in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity; and
clearly defining the information security-related roles and responsibilities of the board of directors, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.
There are additional security obligations for entities in the financial services sector in existing APRA prudential standards and practice guides relevant to cyber security. These include a notification requirement to APRA for material information security incidents.
Under ASX Listing Rule 3.1, a listed entity must immediately report to the ASX any market-sensitive information that can have a material consequence on the price or value of the securities of that entity (as soon as it is aware or ought to reasonably have been aware).
Section 677 of the Corporations Act 2001 (Cth) requires that the information would, or be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of them. A listed entity must form a view of whether the direct and indirect effects of a data breach satisfies this test prior to notifying the ASX, considering all surrounding circumstances.
A court will generally examine the reaction of the market when considering whether an entity breached its continuous disclosure obligations: see Grant-Taylor v Babcock & Brown Limited (In Liquidation)[2015] FCA 149.
Recommendation 7.2 requires a board of directors/committee of the board of a listed company to review its risk management framework annually and satisfy itself that it ‘deals adequately’ with risks including cyber security, privacy, and data breaches. The ASX Corporate Governance Principles and Recommendations are not mandatory for listed companies, but if not followed the board must disclose why not.
See ASIC Report 429: Cyber Resilience Health Check (2015) - a report that lists the relevant cyber security obligations for the financial services entities it regulates. The report suggests that the provisions of the Corporations Act 2001 (Cth) may require active engagement with cyber risks.
Since its Enforcement Outcome Report (December 2015), ASIC has taken a new enforcement approach when dealing with cyber issues. It is increasingly choosing to accept enforceable undertakings or issue infringement notices in cases of improper conduct, and collaborate with the police to protect investors.
Under ASIC Regulatory Guide 104, entities holding an Australian Financial Services Licence must comply with licensing obligations relating to the security of client records (Regulator Guide, July 2015, RGs 104.93, 104.96).
In its ASIC Enforcement Update (July to December 2018), ASIC emphasised that it is paying particular attention to cyber-related market misconduct facilitated by technology.
act with reasonable care and diligence (including a duty not to make misleading or deceptive announcements to the market);
act in good faith in the best interests of the company;
exercise their powers for the purpose for which they were conferred;
avoid conflicts of interest; and
not improperly use company information or their position to gain an advantage for themselves or someone else, or to cause detriment to the company.
A breach of these duties is a civil offence, but criminal penalties may be imposed where directors are reckless or dishonest in breaching their duties.
Some corporations must disclose risk in annual reports under Part 2M.3, in satisfaction of continuous disclosure obligations for listed companies under Chapter 6CA, and in some fundraising contexts.
Directors have a continuing obligation to be informed about the affairs of their company, which will be influenced by the size and complexity of the company: Daniels v Anderson (1995) 37 NSWLR 438.
Directors may be negligent if they fail to balance considerations of potential benefits to a company with potential risks: ASIC v Maxwell[2006] NSWSC 1052.
Under Part IIAA of the Banking Act 1959 (Cth), authorised deposit-taking institutions (ADIs) must nominate 1 or more 'accountable persons' - either a director or other appropriate senior executive - who is responsible for the conduct of the financial institution's regulatory compliance and reporting to the Australian Prudential Regulation Authority.
Under Part IIIC of the Privacy Act 1988 (Cth), organisations with an annual turnover exceeding $3 million (plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients) are subject to the Notifiable Data BreachScheme. These organisations must promptly inform individuals whose personal information has been affected in a data breach that is likely to cause serious harm.
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost, and a reasonable person would determine this is likely to cause serious harm (or risk thereof) to affected entities.
An affected organisation must undertake a reasonable and speedy assessment and report its results to the Office of the Australian Information Commissioner (OAIC) within 30 days, and distribute these details to the people at risk of serious harm.
Part VIB of the Privacy Act 1988 (Cth) contains penalties for non-compliance and gives the Commissioner investigative powers.These actions are available against the relevant business entity and against those ‘knowingly concerned,’ such as directors or management.
Case Law
Recent case law demonstrates the growing importance (and accountability) of cyber security for company directors, although to date the issue has rarely been litigated in Australia. Rofe J’s judgment in Australian Securities and Investments CommissionvRIAdvice Group Pty Ltd[2022] FCA 496is relevant in showing potential judicial attitudes, although limited in direct effect as the orders were made by consent. However, the increase in litigation in the United States has raised concern amongst scholars that significant Australian litigation against directors for failure to implement adequate cyber security systems is likely only a matter of time.
Criminal Law
The Criminal Code Act 1995 (Cth) sch 1 criminalises, amongst other things, computer intrusions, unauthorised modification of data, denial of service attacks, creation, and distribution of malicious software, dishonestly obtaining or dealing in personal or financial information, among many other offences ranging in severity, application, and punishment. For more details, see Computer-Based Crime.
The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019, which came into effect on 6 April 2019, added new offences to the Criminal Code. Offences that apply to hosting service providers include the failure to notify the Australian Federal Police within a reasonable time about material relating to abhorrent violent conduct in Australia; and failure to remove access to the content. These offences create an independent incident reporting regime that applies to the cloud computing sector.
Regulatory & Policy Framework
Duty to Report Cyber Security Incidents
The Australian Cyber Security Centre (ACSC) defines a cyber incident as ‘an unwanted or unexpected cyber security event, or a series of such events, which have a significant probability of compromising business operations.’
A number of different bodies set out requirements and guidelines for reporting cyber security events, adding to the complexity of this regulatory space. Notable inconsistencies include the type of information required to be reported and the timing of reporting. Contractual obligations may add to the complexity in circumstances where customers can articulate their own timelines and requirements.
National
Australian Cyber Security Centre (ACSC) The ACSC is the lead Australian government agency for cyber security, and operates as part of the Australian Signals Directorate. The ACSC provides a Cyber Incident Response Plan Guidance and Template for all Australian organisations, which has guidelines for them to develop their own incident response plans. No specific timeframes for reporting are mentioned in these documents. Reports to the ACSC can be made through their ReportCyber portal.
Australian Government Information Security Manual (ISM) The ISM, produced by the ACSC, outlines a cyber security framework that an organisation can apply to protect their systems and data from cyber threats. This uses a risk management framework that includes protection of the cyber supply chain. Cyber security incidents, including unplanned outages, must be reported to an organisation’s Chief Information Security Officer (CISO), or one of their delegates, as soon as possible after they occur or are discovered. Incidents should then be reported to the ACSC.
Australian Prudential Regulatory Authority (APRA) CPS 234 Under section 35, incidents must be notified to APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident or 10 days after becoming aware of a security weakness. The Board and senior management of the organisation must also be notified.
Cyber Incident Management Arrangements for Australian Governments (CIMA) CIMA comes into play for cyber security related crises, or crises with a cyber security element. While CIMA provides Australian governments with guidance on how they will collaborate in response to, and reduce the harm associated with, national cyber incidents, it does not override existing incident response management arrangements of different levels of governments unless circumstances demand it. CIMA encourages all Australian governments, business and the community to report cyber incidents to the ACSC.
Privacy Act 1988 (Cth) Obligations under the Privacy Act and the Notifiable Data Breaches scheme are as discussed above.
Protective Security Policy Framework (PSPF) This framework, managed by the Attorney-General’s Department (AGD), consists of a series of policies providing security guidelines and requirements for contracted and service providers across Australian government. Annual security status reports must be made to the AGD and the appropriate ministerial portfolio. Cyber security incidents must be reported to the Australian Signals Directorate, but additional notifications may also be required to ASIO, the Australian Federal Police, the OAIC and other organisations depending on the nature of the incident. Contracted providers may be required to report security issues even when not immediately relevant to the contract. See for example Policy 5 ‘Reporting on security’ and Policy 6 ‘Security governance for contracted goods and service providers’.
Security of Critical Infrastructure Act 2018 (Cth) (SOCI) Mandatory reporting of cyber security incidents commenced 8 April 2022. Appropriate action must also be taken to address the incident. Incidents must be reported to the ACSC (who will pass them on to the CISC) within 12 hours for critical incidents and 72 hours for other relevant incidents as defined by the Act. If the initial reports were given orally, then a further 84 hours is given to submit a written report for a critical incident, or a further 48 hours for a relevant incident. Penalties apply for non-compliance.
On 6 July 2022, the Minister for Communication made security information obligations requiring carriers and service providers to undertake asset registration and cyber incident reporting. The new conditions import the provisions from the SOCI Act.
State Government
NSW Cyber Security Policy The policy outlines the mandatory requirements for all NSW government departments and public service agencies to ensure cyber security risks to their information and systems are managed. It applies to agency heads and executives, Chief Information Officers, Chief Information Security Officers (or equivalent) and Audit and Risk teams. It expressly contemplates the imposition of contractual terms on ‘third party ICT providers’ (which would include cloud service providers) mandating compliance with this policy, and in such cases, it requires (amongst other things) terms that require the provider to have an incident notification process and to follow ‘reasonable direction’ from the government agency arising out of incident investigations.
QLD Information Security Policy This policy provides standards to coordinate reporting and monitoring processes for information security incidents within the QLD government. Incident response activities and threat intelligence must be communicated to the Queensland Government Information Security Virtual Response Team as per the QGEA Information security incident reporting standard. Departments must report immediately for security incidents affecting a system with a medium or high business level impact, and immediately for security incidents affecting multiple systems / departments. All other security incidents must be reported quarterly.
A Ahmed et al, ‘How can organisations develop situation awareness for incident response: a case study of management practice’ (2021) 101 (8) Computers & Security 1, 2-3