10 August 2023
Even though malicious cyber actors seek to exploit system vulnerabilities and steal valuable corporate assets, affected companies are nonetheless no longer perceived by the public, media and regulators to be mere “victims”. Companies are expected to turn their minds to implementing organisational frameworks and strategies to prepare for and manage a cyber incident. From a commercial and legal perspective, it is simply no longer acceptable to relegate cybersecurity to IT departments.
Despite this, many C-suites still prioritise investing in their technical capabilities without developing a wider compliance framework. This is not based on an inadequate appreciation of the seriousness of cybersecurity – indeed, they regard it as a more significant issue than the COVID-19 pandemic, economic volatility and climate change. Rather, their reliance on an ‘outdated’ approach to cybersecurity management is often what leads them to fail to properly adapt to the emerging cyber threat environment, the general features of which are outlined below:
| Feature of the threat environment | Examples |
|---|---|
| Cyber threat actors | State-sponsored actors, cybercriminals, hacktivists, cyberterrorists, thrill-seekers, insider threats |
| Motives for cyberattacks | Geopolitical, profit, ideology, violence, satisfaction, vindication |
| Exploitation methods | Malware, phishing, denial-of-service attacks, spoofing, identity-based breaches, code injection, social engineering, supply chain attacks, insider threats, DNS tunnelling, IoT-based attacks |
| Common attack vectors | Compromised credentials, weak or stolen credentials, unpatched applications or servers, insufficient authentication, phishing emails, psychological manipulation (e.g. impersonation), vulnerability exploits, poor encryption, misconfigurations, exploitation of trust, rogue insiders |
| Why are ransomware attacks becoming increasingly common? | Lower barriers to entry, more advanced techniques, recognition of its scalability, goal of placing pressure on organisational resources, increased data leaks |
| Key sectors targeted | Healthcare, finance, insurance, accounting, legal, management, recruitment |
| Consequences | Financial, reputational, operational, litigation and regulatory responses |
Directors must ensure that in responding to these threats they discharge their duties with care and diligence and in good faith in the best interests of the corporation.
When a court looks to consider whether directors have failed in their duties in relation to a cyber incident, it would likely give substantial weight to the steps directors took and their preparedness. The directors will need to exercise a degree of care and diligence that a reasonable person would have exercised in her or his position to ‘prevent a foreseeable risk of harm to the interests of the company’.
This may involve an evaluation of the extent to which the directors have:
In order to avoid a claim that the directors have breached their duties under ss 180 and 181 of the Corporations Act 2001 (Cth), they will need to establish that they took reasonable steps to ensure that their company properly managed the foreseeable risks to the company from a cyber incident. What is foreseeable will be framed by a wide examination of the general circumstances in which the company operates and the general and specific obligations on the directors.
One relevant consideration will be the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, which recommend that a company’s risk management framework deal with the ‘emerging risk’ of cybersecurity and be reviewed at least annually so that it remains appropriate and has proper regard for risks. Recent cases, such as ASIC v RI Advice Group [2022] FCA 496, recognise that cybersecurity risks can be materially addressed through adequate cybersecurity systems, documentation and controls. They also point to an increasing willingness by judges to impose fines and order the implementation of special cyber resilience measures where appropriate.
Amidst this changing environment, the Commonwealth Government is seeking new ways to make it obvious that cybersecurity is part of a director’s responsibility. For example, it is presently considering (in its 2023-2030 Australian Cyber Security Strategy Discussion Paper) introducing specific obligations for directors to address cybersecurity risks and consequences. Further, the Australian Computer Society has suggested imposing criminal penalties on directors who knowingly and wilfully breach privacy laws. Regardless of whether either of these measures is introduced, they point to rising expectations for directors to consider cybersecurity.
A central component of any organisational response to cybersecurity should be a comprehensive and accessible incident response plan that clearly sets out:
Without an incident response plan to refer to, it may be tempting for directors to be reactive in the face of an actual or suspected cyber crisis either by instructing their communications teams to withhold information or to ‘spin’ the situation by publishing ‘good news’ stories. This could contravene certain obligations, for example:
An incident response plan would also create mechanisms for directors to address ransomware attacks, which often require quick and measured responses, including in circumstances where convening a timely board meeting is not feasible.
Organisations face complex considerations in the face of such an attack. On the one hand, the Government advises them not to make ransom payments, and, if payments are made, prosecutors may interpret them as ‘instruments of crime’ under the Criminal Code 1995 (Cth) or as a breach of other criminal law provisions. These include anti-money laundering, counterterrorism and sanctions laws, such as the Autonomous Sanctions Act 2011 (Cth), the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Charter of the United Nations Act 1945 (Cth). However, the extent to which making ransomware payments could fall within the scope of these criminal law provisions is presently a legal ‘grey area’, and the courts have provided limited commentary on the application of potential defences in a ransomware context.
On the other hand, an organisation may be persuaded to give weight to ethical concerns (e.g. threats to life), reputational risks, the likelihood of negotiating lower payment thresholds and other factors such as the consequences of data being sold or lost. Given the complexity involved in responding to these attacks, if a threat actor seeks to extort an organisation, the last thing its crisis team wants to worry about is the circumstances in which it should consult the CEO or which documents it should refer to when making decisions.
Further, the ASX has said that companies can use brief trading halts pursuant to Listing Rule 17.1 to avoid false reporting and to obtain the information that investors need. An incident response plan would enable companies to be prepared to gather relevant documentation and thereby avoid any allegation of having failed to make timely disclosure of a material cybersecurity incident.
Apart from facing obvious financial and operational strains, organisations that do not have adequate incident response plans and are later subject to a data breach may find themselves at the centre of disputes or investigations, such as:
These now attract maximum penalties of A$2.5 million for an individual and, for a body corporate, the greater of either A$50 million, three times the value of the benefits obtained due to the contravention, or 30% of the body corporate’s adjusted turnover during the breach turnover period.
The Commonwealth Government has indicated in its Privacy Act Review Report that it will only make it easier for individuals affected by data breaches to seek recompense and is placing pressure on companies to cover the costs of compromised personal information such as identity documentation.
One thing is clear: boards must ensure they are agile and prepared for cyberattacks. Effective incident response plans will be very important in guiding any organisational ship through the murky waters of evolving cyber threats and regulatory abrasiveness.
[1] Both ASIC and the ACCC have recently demonstrated they have the ‘teeth’ to engage with cyber issues. ASIC may, for instance, bring stepping stones actions in serious cases where a director both (a) fails to exercise the degree of care and diligence that a reasonable person would have exercised in their position, and (b) causes the organisation to contravene the law where it was reasonably foreseeable that their actions would bring harm to the interests of the organisation.