What are Directors Duties?
Company directors have duties imposed on them under both the Corporations Act 2001 (Cth) (Act) and common law, which ensure that they are acting ethically. These include duties for directors to:
In the past, directors’ duties have usually included keeping adequate accounting records for the company or not trading while insolvent; however, there has been a move to include duties relating to cybersecurity. This would mean that, in circumstances where a director could have better protected the company against a cybersecurity breach but failed to do so, the director could be found to be in breach of their directors’ duties.
This is particularly relevant with the Australian Securities and Investments Commission (ASIC) preparing to strike back against directors, as was evident at the Australian Financial Review Cyber Summit held on 17 September 2024.
A Case Study: ASIC v RI Advice Group Pty Limited [2022] FCA 496
RI Advice Group Pty Limited (RI Advice) holds an Australian Financial Services Licence and is a Financial Services Licensee pursuant to section 761A of the Act.
On 5 May 2022, the Federal Court of Australia declared that RI Advice breached sections 912A(1)(a) and (h) of the Act by failing to implement adequate cybersecurity documentation and controls. Despite suffering nine cybersecurity incidents between 2014 and 2020, including hacking and phishing attacks, RI Advice did not promptly adopt recommendations from independent cybersecurity experts. The court highlighted that cybersecurity risks are evolving and require ongoing management. As a result of the declaration, RI Advice was ordered to enhance its cybersecurity measures and contribute to ASIC’s costs.
Decision
The Federal Court found that RI Advice’s cybersecurity practices were insufficient, noting failures in areas such as anti-virus software and multi-factor authentication. Although the Court did not impose penalties, the decision clarified that licensees now have clear statutory obligations under the Act regarding cybersecurity.
Takeaway
In light of the Federal Court’s decision, licensees must prioritise cybersecurity as an essential component of their corporate governance. Implementing robust cybersecurity policies, conducting regular threat assessments, and ensuring ongoing employee education are vital steps to mitigate risks.
As ASIC enhances its regulatory oversight, failure to comply with these obligations could lead to significant legal and financial consequences, reinforcing the need for comprehensive cybersecurity strategies across all levels of the organisation.
Conclusion
Directors and licensees should be aware of the threat of cyber-attacks and take precautionary steps to prevent them from occurring. If you are unsure about whether your company is taking reasonable steps, please reach out to our lawyers at Chamberlains Law Firm who can assist you to ensure that you are mitigating the risk of a cyber-attack.
*This article was prepared with the assistance of Grace Tully
If you have any questions about liability for cyber breaches, contact our Insolvency & Strategic Advisory and Managing Director Stipe Vuleta.