Protecting personal information continues to grow as an essential function of businesses everywhere – particularly when it comes to sensitive information in sectors such as health and financial services.

According to the World Economic Forum, cyber risk has been recognised as "the most immediate and financially material sustainability risk that organisations face today". A somewhat stark statement.

The Australian Securities and Investments Commission (ASIC) has recently warned directors that a failure to adequately address cyber security risk or comply with relevant disclosure and reporting requirements may be a breach of their directors' duties.

A timely reminder

This comes off the back of a recent Federal Court of Australia decision in which a business in the financial services sector was found to have breached its licence obligations after failing to adequately manage its cybersecurity risks. The business was ordered to pay $750,000 towards ASIC's costs. You can have a closer look at ASIC's article here: Be prepared | ASIC - Australian Securities and Investments Commission.

As you can see, it's a clear message from the corporate regulator – "Be prepared".

Ensuring compliance, preventing a breach

According to ASIC, no business is too small for a cyber security strategy.

If your business collects, stores, utilises or discloses personal information, this would be a very good time to look at your systems and processes and ask yourself:

  • Do you have appropriate cyber security risk management systems in place, and do they give you enough visibility of cyber risks so you can comply with your disclosure obligations?
  • Is there a way of testing and verifying the effectiveness of those risk management systems?
  • Are your current cyber security and IT systems adequate to store information securely and protect against third party infiltration?
  • Could you promptly identify any data breaches (actual or potential) and satisfy your reporting requirements?
  • Do your contracts with IT vendors protect your business by addressing and managing potential security breaches?

Hopefully you are confident the answer to each of these questions is 'yes'.

Cyber risk is, however, an area that continues to evolve, and all businesses and their directors will need to be on a journey of continuous improvement when it comes to cyber security.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.