Attention directors of Australian companies: put cybersecurity at the top of your board agenda! If you do not, you run the risk of breaching your directors’ duties.
ASIC has issued many warnings on this matter. Most recently, ASIC Chairman, Joe Longo, reminded the 2023 AFR Cyber Summit that failure by directors to ensure adequate cybersecurity measures are in place “creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence”. You may also risk breaching your directors’ duty to act in good faith in the interests of the company.
ASIC’s warnings follow a spate of recent high-profile cyberattacks on Australian companies, including Optus, Medibank and Latitude Financial. While those examples involve large organisations, it is important to remember that cybersecurity risk is a matter for directors of Australian companies of all types and sizes, including small and medium-sized enterprises (SMEs) and not-for-profits (NFPs).
Many of our SME and NFP clients face particular challenges in managing cybersecurity risk: they can have significant constraints on time and resources, and there is no “one size fits all” approach or “fix all” to the issue.
SMEs and NFPs might take some comfort in ASIC’s recognition that an organisation’s cybersecurity risk management should be proportionate to the nature, scale and complexity of the business, though it is difficult to say how that principle may be applied in practice. For now, though, we know that ASIC expects all directors to engage actively and continuously on cyber risk, which must involve, among other things, examining third-party supply chain risk.
By Amy Grondal