Are directors’ duties in need of a cyber-uplift?

This article was co-authored with Ella Logan.

Summary

In support of its goal of establishing Australia as a leading digital economy by 2030, the Australian Government has recently launched a public consultation outlining options for regulatory reforms aimed at increasing Australian business’ investment in cybersecurity. Paired with potential incentives, the paper explores three areas of action: setting clear cyber minimum security expectations; increasing transparency and disclosure; and protecting consumer rights.

Why?

In response to increasing ransomware attacks, threats to critical infrastructure and state-sponsored hacks, the paper highlights the Government’s perception that the current incentives and penalties are not effective in persuading corporate Australia to invest sufficiently in cybersecurity. It suggests that Government action is required to drive the adoption of good cybersecurity practices and encourage businesses to better manage cyber risks.

The paper seeks to address ‘key market failures’ such as weak commercial incentives for businesses to prioritise cybersecurity and associated investments, and the difficulty of competing for consumers on the basis of cybersecurity differentiators meaning that cyber risks are often transferred (unknowingly) to consumers.

Impact on Australian Businesses

If implemented, the impact of these proposals could be significant on businesses and company directors. Mandatory governance standards, voluntary incentives and amendments to the regulatory framework are proposed. Most noteworthy amongst these options include:

• introducing enforceable minimum cybersecurity governance standards, potentially by amendment to the Corporations Act 2001 (Cth). Whilst the paper does not explicitly call for a new director’s duty in relation to cybersecurity, it may in fact foreshadow the introduction of personal liability on directors for cybersecurity breaches. 
• new mandatory cybersecurity risk management obligations for businesses not covered by existing sector-specific cybersecurity regulations. This applies to the vast majority of Australian businesses and would potentially introduce an onerous and costly compliance burden.
• reform of related legislation, such as the Privacy Act 1988 (Cth) (Privacy Act), to create clear, consistent and enforceable cybersecurity rules that apply to all Australian businesses. This reform includes establishing an enforceable code under the Privacy Act to regulate the protection of personal information.
• promoting consumer awareness of product security by requiring security support expiry date labels for consumer smart devices. Companies affected should consider the direct cost impact of multiple years, post-sale, of ongoing cybersecurity threat analysis and systems patching support on the financial viability of their consumer smart devices.

Next Steps

We recommend engaging with the consultation to ensure that the outcomes are balanced and achievable for your business. Interested stakeholders have until 27 August 2021 to make a submission. Priority areas to consider include:  

1. are mandatory governance standards required to promote cybersecurity risk management, or, are there more efficient and less burdensome methods of achieving this policy objective, including industry self-regulation?
2. could tax policy be more effectively used as an investment incentive strategy to combat the apparent lack of “widespread adoption of effective cyber risk management by businesses”? 
3. what other market dynamics and policy choices could improve Australia’s cybersecurity position, such as Government-led education programs to redress consumer imbalance in this area?
4. does the paper adequately consider digital supply chain issues and Australia’s position in the global data and cloud computing economy?
5. should the security of personal information be subject to a separate regime outside of the Privacy Act, or should the Privacy Act be a single omnibus law dealing with all matters relating to personal information, including security?
6. how, if at all, the Positive Security Obligations included in the tabled reforms to the Security of Critical Infrastructure Act 2018 are different from, and act in addition to, these proposed changes. Is there a risk of over-regulation?   
7. have changing regulatory, judicial and stake-holder expectations in the first half of 2021, in addition to the heightened threat environment, already caused business to re-assess cyber-risk management? Are the suggested changes actually necessary at all?

The Australian Government’s consultation paper can be found here.