MEDIA RELEASE: The frequency and magnitude of recent cybersecurity breaches in Australia are putting increased pressure on company directors to ensure IT systems and policies are watertight – or face the wrath of the regulators, according to HLB Mann Judd corporate advisory partner, Katelyn Adams.
Ms Adams, who is also a director on a number of listed company boards, said cyber resilience has emerged as the dominant issue facing boards and risk committees.
“Cyber security is unquestionably keeping directors awake at night. Directors need to ensure the technology framework the company operates in is secure. As well as the operational and reputational risk of cyber breaches, there are also significant penalties for those who fail to meet their obligations.
“This is best done by engaging cyber security experts to provide advice and ensure this advice is acted on. The cyber resilience of the company must be continuously monitored, and directors must satisfy themselves that it remains robust.
“In addition, directors should ensure an appropriate data response plan is in place in the event of a data breach,” she said.
In Australia, a broad regulatory framework places obligations on business, and the people who run them, to properly manage cyber risk. Obligations are administered by various government agencies and departments.
In addition, Section 180 of the Corporations Act 2001 stipulates a director must act with reasonable care and diligence, and this could extend to cyber security. A director who fails to do so may be ordered by a court to pay significant financial penalties.
“ASIC’s vision is for Australian markets and systems to be resilient to cyber incidents. ASIC works collaboratively with business, regulators and governments, but has issued clarification to all regulated market participants to ‘address cyber risk as part of their AFSL obligations’.
“ASIC has recently released a number of resources aimed at increasing cyber resilience … it has also made it clear it expects regulated bodies to adequately assess and address cyber risk, and it will treat any breaches accordingly,” she said.
Ms Adams said while cyber security training for directors is yet to be made mandatory, the skills matrix of a board should be continuously reviewed.
“The composition of a board needs to include the right level of knowledge and skills in identifying and managing any potential cyber breaches.
“The use of a trusted cyber security consultant is crucial, as they will provide full feedback to the board. It is then the role of the board to ensure any recommendations have been appropriately acted on and implemented.
“The key for directors is continuous questioning of management as to the robustness of the cyber security plan and assessment of risk. Unfortunately, it will never be 100 per cent unbreachable, however through continued review and assessment, directors can ensure their company remains cyber resilient,” she said.
HLB Mann Judd risk and assurance partner, Kapil Kukreja – who specialises in advising government departments and businesses on matters of cyber security – agrees, saying cybersecurity is ultimately the responsibility of the company board and its directors.
“It’s a governance issue, and shouldn’t be viewed by companies as the exclusive domain of the IT department.
“Given the high-profile nature of recent breaches – and the many, many more that go unreported – company directors have a responsibility to ensure the organisation is as safeguarded as possible.
“There are now businesses that perform simulated hacks to identify vulnerabilities in tech systems, and directors should be considering this as part of an ongoing assessment.
“Directors need to be aware that hackers are one, two, three steps ahead, and unless they have all the necessary measures in place, they could be held to account by regulators and their shareholders,” he said.