Directors have a clear obligation and duty to ensure that a company has policies, procedures and systems in place to protect against and react to a cyber security breach.
These obligations can also extend to officers and even shadow directors.
Australian Securities and Investments Commission (ASIC) Chair Mr Joe Longo gave a keynote speech at the Australian Institute of Company Directors (AICD) in March 2024 noting the ever-increasing complexities that directors face in ensuring compliance with their duties in the business world.
He stated:
“Let me be especially clear here, it is a foreseeable risk that your company will face a cyber attack … as a director you need to make it your business to be across questions of cyber resilience and make cyber security a priority. History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility”.
It is clear from those comments and more recent media coverage that directors' and officers' response to cyber security will become a greater focus for ASIC.
As a director you have a fiduciary duty to the company which means you must:
When it comes to cyber security, a director must have regard to their duties under the Corporations Act 2001 (Act).
This duty applies to both executive and non-executive directors as well as officers.
Sections 180 and 181 of the Act provide that a director must act with care and diligence and in good faith.
Section 180(1) of the Act requires directors to exercise their power and discharge their duties with the degree of care and diligence to the standard of what would be expected of a ‘reasonable person’.
The size and nature of the company, the role and responsibilities of the director or officer and the context in which decisions are made will all be taken into account when considering whether this duty has been breached.
Section 180(2) provides that directors will have a defence to a breach of Section 180(1) in relation to their decisions if the decisions were made in the best interests of the company. This is known as the business judgment rule and it protects directors where a decision does not have the required positive outcome but was made in an honest, informed and rational way, which is the equivalent of the similar obligations at common law and in equity.
Section 181(1) imposes on directors a duty to act in good faith in the best interests of the company and to prioritise the company’s interests over the director's own personal interests.
A breach of Section 180(1) or 181(1) could result in a penalty of 5,000 penalty units, which is currently approximately $1.65 million for an individual.
In addition, there are various statutory penalties such as compensation, a disqualification order or an injunction.
In addition, a breach of section 181(1) could be considered a criminal offence pursuant to section 184(1) if the breach is either reckless or intentionally dishonest, and attracts a sentence of up to 15 years' imprisonment.
First and foremost, you must have cyber security at the forefront of your decision making and thought process as a director and as a board.
It is important to build a cyber resilient culture right through the organisation and that must be driven from the top by the board and the senior executive.
You must have in place a cyber strategy for the company including the relevant policies and procedures surrounding it.
Plan for a cyber event, undertake testing and ensure the people in the organisation understand their roles and responsibilities in regard to cyber training and in the event of a response.
Make sure there is continuing learning and training.
It is important to remember that you cannot rely on your Directors and Officers insurance, as the wording in these policies often provides carve-outs for cyber events. Make sure you understand what you are and are not covered for in the event of a cyber security event.
Various studies have indicated that a cyber event can cost a small or medium business anywhere from $50,000 up to $5 million in revenue loss, productivity loss, ransoms, legal and mitigation costs, not to mention the reputational issues.
Importantly, if you do not have the resources internally to make this happen, get external professional help.
As someone who sits on various boards in both the profit and not-for-profit sectors, I am often asked by other directors and clients: how can I protect myself and my company or organisation?
No matter how many systems you have in place, there is always the possibility of an attack breaching those systems.
A good friend of mine, who is an incredibly experienced director at both an international and national level across a varied number of industries, said the question to ask yourself is:
“Did I do everything reasonably possible to deter a cyber attack in light of all the information and resources available to me as a director?”
At FC Lawyers, our business and corporate team has 30 years of experience advising directors, officers and boards in both the for-profit and not-for-profit sectors across a wide range of industries in relation to their duties, not just in relation to cyber issues but all aspects of corporate governance and regulatory responsibility.
Contact our team today to discuss your cyber security obligations and company policies and procedures.