BEWARE: Company directors and managers have a legal responsibility to manage cyber security risks!

Tuesday 18 March, 12:10 pm - 12:50 pm
Location: Think Tank 1

Speakers

James Carlopio

Executive Director
Cultural Cyber Security

Synopsis

The High Court of Australia (ASIC v RI Group 2022) has affirmed that directors have an explicit duty to manage cyber security risks. Directors are expected to not only manage their cyber security risks but also to build cyber security resilience within their organisations. This directive aligns with the broader duty of care that directors owe to their companies under Australian law. This includes the implementation of robust cyber security measures, continuous monitoring of potential threats, and ensuring that the company's cyber security framework is up-to-date and effective. Directors are expected to be proactive in identifying and mitigating cyber threats, and failure to do so can lead to significant legal and financial repercussions.

Managers, while not bearing the same level of legal responsibility as directors, are expected to actively participate in managing cyber security risks and fostering resilience within their teams. This expectation stems from their role in implementing and maintaining the strategies and policies set by the directors.

In addition to managing risks, directors are also mandated to build cyber security resilience. This means creating a resilient capability that can withstand and quickly recover from cyber-attacks. The court has emphasised that resilience is not merely about having defensive measures in place. It is also about ensuring that there are comprehensive recovery plans and strategies to minimise the impact of any breaches. This aligns with the broader concept of business continuity and disaster recovery planning.

Several notable cases have set important precedents in this area. For instance, in the landmark case of ASIC v Healey (2011), the court highlighted the necessity for directors to have a thorough understanding of their company's cyber security posture. This illustrates that ignorance is not a defence for directors when it comes to cyber security.

Directors are now required to engage in enhanced due diligence when it comes to cyber security. This includes regular audits, penetration testing, and engaging with cyber security experts to ensure that their organisation's defences are robust.

The rulings have also placed a strong emphasis on the need for continuous education and training. Directors must ensure that they and their employees are well-versed in the latest cyber security practices. This involves moving away from ineffective compliance training towards comprehensive skills development programs that equip individuals with the necessary knowledge to navigate the cyber landscape safely.

Directors can be held personally liable for breaches that occur due to negligence or inadequate cyber security measures. Additionally, companies may face substantial fines and reputational damage, further emphasising the need for robust cyber security governance.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.