ASIC's increased focus on cybersecurity increases class action risks for companies and directors, according to law firm Minter Ellison.
As global companies rely more on digital services in their businesses, those services have become increasingly targeted by sophisticated cybersecurity attacks. An attack may cause significant harm to a company's customers, the credibility of its directors and even to the confidence of Australia's financial markets.
Cybersecurity risk is very much at the forefront of the minds of corporate Australia, especially given recent events. Recognising and managing risk is a crucial part of a company director's role and a failure to appropriately address cybersecurity risk will likely increase a company's (and potentially its directors') risk exposure, which may include the risk of:
(a) ASIC enforcement action; and
(b) Class actions against the company, or its directors.
We explore ASIC's recently increased focus on the cyber resilience of Australian companies, the potential class action risks and recommendations for directors in potentially mitigating those risks.
For completeness, the Attorney-General, Mark Dreyfus, tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) in Parliament last month. If passed, the Bill will significantly increase maximum penalties for any "serious or repeated breaches" of the Privacy Act 1988 (Cth) and provide the Office of the Australian Information Commissioner (OAIC) with increased breadth, and scope of powers to conduct assessments of cybersecurity incidents, undertake enforcement action and seek appropriate relief if required. The Bill does not provide a new cause of action in relation to data breaches.
While the Bill (and its implications) are beyond the present scope of this article, we are nonetheless closely following developments in this space, particularly as the Government has foreshadowed further privacy reforms.
ASIC's increased focus on cyber resilience
Cyber has been specifically identified as one of ASIC's strategic priorities for the next four years in its latest corporate plan released in August 2022. Throughout 2022, ASIC gradually increased its focus on the cyber resilience of Australian companies, particularly those which provide financial services (given the potential systemic consequences of a cybersecurity incident for Australia's financial markets) and released numerous articles about its expectations of companies' cyber resilience.
ASIC has demonstrated its appetite to commence proceedings against companies which fail to adequately manage cybersecurity risks. In the recent Federal Court of Australia decision of ASIC v RI Advice Group Pty Ltd [2022] FCA 496 (RI Advice), an Australian Financial Services (AFS) licensee was found to have breached obligations under s 912A(1) of the Corporations Act 2001 (Cth) (Corporations Act) by failing to have adequate documentation and controls in place to manage cybersecurity risks.
While this was in respect of an AFS licensee, more broadly it shows that ASIC will take enforcement action against companies which may have insufficient measures and practices to adequately protect against cybersecurity risk.
Class action risk
With the increased focus by ASIC on the cyber resilience of companies, litigation promoters (such as litigation funders and plaintiff law firms) will undoubtedly also be closely analysing movements in this space to determine whether there are grounds to bring a class action against a company, or its directors. Recent events have demonstrated a willingness for plaintiff class action law firms to consider bringing such actions relatively quickly following a cybersecurity incident, in light of high-profile data breaches in the telecommunications and healthcare sectors.
There are several class action risks of which directors should be aware:
(a) If customer or employee information is compromised in a cybersecurity incident, companies may be exposed to claims from its customers or employees, for breach of confidence, breach of contract, misleading and deceptive conduct, or invasion of privacy. In 2017, a class action was filed against the Health Administration Corporation on behalf of all NSW Ambulance employees and contractors whose information was compromised in a large data breach, making (among other things) each of those claims. A settlement was reached and approved by the court in December 2019, with each group member receiving approximately $2,400. Numerous cyber-related class actions have also commenced in the US and the UK based on similar fact patterns and allegations, and there is a real prospect that these types of class actions may be replicated in Australia. Even if monetary loss has not (yet) been suffered by customers or employees as a result of a data breach, companies may nevertheless still be exposed to other claims, such as damages for emotional trauma or exemplary damages.
(b) If the company is listed on the ASX, a cybersecurity incident may also give rise to an obligation to make a disclosure to the ASX, pursuant to Rule 3.1 of the ASX Listing Rules. A failure to do so may increase the risk that a class action could be brought against the company alleging a breach of continuous disclosure obligations. This is because a cybersecurity incident (such as a privacy, security or data breach) may expose a company (and in some cases, its directors) to significant financial and non-financial losses, which is likely to be considered material information pursuant to the rules.
(c) Companies may be more exposed to class action risk if they make generic or broad representations to the market regarding the capability of their risk management systems (including their management of cybersecurity risk) which may be seen as over-exaggerating their ability to monitor, report and comply with the relevant regulatory requirements. We have seen several recent instances where class actions have been filed against companies which experienced significant share price declines following the release of news, which put squarely into question the adequacy of their risk management systems, in circumstances where they made prior positive representations about their systems. In the event a cybersecurity incident occurs and the share price of the company reacts negatively to that news, there is a real risk that shareholders may commence a class action against the company alleging that the company misled the market by making such representations.
(d) Finally, companies with a lack of adequate documentation and controls in place to manage cybersecurity risks may both: (i) increase the risk that a class action could be filed against them; and (ii) materially impact their prospects of successfully defending a class action, based on the court's findings in RI Advice. Although RI Advice was in the context of an ASIC investigation, listed companies can expect the same level of scrutiny from litigation promoters if they do find themselves the subject of a cybersecurity incident.
Recommendations for directors
Directors should always have regard to their statutory obligations and in particular, their duties of care and diligence, and of good faith. Depending on the nature of the company, many may also be subject to other obligations, including for example under the Security of Critical Infrastructure Act 2018 (Cth), s 912A of the Corporations Act (as explored in RI Advice), or under APRA’s CPS 234 (Information Security).
More generally, directors need to ensure, among other things, that:
(e) they have a robust understanding of the organisation’s cyber risk posture, including the extent to which the organisation is exposed to supply chain risk, the maturity of the organisation’s understanding of cyber risk, and whether the organisation has sufficient resources deployed to appropriately mitigate cyber risk; and
(f) the organisation has a robust and up-to-date cyber resilience plan in place (as part of the organisation’s broader enterprise risk management plan), which includes:
(i) appropriate cyber security governance and escalation (including to the board);
(ii) the implementation and regular testing of a data breach response plan (which addresses technical, operational, regulatory and insurance issues);
(iii) continually raising cyber awareness and capability across the whole organisation; and
(iv) developing an ecosystem of cyber expertise (including vendors, suppliers and industry specialists).
In addition to the above recommendations, the AICD has recently published its governance principles which can be accessed here. The principles provide a clear and practical framework for directors and their organisations, to assist in building stronger cyber resilience.
While ASIC does not prescribe technical standards, companies should still be familiar with its expectations and recent guidance, to ensure their cyber resilience practices are appropriate and reviewed regularly. Based on our review of ASIC's recent publications and the relevant judicial commentary, ASIC is likely to focus on at least the following:
(g) whether directors regularly reflect on the specific cybersecurity risk profile of the company (given that different companies are exposed to different cybersecurity risks and consequences) and actively consider how to address those risks;
(h) whether directors engage external cybersecurity experts to review and challenge the company's cyber resilience posture; and
(i) whether directors are aware of their potential obligations to report cybersecurity incidents, whether that be to ASIC, to the Office of the Australian Information Commissioner, the Australian Cyber Security Centre, (for financial services organisations) to the Australian Prudential Regulatory Authority, or (where applicable) by way of an announcement to the ASX.
In circumstances where a cybersecurity incident occurs, listed companies and their directors should consider carefully whether they are obliged to make a disclosure to the ASX. Consider reaching out to external experts (both technical and legal) to understand the scope of the cybersecurity incident, in order to assess whether the incident is material information requiring disclosure.
MINTER ELLISON AUTHORS
David Taylor, Partner, Dispute Resolution
Paul Kallenbach, Partner, Head of Cyber Law and Data Protection
Jacky Wong, Senior Associate, Dispute Resolution
Daniel Henningsen, Associate, Dispute Resolution
Latest news
Already a member?
Login to view this content