The Federal Government’s 2023-2030 Australian Cyber Security Strategy consultation explores a range of policy options to make Australia a world leader in cyber security. Importantly, this strategic consultation considers new and enhanced obligations for Australian entities and directors in relation to cyber security, including the potential for an additional duty for directors that specifically addresses cyber security risks and consequences.
To contribute to this important discussion, the AICD commissioned KWM to analyse and compare existing and proposed cyber security obligations in Australia against those in the United States, Canada, the European Union and the United Kingdom. The analysis focuses on directors’ duties and governance. This article provides a director-specific overview of the findings.
See the full KWM Report here.
The report highlights the significant resources and attention governments internationally are devoting to combatting cyber threats. However, none of the jurisdictions surveyed has yet imposed a specific directors’ duty regarding cyber security. The AICD’s view is that a new duty of the type proposed is unnecessary, given existing duties and sector-specific obligations, and should not be the focus of the Strategy.
A new Australian Cyber Security Strategy
In December 2022, the Minister for Cyber Security, the Hon. Clare O’Neil MP, announced that the Federal Government would develop the Strategy. The expert advisory board appointed to oversee its development is tasked with ensuring Australia has:
- A secure economy and thriving cyber ecosystem;
- A secure and resilient critical infrastructure and government sector;
- A sovereign and assured capability to counter cyber threats; and
- A trusted and influential global cyber leader.
Further detail on the Government’s consultation on the Strategy and the AICD’s submission is available here.
A trending theme - Governance and board accountability
The purpose of the report is to contextualise Australia’s regulatory landscape and the Australian Government’s approach to cyber security and to identify key cyber security regulatory themes trending across relevant jurisdictions.
The full comparison does this around four themes – one of which is governance and board accountability. KWM has found:
- There are no specific cyber security duties imposed generally on directors in Australia, the United States, Canada, the European Union and the United Kingdom. However, in each jurisdiction, directors owe general duties of care, skill and diligence.
- There is a growing trend to impose specific cyber security responsibilities on directors under industry-specific regulatory frameworks.
- Critical infrastructure is a dominating focus of cyber regulatory reforms. Australia currently imposes comparatively stronger cyber specific obligations on directors in respect of critical infrastructure or systems of national significance.
- Across jurisdictions, there is increasing scope for actions directly against directors.
A specific directors’ duty is not required
The survey reveals an increasing trend towards imposing greater responsibilities on boards and management to ensure the cyber security of their organisations in critical industries.
However, recent Australian Government criticism of corporate responses to data breaches, and the question in its consultation discussion paper (‘Should the obligations of company directors specifically address cyber security risks and consequences?’), suggest it is considering broadening these obligations beyond critical industries. Imposing such a duty would take Australian directors’ duties one step further than the jurisdictions surveyed.
In the AICD and KWM’s view, section 180 of the Corporations Act, which requires directors to discharge their duties with reasonable care and diligence, already requires directors to take steps to ensure the mitigation and management of cyber security risks. It is not clear that imposing a new duty on directors relating to cyber security would result in practical differences in how directors manage and ensure the cyber security of their companies. Some may argue that a new duty would mean additional accountability and attention. However, the last three Directions Surveys of directors conducted by KWM show that cyber security is already recognised by directors as a top or equal top concern for their companies. Imposing a new, specific duty on directors in relation to cyber security seems unnecessary to make directors more aware of the risks.
There is no doubt that companies need to devote the time, attention and resources required to properly manage cyber security risks, and their boards have a responsibility to ensure that they do so. However, the reality is that being completely secure from cyber security attacks is extremely difficult in an environment where smart, determined and malicious threat actors are constantly probing for weaknesses in a company’s networks, systems and people.
The Strategy presents a prime opportunity to guide directors, companies, government agencies, and small and medium businesses on how to manage cyber security risk. Rather than implementing a new directors’ duty that adds little to the existing obligations under section 180 of the Corporations Act, the Strategy should focus on creating practical, meaningful guidance and resources on what best practice looks like, and how to achieve it.