Cyber sentinel

A new cyber strategy consultation raises important issues for directors, the Privacy Act 1988 review proposes major changes to the law, and ASIC launches its first case against directors for breaches of whistleblower protections, writes Louise Petschler GAICD.

Cyber Security Strategy: 2023–30

Cyber security continues to dominate risk discussions in the boardroom (see story p52) as well as regulatory debate by policymakers. Last year, Minister for Cyber Security Clare O’Neil appointed a Cyber Security Expert Advisory Board to guide development of a refreshed Australian Cyber Security Strategy 2023–30. The board comprises chair Andrew Penn AO (former Telstra CEO), Air Marshal Mel Upfeld AO DSC and Rachael Falk MAICD (Cyber Security Cooperative Research Centre CEO).

The board recently issued a discussion paper on key issues under consideration. Several of the consultation questions are directly relevant to boards and governance:

• Should Australian directors have (new) specific director cyber duties?
• Should Australia have a stand-alone Cyber Security Act?
• Should Australia ban cyber ransom payments?
• What opportunities exist to harmonise existing regulatory and legal obligations?
• Is a “safe harbour” needed to support sharing of information with regulators, defence and law enforcement in the event of a significant cyber security incident?

In launching the new strategy, the minister set a national goal to make Australia “the world’s most cyber-secure nation” by 2030.

One of the AICD’s key messages to policymakers — the need for a national, collaborative approach on cyber security — is reflected in the expert panel’s introduction to the discussion paper.

“If we are to lift and sustain cyber resilience and security, it must be an integrated whole-of-nation endeavour. We need a coordinated and concerted effort by governments, individuals and businesses of all sizes.”

The AICD is contributing to the consultation. Members can contact policy@aicd.com.au to share their views.

The AICD’s general view to date is that cyber security falls within existing directors’ duties and obligations under common law and the Corporations Act 2001 (Cth). This includes the duty to act with care and diligence, which requires directors to guard against key business risks. In practice, this requires directors to stay informed and apply an inquiring mind to the organisation’s activities and policies, to test information presented by management and to proactively consider what other information they require. This applies to a wide range of risks including cyber security. Other existing duties, including the duty to act in the best interests of the corporation, are also relevant.

In October 2022, the AICD, in partnership with the Cyber Security Cooperative Research Centre, released Cyber Security Governance Principles. 

The Principles draw on the insights of senior Australian directors, cyber security advisers and government. They provide a guide for boards to engage with management on cyber security, spot “red flags”, promote an organisational culture of cyber resilience and prepare for significant cyber incidents.

Major changes to Privacy Act

The federal government released the long-awaited recommendations of the Privacy Act review in February. The review proposals, if adopted by government, would see a profound shift in how organisations of all sizes manage personal information. They would also change how companies and their officers are held to account for privacy breaches and failures.

The review report contains 116 enhancements or changes to the Privacy Act 1988 plus new obligations.

Some of the substantive review proposals include:

• Removal of the small business exemption (currently businesses under $3m in turnover are exempt from the Act)
• A new direct right of action for privacy breaches
• New enforcement powers for the regulator
• Changes to Privacy Principle 11 — Protection of Personal Information — to clarify “reasonable steps” and include baseline outcomes informed by the new Australian Cyber Security Strategy (see above)
• Broadening the definition of “personal information”
• Establishing a “right to erasure” for Australian citizens.

If adopted and legislated, the review recommendations would bring Australia into closer alignment with the European Union’s General Data Protection Regime.

The proposals would create a far more prescriptive and demanding privacy regime, with a more empowered regulator in the Office of the Australian Information Commissioner (OAIC).

The government is expected to make its formal response by the middle of 2023. The AICD is participating in the consultations and welcomes member views at policy@aicd.com.au

ASIC launches whistleblowing action

Corporate regulator ASIC has issued a significant report on good practice for handling whistleblower disclosures. Last month, ASIC also launched its first court action under updated corporate whistleblowing laws. In the case, ASIC alleges that TerraCom Limited and its senior company employees engaged in conduct that harmed a whistleblower. ASIC also alleges that the directors and officers failed to take reasonable steps upon receipt of an independent investigator’s report into the whistleblower’s statements, in breach of their duties. ASIC is seeking declarations of contravention, pecuniary penalties, disqualification and costs.

In announcing the action, ASIC deputy chair Sarah Court said, “This is a significant case because it is the first time ASIC has taken action for alleged breaches of the whistleblower provisions”.