A new cyber strategy consultation raises important issues for directors, the Privacy Act 1988 review proposes major changes to the law, and ASIC launches its first case against directors for breaches of whistleblower protections, writes Louise Petschler GAICD.
Cyber Security Strategy: 2023–30
Cyber security continues to dominate risk discussions in the boardroom (see story p52) as well as regulatory debate by policymakers. Last year, Minister for Cyber Security Clare O’Neil appointed a Cyber Security Expert Advisory Board to guide development of a refreshed Australian Cyber Security Strategy 2023–30. The board comprises chair Andrew Penn AO (former Telstra CEO), Air Marshal Mel Hupfeld AO DSC and Rachael Falk MAICD (Cyber Security Cooperative Research Centre CEO).
The board recently issued a discussion paper on key issues under consideration. Several of the consultation questions are directly relevant to boards and governance:
- Should Australian directors have (new) specific director cyber duties?
- Should Australia have a stand-alone Cyber Security Act?
- Should Australia ban cyber ransom payments?
- What opportunities exist to harmonise existing regulatory and legal obligations?
- Is a “safe harbour” needed to support sharing of information with regulators, defence and law enforcement in the event of a significant cyber security incident?
In launching the new strategy, the minister set a national goal to make Australia “the world’s most cyber-secure nation” by 2030.
One of the AICD’s key messages to policymakers — the need for a national, collaborative approach on cyber security — is reflected in the expert panel’s introduction to the discussion paper.
“If we are to lift and sustain cyber resilience and security, it must be an integrated whole-of-nation endeavour. We need a coordinated and concerted effort by governments, individuals and businesses of all sizes.”
The AICD is contributing to the consultation. Members can contact email@example.com to share their views.
The AICD’s general view to date is that cyber security falls within existing directors’ duties and obligations under common law and the Corporations Act 2001 (Cth). This includes the duty to act with care and diligence, which requires directors to guard against key business risks. In practice, this requires directors to stay informed and apply an inquiring mind to the organisation’s activities and policies, to test information presented by management and to proactively consider what other information they require. This applies to a wide range of risks including cyber security. Other existing duties, including the duty to act in the best interests of the corporation, are also relevant.
In October 2022, the AICD, in partnership with the Cyber Security Cooperative Research Centre, released Cyber Security Governance Principles.
The Principles draw on the insights of senior Australian directors, cyber security advisers and government. They provide a guide for boards to engage with management on cyber security, spot “red flags”, promote an organisational culture of cyber resilience and prepare for significant cyber incidents.
Major changes to Privacy Act
The federal government released the long-awaited recommendations of the Privacy Act review in February. The review proposals, if adopted by government, would see a profound shift in how organisations of all sizes manage personal information. They would also change how companies and their officers are held to account for privacy breaches and failures.
The review report contains 116 proposals to amend the Privacy Act 1988, including new obligations for organisations that handle personal information.
Some of the substantive review proposals include:
- Removal of the small business exemption (currently businesses under $3m in turnover are exempt from the Act)
- A new direct right of action for privacy breaches
- New enforcement powers for the regulator
- Changes to Australian Privacy Principle 11 — Security of Personal Information — to clarify what “reasonable steps” to protect personal information means, and to include baseline outcomes informed by the new Australian Cyber Security Strategy (see above)
- Broadening the definition of “personal information”
- Establishing a “right to erasure” for Australian citizens.
If adopted and legislated, the review recommendations would bring Australia into closer alignment with the European Union’s General Data Protection Regulation (GDPR).
The proposals would create a far more prescriptive and demanding privacy regime, with a more empowered regulator in the Office of the Australian Information Commissioner (OAIC).
The government is expected to make its formal response by the middle of 2023. The AICD is participating in the consultations and welcomes member views at firstname.lastname@example.org
ASIC launches whistleblowing action
Corporate regulator ASIC has issued a significant report on good practice for handling whistleblower disclosures. Last month, ASIC also launched its first court action under updated corporate whistleblowing laws. In the case, ASIC alleges that TerraCom Limited and its senior company employees engaged in conduct that harmed a whistleblower. ASIC also alleges that the directors and officers failed to take reasonable steps upon receipt of an independent investigator’s report into the whistleblower’s statements, in breach of their duties. ASIC is seeking declarations of contravention, pecuniary penalties, disqualification and costs.
In announcing the action, ASIC deputy chair Sarah Court said, “This is a significant case because it is the first time ASIC has taken action for alleged breaches of the whistleblower provisions”.
Practice resources — supporting good governance
Examples of the AICD’s contemporary governance practice resources for members:
- Cyber Security Governance Principles: Developed by the AICD and the Cyber Security Cooperative Research Centre, the Principles have been recognised by stakeholders as leading practice. More than 16,000 AICD members have downloaded the Principles to date to apply in their own boards.
- Best Interests Duty: AICD’s landmark legal opinion by Bret Walker AO SC and Gerald Ng MAICD, and practice statement on understanding the duty of directors to act in good faith in the best interests of the corporation.
- Effective Board Minutes: AICD and Governance Institute of Australia joint statement on board minutes sets out key issues for all boards to consider.
- Climate Change and Organisational Strategy: This primer by Climate Governance Initiative partner Pollination covers integrating climate change in organisational strategy, including scenario planning, building board and executive capability, and key questions for directors.