King and Wood Mallesons: International comparison of cybersecurity obligations

The AICD commissioned King & Wood Mallesons to analyse and compare existing and proposed cybersecurity obligations in Australia against those in North America, the European Union and the UK.

1. Comparing Australia’s cyber landscape

The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation.

The federal government is developing its 2023–30 Australian Cyber Security Strategy — exploring a range of policy options and considering new and enhanced obligations for Australian entities and directors to specifically address cybersecurity risks and consequences.

To contribute to this discussion, the AICD asked King & Wood Mallesons (KWM) to analyse existing and proposed cybersecurity obligations in Australia against those in North America, the European Union and the UK.

This survey highlights the significant resources and attention governments internationally are devoting to combating cyber threats. Companies and boards need to play a proactive role, cognisant that among the proposals mooted in the discussion paper shaping the federal government’s 2030 strategy is consideration of an additional specific cyber duty for directors.

2. Key findings and implications

• There are no specific cybersecurity duties imposed generally on directors in Australia, the US, Canada, the European Union and the UK.
• However, there is a growing trend to impose specific cybersecurity responsibilities on directors under industry-specific regulatory frameworks.
• Critical infrastructure is a dominating focus of cyber regulatory reforms. Australia currently imposes comparatively stronger cyber-specific obligations on directors in respect of critical infrastructure or systems of national significance.
• Significant new cybersecurity regulatory developments are expected in each jurisdiction as countries grapple with cybersecurity threats and risks. All surveyed jurisdictions recently have, or are currently upgrading, elements of cyber and privacy-related regulations.

3. Governance and board accountability

(a) Finding: There are no specific duties imposed generally on directors in relation to cybersecurity.

• As a general proposition, none of the jurisdictions surveyed has yet imposed a specific duty on directors generally to ensure the cybersecurity of their organisations.
• However, in each jurisdiction, directors owe general duties of care, skill and diligence. This means that directors should be capable of satisfying themselves that cyber risks are adequately addressed.
• We see a trend of increasing governance implications and accountability for boards and management in particular industry sectors, especially critical infrastructure.
• Other significant sectors — particularly financial services and telecommunications — are also subject to sector-specific cyber obligations. In some jurisdictions, there are similar specific regulations imposed on, or proposed for, the transport, health and AI industries.

(b) Finding: There is increasing scope for actions directly against directors.

In the US, there is a strong precedent of cybersecurity-related class actions being brought against boards and officers. In the EU and the UK, there is also clear scope for data subjects to claim compensation from directors, given that “natural persons” can be liable for breaches of the GDPR (General Data Protection Regulation) or UK GDPR.

There is far less precedent for direct actions against directors in Australia and Canada in relation to cybersecurity. This could change in Australia following the Privacy Act review proposals to introduce a direct right of action for individuals for privacy breaches, and a statutory tort for serious invasions of privacy.

4. Sector-specific cybersecurity obligations

Finding: In general, stronger sector-specific cybersecurity obligations are being introduced to address supply chain and national security cyber risks.

• Australia’s cyber-specific obligations for critical infrastructure and systems of national significance on directors are currently stronger than surveyed jurisdictions.

Critical infrastructure is a dominating focus of cyber regulatory reforms across all surveyed jurisdictions:

• In Australia, the ongoing reforms to the Security of Critical Infrastructure Act 2018 (Cth) are central to Australia’s national strategy to strengthen cybersecurity. At present, obligations are imposed on responsible entities for critical infrastructure assets in relation to reporting, notification, government assistance, risk assessment and planning.
• US federal regulation of critical industries is trending in a broadly similar direction to Australia in relation to reporting and incident notification. Its ambit is otherwise comparably limited.
• Canada’s security of critical infrastructure regime is in nascent stages. Although a cybersecurity bill is proposed, there is currently no legislation that applies specifically to Canada’s critical infrastructure.
• The EU and UK have advanced, comprehensive frameworks regulating cybersecurity of critical infrastructure. In both jurisdictions, essential services operators must take measures to detect and manage security risks and notify relevant authorities about incidents.

5. Cyber intelligence-sharing mechanisms and frameworks

Finding: Stronger multidirectional information-sharing mechanisms are expected across jurisdictions.

In each jurisdiction, there is a range of mechanisms and frameworks to facilitate intelligence sharing and cyber support in relation to cybersecurity threats and incidents. These mechanisms are largely voluntary. As cyber risks continue to grow and affect both governments and companies, there is a focus on increasing the speed and scale of cyber intelligence sharing and cyber threat blocking.

6. International coordination for cyber incidents

Finding: There is increasing international coordination in response to cyber incidents.

Recognising international coordination’s value in addressing and responding to cyber incidents, there is increasing effort to scale collaboration among the international community. For example, partnerships such as the Counter-Ransomware Initiative, the Quadrilateral Security Dialogue (Quad) and AUKUS allow Australia (and other comparator jurisdictions) to:

• Share cyber threat information
• Exchange model cybersecurity practices
• Compare sector-specific expertise
• Drive secure-by-design principles, and
• Coordinate policy and incident response activities with its international counterparts.

7. Future directions

Finding: Significant new cybersecurity regulatory developments are expected in each jurisdiction as countries grapple with cybersecurity threats and risks.

Clearly, the international cyber regulatory landscape is in a state of flux. However, in general, the surveyed jurisdictions share common cyber policy objectives to Australia. Each jurisdiction is implementing regulatory reforms to make them more cyber-secure and cyber-resilient, often in a way that is increasingly consistent. This is to be expected, given the global nature of cybersecurity risks and the natural convergence of policy outcomes and mechanisms to address them.

Implications for directors

This survey reveals trans-national resolve to fight cybercrime’s threat to privacy and prosperity, and recognition of the importance of cooperation between stakeholders to prevent and manage incidents. It also shows an increasing trend towards imposing greater responsibilities on boards and management to ensure the cybersecurity of their organisations in critical industries.

However, recent Australian government criticism of corporate responses to data breaches, and the question in its strategy discussion paper — Should the obligations of company directors specifically address cyber security risks and consequences? — suggests that the Australian government, at least, is considering broadening these obligations beyond critical industries. However, section 180 of the Corporations Act 2001 (Cth) requires directors to discharge their duties with reasonable care and diligence, which we argue already requires them to take steps to ensure mitigation and management of cybersecurity risks.

What we think would most assist directors, companies, government agencies, small and medium businesses is clear guidance on what “good” looks like, and how to actually achieve it. The AICD’s Cyber Security Governance Principles is highly recommended as a valuable starting point for anyone coming up the curve on cybersecurity governance.

This article first appeared under the headline ‘The Global Quest for Cybersecurity’ in the June 2023 issue of Company Director magazine.