Cybersecurity is a national security and corporate imperative, writes David Gonski AC FAICDLife with assistance from Ashurst’s Legal Governance Advisory and Risk Advisory Practices. In this edited extract from his NSW Supreme Court Bathurst lecture, he ponders which mechanisms can give boards much-needed clarity — and security.
In 2021 an Australian organisation suffered a cyber attack every 11 seconds, costing the Australian economy an estimated $42 billion per year. As cybercriminals profit from successful attacks, they continue to invest in technologies, artificial intelligence and machine learning that enable them to grow in sophistication and improve their capabilities to undermine the cyber defences put in their way.
Boards of directors, executive leadership teams, policymakers, regulators and legal systems generally need to continue to mature and evolve their understanding and governance of, and investment in, cyber risk management and enforcement.
However, the current regulatory framework governing cybersecurity and cyber risk in Australia is fragmented. Cybersecurity laws are a patchwork of conduct- and sector-specific rules and regulations. In the context of cybersecurity and risk, businesses are regulated by the Australian Competition and Consumer Commission (ACCC), Australian Securities and Investments Commission (ASIC), Office of the Australian Information Commissioner (OAIC) and the Commonwealth Director of Public Prosecutions (CDPP). Listed entities are also subject to ASX rules, and financial services entities are governed by the Australian Prudential Regulation Authority (APRA). Australia’s critical infrastructure assets are regulated by the Department of Home Affairs’ critical infrastructure laws.
Where does this leave directors? Very worried. I don’t have the magical answer, but as a director of many companies, I set out below some issues where I do have strong views.
Understanding liability under the Corporations Act
The Corporations Act 2001 sets out a number of obligations on directors and includes penalties for contravention, which are severe and may include imprisonment, significant penalties and/or personal liability.
The Australian landscape in relation to directors’ duties has gradually shifted over time to impose greater personal liability on directors, who are often now judged not on the basis of actual knowledge and conduct, but rather on what they ought to have known or done. This is often quite concerning, as by the time the offence reaches judgement, the expectations made of directors may have changed from the time the event actually took place.
In the area of cybersecurity, and cyber risk, the most relevant provisions in the Corporations Act are sections 180 and 181. Section 180 requires directors to discharge their duties with care and diligence. Section 181 requires them to act in good faith and in the best interests of the company.
Directors who fail to properly consider cyber risks and the cybersecurity of their company risk breaching their duty of care and diligence. It follows that a failure to implement adequate cybersecurity frameworks to mitigate the risks may result in directors being held responsible for failing to prevent a foreseeable breach. Further, a failure or inaction to uphold cybersecurity best practices may constitute a director’s failure to act in good faith and in the best interests of the company.
This raises the question for directors of how they obtain the necessary cyber literacy to carry out their duties in circumstances where it is widely accepted that cyber risk management is a highly technical area of expertise.
There is no doubt that directors must take a proactive approach to overseeing how cybersecurity is handled within the company. The more difficult question is: how far is the obligation placed upon them to ensure that plans, including business continuity and crisis management, are in existence, able to function and, indeed, work?
Payment of ransomware demands — legal or illegal?
If a company is hit by a ransomware attack and a demand is made, directors are faced with a choice — to pay or not to pay. Although this question seems simple, the decision involves a myriad of complex considerations. If the directors determine to pay the demands, the questions that arise are:
- Is it legal to do so?
- Will a payment result in the restoration of the company’s access to its systems and prevent disclosure of stolen data?
- Will it start an avalanche of further ransomware demands as the criminals then know the company pays ransoms?
The dilemma for the director is very difficult. On the one hand, the payment of the ransom may see an action against the directors by authorities if any part of it is illegal and, in addition, shareholders may sue the directors for failure to act with due diligence. On the other hand, if the board determines not to pay a ransom, shareholder action could still occur through class actions and the like, based on losses of profit for not paying the ransom. There is presently no clear prohibition in Australian law against ransomware payments. However, the actual payment may well be illegal even though such an overall prohibition doesn’t exist. In certain circumstances, making a ransomware payment may constitute an offence for which the company is liable and, in turn, its directors.
The Charter of the United Nations Act 1945 (Cth) (UN Charter) and Autonomous Sanctions Act 2011 (Cth) prohibit making funds or assets available to a sanctioned organisation — set out in the Department of Foreign Affairs and Trade’s consolidated list. Some ransomware participants belong to sanctioned organisations. A company found to have violated Australian sanctions laws may be able to rely on the defence under Section 21 (2E) of the UN Charter if it proves that it took reasonable precautions and exercised due diligence to avoid the contravention.
It is also possible that a company that makes a ransomware payment could be liable under the USA Patriot Act 2001, which has extraterritorial reach and prohibits companies from providing material support to terrorist organisations.
The federal Criminal Code Act 1995 (Cth) also makes it an offence to intentionally provide resources that would help a terrorist organisation involved in a terrorist act — even if the company is merely reckless as to whether the organisation is in fact a terrorist organisation. And if the ransomware funds being paid can be seen to be monies used to commit any crime, then the person paying the money may be liable for a money-laundering offence under Division 400 of the Act.
An interesting argument arises here. If it is a crime to extort money in these circumstances, particularly if critical infrastructure is involved, does Division 400 make it an offence now to pay the ransom as those monies will be used in committing the crime? Defences to Division 400 include duress, “self-defence” and “sudden or extraordinary emergency”.
The major difficulty for directors when considering how to respond to a ransomware demand is the absence of clear judicial guidance on how courts will interpret and apply the various defences referred to above. Accordingly, the payment of a ransom demand could expose a company to criminal charges at a later date.
The policy stance of the Australian government is not to make ransomware payments under any circumstance. Nevertheless, the untested legal environment and lack of clarity draws significant criticism within business circles where company directors with the best of intentions could face criminal liability for the payment of a ransom.
There is considerable argument in favour of the government legislating to make payment of a ransom illegal, except in the most exceptional circumstances where there is a risk to life. To do so would solve the decision for directors and potentially mean that demands on Australian companies shouldn’t be made as frequently, as those making them will know that no payment can legally flow from it.
Some believe this will move the demands towards circumstances where there is a “risk to life”. Others argue that such legislation is too prescriptive, could prevent directors solving a problem quickly and may exacerbate the possibility of losing their systems and/or data. Some also argue that mandatory notification provisions are a better way to focus attention on the problem.
This should be debated more fully. Probably the best solution is to prohibit payments except in designated circumstances, and perhaps to use the panel of experts (see below) as a way of assisting when such exemptions should apply.
Another solution is to stipulate in the Corporations Act that a director will not be liable for an offence for “not paying a ransomware demand”, rather than making the payment specifically illegal. This would mean directors know they have no liability if they decide not to pay — and it follows they have bigger liability if they do.
A cyber disputes panel
Cybersecurity is a very specialised area with much technicality, which is developing quickly. Any delays in decisions can be expensive and potentially dangerous. This has made me consider the virtue of establishing a cyber panel. Its purpose would be to make decisions in specified circumstances and to make them quickly, bringing specialisation and technical knowledge to bear. This could be modelled on the Takeover Panel, a peer review body comprised of part-time members appointed from the takeover advisory and business community.
There are a number of examples where such a panel could have jurisdiction. The first is to assist in helping the relevant minister to authorise the Australian Signals Directorate to intervene in the operation of critical infrastructure assets where there is a serious cybersecurity incident impacting those assets.
Powers the minister has to authorise actions in these circumstances include:
- Giving direction to a specific entity for the purpose of gathering information
- Giving specified directions to an entity to do one or more things in order to respond to an incident
- Requesting an authorised agency (ASD) to provide specified assistance and cooperation to respond to the incident.
The minister has step-in powers where an entity is “unwilling or unable” to comply with a direction or authorisation in relation to a cyber incident affecting critical infrastructure assets. The panel could provide an urgent avenue of appeal, endorsing or rejecting the question of whether the minister should actually do so.
Given the far-reaching nature of the minister’s powers — and that judicial review of the minister’s decisions is expressly excluded in the legislation — further protection of the legitimate interests of the entity could be provided by giving the cyber panel the power to urgently review the minister’s decision. The benefit would be to prevent unwarranted encroachments on the freedom of business made by legislation such as this — there would be an avenue of appeal previously denied.
From the minister’s point of view, although he or she would lose the absolute authority of the Act, they would instead gain the opportunity of outside review on an urgent basis by those equipped to do so, potentially preventing adverse criticism and possible court actions being taken against the minister at a later date.
The cyber panel could also have input in determining whether a ransomware demand can be paid in circumstances where the government comes to the conclusion that ransomware demands should not be paid unless there is risk to life or other mitigating circumstances. The cyber panel could make the determination on the application within a period of 24 hours, or shorter, thereby protecting directors and the corporation from breach of that legislation and from claims in respect of their dealings in that regard.
The cyber panel may also have a role to play in relation to standards. If standards are indeed put together, and if it flows as I suggest below, that directors who have achieved that minimum standard have some protection through safe harbour or general law — the panel could be approached where the standards are not clear or there is a need for a determination of what is required. The panel also could be an avenue for extension of the standards in certain circumstances.
Cyber safe harbour
Immense obligations on directors give rise to the question of whether some sort of “safe harbour” or “business judgement” rule should be sought and given to directors. By this term, I refer to rules which, if adhered to, provide an excuse or exemption to the obligations otherwise placed on the director.
The advantages are obvious. First, it may remove a developing deterrent to potential excellent candidates joining boards. Without such a safety valve, potentially good board candidates are increasingly preferring to become advisory board members only, or stick to non-listed entities. Second, depending on how the safe harbour is drafted, it can assist in directing how the board should handle these matters and give further insight into what is expected of them.
Other countries have made some inroads in developing statutory cybersecurity defences. Although there are substantial variations between the relevant defences, all have one thing in common — they require evidence of compliance with either a particular cybersecurity standard/framework, or a standard/framework that is “reasonable”.
In the US, Ohio was the first state to pass the cybersecurity affirmative defence in 2018. Connecticut and Utah adopted their Acts in 2021. All three statutes generally encourage companies to develop and maintain a cybersecurity program that conforms to industry standards.
Several American states have proposed similar safe harbour laws. Georgia introduced legislation in 2021, which provides an affirmative defence to cybersecurity liabilities and a “reasonable” framework that takes into consideration the size and complexity of the company and the sensitivity of the information protected.
I believe directors should seek and welcome the introduction in Australia of a cybersecurity safe harbour provision. In saying this, I note that some question the fairness of safe harbour provisions. This is based on the contention that, with a safe harbour provision, the onus shifts from the plaintiff/prosecution to the defence. They argue: would it not be better for those having to prove the offence to have to also prove that the safe harbour provisions do not apply? I see the logic in this argument, but note a shift in onus is not as bad as not having the provision at all. I would welcome the requirement for this safe harbour exception potentially being that the corporation has met designated public standards, provided these are clear, kept up to date and reasonable.
The absence of a safe harbour provision undoubtedly will leave the interpretation of the fairly onerous provisions placed upon directors difficult to fathom in an area that is growing quickly. The liabilities of corporations and their directors, established well before the coming of cyber and its related technologies, stand to make directors and corporations potentially liable in many circumstances. One of the biggest risks is that the area is developing so quickly that what directors believe is normal and sufficient at the time of a breach may well be almost totally forgotten in months, if not years later, when the dispute concerning that event comes to litigation.
The essence of my message is that this is an area that regulators, lawyers and those practising in the field need to grapple with quickly. Minds more involved in the area than mine will have more to add. If focus is not urgently brought to bear on this, at the very least, good potential directors will fear getting involved in corporations. And, which may be even worse, the fear of liability will result in normal and proper business risks not being taken for the advancement of the relevant corporations.
The Bathurst Lecture was prepared with the assistance of Rob Hanley, Miriam Kleiner, Maxine Viertmann (Ashurst Legal Governance Advisory), John Macpherson (Ashurst Risk Advisory) and Joshua Smith (Ashurst Board Advisory).
Tips for cyber upskilling
Ultimately, a director must be a generalist first. If they have expertise in an area on top of that, it would be desirable for them to know they are appointed not just for their expertise/specialisation, but for what they bring generally to the board. David Gonski AC FAICDLife outlines five ways boards can augment their cyber capability and knowledge individually and around the boardroom table.
1. Board risk committee
A better solution than introducing a specialist to the board may be to give the role of following developments and information on cyber risk to the board risk committee (and if a separate board risk committee doesn’t exist, to the audit/risk committee) and to place on that committee the experts that can be found either as permanent members of that committee or as consultants to it. The committee being charged with this role can give the necessary focus to it and obtain the outside input that may be required and desirable. The minutes, together with the chair's explanation, should feature, as is normally the case, at each relevant board meeting.
2. General upskilling
The board should seek to familiarise itself and its various members with the generalities of the cybersecurity problem. This can be done by having cybersecurity as a regular update at board meetings, and as an item of education, at least once a year, when a couple of hours are spent with an outside expert hearing what developments are taking place. Board members should be encouraged to take steps to familiarise themselves with the issues, including attending AICD updates on cyber.
3. Simulations
Getting the whole board involved every year or two in a simulation is extremely useful. Not only does this highlight what deficits the board may have in understanding what is going on, but also how personalities around the board table will react to a difficult situation. At the very least, a simulation can show board members what the procedures will be and contest whether the policies and procedures are easy to find, easy to follow and, from the simulation itself, adequate. Many organisations run and/or arrange these simulations professionally and they can be scarily realistic.
4. Monitoring developments
Board members should regularly be sent updates on what is happening in the company, and generally, in the area of cybersecurity. Directors should be encouraged to bring cyber “war stories” to the board table. Sharing them with their fellow directors and management can certainly assist a corporation in getting ready. It is one of the strengths of the non-executive director model that, without breaching confidences, directors can bring experiences to the table from elsewhere.
5. Dedicated discussions
At strategy meetings, management and board should be encouraged to spend time talking about the issue. Preparedness for the inevitable is one part, the other is using it as an opportunity for all to bring their combined knowledge and capacities to ensure their corporation is as ready as it can be.
Practice resources — supporting good governance
The AICD has a number of resources available to members and the public on cybersecurity governance.
The AICD online course The Board’s Role in Cyber will help experienced board directors gain the knowledge and confidence to assist in preparing a robust strategy to manage a cyber threat effectively.
Additionally, the AICD offers the following member-only director tools relevant to cybersecurity governance:
- Information technology governance
- Managing a data breach: Ten oversight questions for directors
- Data and privacy governance
In coming months, the AICD will be expanding its guidance for members through the joint publication, with the Cyber Security Cooperative Research Centre, of the Cyber Security Governance Principles. More details will be available in future editions of Company Director magazine.