Cyber Security And Corporate Responsibility
The Australian Cyber Security Centre received more than 67,500 reports of cybercrime in the 2020-2021 financial year. When malicious actors target companies, they can gain access to alter, use or destroy sensitive and confidential information, extort funds from users, or interrupt normal business operations. All companies should be proactive about cyber security in their own commercial interests. Some Australian companies, however, also have a legal obligation to maintain cyber security. Under these obligations, a company must protect its networks, systems and programs from digital attacks. This article explains a company’s legal responsibility to address cyber security.
Good cyber security practices promote a culture of trust and accountability and are a cornerstone of any well-run business. Clients and customers need to feel safe handing over their sensitive data to businesses. Beyond that commercial incentive, Australian companies that collect or keep consumer financial data have a legal responsibility to safeguard against cyberattacks. As the Australian Securities and Investments Commission (ASIC) noted in its 2015 report on cyber resilience, regulated companies must address the rising threat of cyber risk as part of their corporate obligations.
ASIC provides guidance to companies and organisations on good cyber security practices. This guidance recommends that the board of directors have direct oversight of cyber security. Company directors should periodically review their cyber strategy, keep cyber security policies and procedures up to date, manage the risk posed by third parties (suppliers and service providers with access to company systems or data), and put continuous monitoring systems in place so that incidents are detected promptly rather than months after the fact.
Notifiable Data Breaches Scheme
The Office of the Australian Information Commissioner (OAIC) recommends that organisations have a response plan for assessing, containing and managing data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2017 requires organisations covered by the Privacy Act 1988 to notify the OAIC, and the individuals affected, of any data breach that is likely to result in serious harm to those individuals. The notification must include the organisation’s identity and contact details, a description of the breach, the kinds of information involved, and recommendations about the steps affected individuals should take in response.
Cyber Security Case Study
ASIC v RI Advice Group is a landmark case for the Australian Securities and Investments Commission. It is the first time ASIC has initiated legal proceedings for a contravention of Australian financial services (AFS) licensee obligations arising from deficient cyber security practices. In August 2020, ASIC commenced Federal Court proceedings against RI Advice Group, a former subsidiary of ANZ bank. ASIC accuses the financial services company of contravening its general obligations as an AFS licensee, including its risk management obligations, under section 912A of the Corporations Act 2001.
RI Advice Group experienced a series of cyber incidents between 2016 and 2020, including unauthorised access to email accounts and ransomware infections of company computers. In one of these attacks, files were encrypted, rendering them inaccessible. In another incident, attackers had unauthorised access to sensitive client information on company servers for six days, and the intrusion went undetected for three months. During this period, the company received cyber security reports that flagged the need for stronger password controls, including multi-factor authentication. These reports also recommended that RI examine the cyber security posture of its authorised representatives. RI did not act on these recommendations.
ASIC claims that RI failed to implement adequate policies, resources and systems to manage cyber security risk, in breach of its obligations as an AFS licensee. This exposed the company, its advisers and its customers to an unacceptable level of risk. ASIC alleges that when RI became aware of the cyber breaches, it failed to:
- Seek expert cyber security advice;
- Undertake risk assessment across their network of authorised representatives; and
- Swiftly implement a cyber security framework.
RI Advice Group is contesting the action on the basis that the allegations are general in nature and relate to a small number of cyberattacks. RI also contends that, for the most part, no client data was compromised.
ASIC seeks orders that RI pay a financial penalty and be subject to a compliance order requiring it to implement adequate cyber security risk management, with an independent expert to verify that the required controls have in fact been implemented.
Key Cyber Security Takeaways For Corporations
As companies increasingly move their operations online, financial service providers are prime targets for cyberattacks. ASIC v RI Advice Group signals ASIC’s shift towards active enforcement of corporate legal responsibility for cyber security. It is also a warning to financial service providers that they must maintain adequate cyber security systems, act on the findings of their own security reviews, and take security breaches seriously.
Other regulators such as the ACCC and APRA are likely to follow ASIC’s lead in pursuing breaches of cyber security standards. Companies need to be able to demonstrate that they have taken all reasonable steps to ensure their processes and technology are appropriate, which means keeping records of risk assessments, remediation decisions and the timeframes in which they were carried out. One prudent precaution is to engage independent cyber security experts to regularly review company systems; no single measure is failsafe, but an independent review, acted upon promptly, is strong evidence that the company is managing cyber risk rather than ignoring it.
Cyberattacks and data breaches require an immediate and decisive response. Get in touch with the corporate law team at Armstrong Legal if you have any questions about corporate obligations under the Corporations Act. For any advice on legal responsibility in relation to cybersecurity, data privacy, financial services regulation, corporate crime and dispute resolution, please call 1300 038 223.