
Company directors must act on cybersecurity now, or risk personal liabilities

Company directors who don’t implement solid cyber governance may be at risk of personal liability, says Mackay Goodwin CEO Domenic Calabretta.

The post-COVID world is starting to look and feel markedly different from what we are accustomed to, with businesses facing new challenges and constantly adapting. One of the challenges is cybercrime. 

I recently came across a staggering statistic – since the start of the pandemic, cybercrime has risen by 300%. Considering the increasing number of random “phishing” emails hitting my inbox, it doesn’t surprise me.

I recently facilitated a Mackay Goodwin webinar at MG Academy featuring James Linton, famously known as the “guy who hacked the White House”. What resonated from this webinar is that cybercrime is not a technology problem; it’s a people problem. Considering 95% of cyberattacks occur because of human error, it’s not surprising.

So what can businesses do to build ‘cyber resilience’ and reduce human error? The answer can be summarised in two words: cyber governance.

The Australian Government recently published a discussion paper on Australia’s cyber security regulation and incentives, which identified the importance of the role of directors and officers in preventing cyber incidents.

What is cyber governance?

In layman’s terms, governance is the action or manner of governing a corporation. Good governance regulates the corporation, which comprises its people and processes. Cyber governance extends this definition to cover the “action or manner of governing the corporation over its data and information”.

Directors and officers who don’t implement solid cyber governance may be at risk of personal liability.

What is directors’ and officers’ current exposure to cyber risks?

The main legal avenue placing directors and officers at risk from cyber incidents is Section 180 of the Corporations Act 2001, which requires directors to exercise care and skill to defend the business from key risks.

For directors to avoid claims and breaches of the Act, they need to ensure their companies have appropriate systems in place to prevent and respond to cyber incidents. 

It is critical that directors no longer take cyber security lightly, as data shows crimes are increasingly being reported and there is a high probability of a data breach resulting in long-term damage to their business (and bottom line), thereby exposing them personally to legal liability.

The current landscape on cyber governance

Unfortunately, most businesses are still falling well behind on cyber governance, with many companies taking a reactive approach rather than planning for a cyber incident.

It is a recipe for disaster. The consequences of cybercrime are far-reaching. They can be catastrophic in terms of business continuity, cost implications (from lost business and the cost of getting operational again) and severe disruption. I believe there will be a noticeable increase in corporate failures due to cyber incidents if companies don’t act now.

Unless businesses take a proactive approach, they may see themselves at the mercy of scammers, hackers and malware.  

The first step to cyber governance

The first step to proper cyber governance is accepting the importance of a robust strategy on a board level. Organisations must examine how adequate their security is; increase their board’s awareness about the importance of information security; and then take steps to address it across their organisation.  

Once the board endorses and prioritises information security, it’s the green light the company needs to execute a robust cyber resilience strategy.

However, this is easier said than done, especially for small or mid-sized businesses that may not have the resources or knowledge, or large organisations that have intertwined complex business models heavily connected with supply chains.

Cyber insurance is not enough

Many directors may be dangerously relying on their organisation’s cyber insurance policy to protect their business from a cyber incident. Relying solely on insurance is a disastrous strategy that doesn’t mitigate the risk and irresponsibly accepts inevitable business losses, even before they occur.

In future, insurance companies will increase scrutiny on insurance cover placed for cyber risks, with companies (and their boards) being required to show a serious and legitimate commitment to cyber resilience and a fundamental understanding of the systems and processes in place to prevent future incidents or vulnerabilities. In other words, they will be looking for good cyber governance over time. 

Where to now?

Boards will continue to face increasing scrutiny to maintain effective data governance practices to mitigate against cyber incidents such as data breaches. If an organisation suffers a cyber incident and can’t show it has adequate cyber governance, its directors may be exposed to legal action.

Therefore, the conversation and advocacy must start at the board level. 

Regardless of your organisation’s size, seek professional advice about the best practices and tools currently available to build cyber resilience. 

Once a board sets the framework, it needs to be filtered into the organisation’s culture. The whole team should advocate and enact the company’s cyber resilience protocols. By eliminating human error as much as possible, an organisation will be well on the way to robust cyber resilience.