Are Directors Liable for Cybersecurity Neglect?
It’s the moment that company boards and their directors have been waiting for. The question of whether directors are liable for cybersecurity neglect looks like it’s been answered. During the Financial Review’s Cyber Summit in September, Australian Securities and Investment Commission chairman Joe Longo cautioned that company directors could potentially violate their obligations if their firms do not effectively address cyberattacks.
This has been hinted at for years, but recent breaches have brought this to the attention of the Australian Government.
“For all boards, cybersecurity and cyber resilience have to be top priorities,”
Longo said in a speech to the Australian Financial Review cyber summit. He goes on to say,
“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”
ASIC’s research has revealed a frequent misalignment between a company’s
- oversight of cyber risk and cyber resilience,
- how management communicates this information to the company’s directors, and
- the identification and evaluation of risks and the implementation of control measures.
Longo emphasised that addressing this misalignment is essential for organisations to fulfil their legal responsibilities. He goes on to say,
“Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties.”
It is expected that ASIC will want all businesses to have implemented appropriate measures to safeguard the personal information they hold from being misused, tampered with, lost, accessed without authorisation, changed, or disclosed. Part of this is ensuring that businesses evaluate the third-party organisations with which they share customer information.
“If you’re not evaluating your third-party cybersecurity risk, you’re deceiving yourself. And recent events show that you will suffer for it.”
So, as a Director, what can you do to protect your organisation, your customers and yourself from hackers and liability?
Priority 1 – Start Aligning to Essential Eight
An initiative of the Australian Cyber Security Centre, the Essential Eight covers eight critical areas on which to focus your cybersecurity efforts.
These strategies span three primary domains: prevention, restriction, and recovery, and each is categorised by its level of advancement.
The eight strategies are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Priority 2 – Ensure you have Cybersecurity Insurance
The insurance itself is important; however, the process of obtaining it is also valuable. Your insurance provider will evaluate your defences using publicly available data. Combining this data with your answers to the insurance questionnaire, the provider can gauge your cybersecurity resilience and recommend further measures to strengthen it.
Priority 3 – Organise regular Penetration Tests
Ensure you are regularly testing your defences to find vulnerabilities. Penetration tests are not part of Essential Eight but can highlight vulnerabilities with a simulated targeted attack.
Priority 4 – Audit your data and prune
No cybersecurity defences are 100% secure, so you must plan for the worst. Ask yourself what data would be exposed if a breach occurred today. Audit your current data and ask questions about it, such as:
- Do I need to keep any data on past clients? If so, what is the minimum required?
- Do I need to keep all this information on current clients? What can be pruned?
- Do I understand where all client data is stored?
Performing this audit regularly and pruning unnecessary data reduces your data footprint and liability footprint simultaneously.
Priority 5 – Enable 24/7 Threat Hunting and Protection
Nothing protects your environment better than a team of cybersecurity threat hunters watching for suspicious activity and acting on it immediately. Intuitive IT uses Huntress to add an extra layer of protection to your Microsoft accounts and your physical computers, so that no matter when attackers strike, someone is ready to act immediately.
Directors – Act Today
As a Director of your organisation, you can expect the cybersecurity requirements set by the Australian Government and ASIC to tighten in the coming months and years. Ensure your organisation is ahead of these requirements and avoid making a bad situation worse.
Please get in touch with Intuitive IT if we can help with any Cybersecurity or IT needs.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.