Is your company prepared if all ASX top 200 companies need to comply with CPS 234-like cyber security obligations?

The importance of Australian companies being “cyber-prepared” and “cyber-resilient” in order to protect themselves, their information assets and their customers against cyber risks is an area of increased focus and concern. The Australian Government has committed, as part of Australia’s Cyber Security Strategy 2020 (Strategy), to investing $1.67 billion over 10 years to create a safer, more secure online world for Australians. The Strategy states that this investment will be delivered through action by governments to strengthen cyber protections for sophisticated threats, by businesses to protect them from known vulnerabilities and by the community to practice secure online behaviours (see our summary article: Australia’s Cyber Security Strategy 2020: What you need to know).

The Strategy sets out (at paragraph 36) that multiple reform options are being considered to achieve this, including “the role of privacy, consumer and data protection laws; duties for company directors and other business entities; and obligations on manufacturers and internet connected devices”. In line with the Strategy, the Government has already proposed a number of legislative amendments to increase the robustness of Australia’s privacy and cyber security framework, with regard to the Privacy Act 1988, the Security of Critical Infrastructure Act 2018 and the Voluntary IoT Code of Practice. Whether the Government intends further regulatory reform is yet to be determined, however a recent opinion piece in the Australian Financial Review (AFR) has reported that:

• data security and risk experts have formed the view that reform will constitute significant amendments to the Corporations Act 2001 (Cth) (Corporations Act) and directors’ duties with the introduction of obligations regarding cybersecurity; and
• the form of such amendments may obligate all Australian ASX 200 companies to implement information security measures similar to the requirements imposed on entities regulated by the Australian Prudential Regulation Authority (APRA) under its CPS 234 Prudential Standard. 

Existing obligations in relation to cybersecurity

If the AFR is correct in this assumption, the introduction of cyber security obligations similar to those under CPS 234 would have significant implications for senior management, governing bodies and boards of a broader range of companies and the introduction of minimum requirements in relation to information security measures under the Corporations Act would significantly increase the obligations on directors, particularly in establishing, maintaining and reviewing information security protections.

Currently, under the Corporations Act, directors have a range of legal responsibilities and duties relating to the running of their companies. The majority of these duties are broad, relating to the use of care and diligence, good faith, and ensuring directors don’t improperly use information or their position. Additional duties relating to disclosure of directors’ interests and information not available to the market are similarly general.

Academics from the University of Sydney Business School have suggested that directors’ obligations under sections 299, 299A and 300 of the Corporations Act already require directors to consider and disclose their company’s cyber risks in their directors’ report, however, these obligations are not specifically cyber security related and cyber risks could therefore be easily overlooked. As such, for most large companies, the disclosures required under the above sections are likely insufficient to satisfy the obligations under CPS 234. 

What is APRA CPS 234?

CPS 234 is a Prudential Standard and applies to APRA-regulated entities, including banks, credit unions and superannuation funds. Under CPS 234, APRA-regulated entities must take cyber risk management measures to strengthen their information security capabilities in relation to the evolving threats to, and protection of, their information assets.  

The key requirements under CPS 234 include that the relevant entity:

• implement and maintain information security protections in response to changes in vulnerabilities and threats;
• ensure third party compliance with CPS 234, such as by sub-contractors and other entities who manage information on behalf of the entity;
• maintain an IT security policy framework commensurate with the exposures to vulnerabilities and threats;
• implement and systematically test relevant information security controls;
• ensure appropriate incident management, including that robust mechanisms and plans are in place to detect and respond to information security incidents;
• conduct internal audit of information security controls, including a review of design and effectiveness;
• implement processes to ensure notification to APRA of any incidents that materially affect customers, or any control weaknesses the organisation cannot remediate in a timely manner.

Continuous review and improvement of an entity’s cyber risk management procedures and protocols is at the core of the obligations under CPS 234 in the context of an everchanging cyber landscape.  CPS 234 makes it clear that the ultimate responsibility for ensuring compliance lies with the Board. For further information on CPS 234 see our articles on CPS 234: 8 things you didn't know about APRA's new cybersecurity standard and Don't forget - if you have information assets managed by third parties the deadline for CPS 234 compliance is 1 July 2020.

Preparing for potential CPS 234-like changes

The AFR has suggested that if amendments to directors’ duties are proposed, they are likely to be implemented in the latter half of 2021.

Developing and implementing policies and significant information security controls takes considerable time and investment. APRA has disclosed that many of its regulated entities are still failing to adequately comply with CPS 234 despite it being over 18 months since the standard commenced, highlighting the significant time and resources required for adequate implementation. This is particularly so in relation to obligations to ensure third party compliance with CPS 234 where an entity’s information assets are managed by a third party, as this requires the negotiation of CPS 234 obligations into third party contracts with suppliers who may not otherwise be required to comply with CPS 234.

Even if the amendments suggested by the AFR do not eventuate, all companies, regardless of their legal requirements or any potential legislative changes, should be considering measures to protect themselves and their customers against cyber risks. This is for a number of reasons. First, if a company has insufficient information security measures, there is a significant risk of reputational damage that may occur from major data breaches due to degradation of customer trust, and secondly, even if such reforms are not implemented under the Corporations Act as suggested by the AFR, companies may still need to be prepare for further legislative requirements that may likely be imposed upon them in the near future, as alluded to in the Strategy.

In our current climate of heightened cyber risks and increased consequences for information security incidents, all companies should build their cyber security processes and procedures to ensure these processes are commensurate with the threats the companies face. As a matter of best practice companies should be considering the cyber risks that they may face, potential mitigation measures and consider changes to internal policies and practices relating to information security pre-emptively including investing in robust data protection and information security controls where necessary.

As a preparatory measure, it could be worthwhile for large companies to review CPS 234 and identify areas where adequate compliance is already achieved and highlight potential areas to be improved and update their compliance frameworks accordingly. It’s now well understood that cyber attacks and the exploitation of information security vulnerabilities of commercial and government entities are becoming increasingly commonplace, meaning the security risks for large companies, such as ASX 200 companies, are only increasing. While it’s not yet known how the Government will action the Strategy and reform “duties for company directors and other business entities”, given the time and investment necessary to transition large corporate entities to implement and maintain robust information security controls, companies should start now to build a comprehensive cyber security roadmap. Future reforms to the duties of company directors and business entities will only reinforce this.

Authors: India Monaghan, Isobel O’Brien, Jen Bradley and Tim Gole