The Director Sentiment Index released by the Australian Institute of Company Directors for the first half of 2021 identified cyber crime as the equal number 2 issue that would “keep [Directors] awake at night” (followed by data security as number 4). Recent high-profile hacks, ransomware attacks and data breaches involving ASX-listed entities, public institutions, universities and even regulators indicate that directors have good reason to hold these concerns.

A range of threat actors is responsible for cyber breaches in Australia, including professional hackers, hacktivists and State actors. Their attacks have involved elements of social engineering, phishing and business email compromise. Organisations are also falling victim to ransomware attacks (where data is encrypted and only released upon the payment of a ransom to unlock the data using an encryption key) or double threat ransomware attacks (which demand a ransom to prevent encrypted data from being released to the broader public).

Although it is hard to quantify, a 2018 study commissioned by Microsoft estimates that the direct economic loss to Australian businesses from cyber attacks is equivalent to A$29 billion per annum, including lost revenue, decreased profitability, fines, lawsuits and remediation. This number would have increased substantially in the 3 years since.

Australia’s unique data breach regulatory system, together with its class action environment and continuous disclosure framework, creates a complicated and volatile environment for directors to navigate in the event of a cyber attack.

This article explores the key matters which directors and in-house counsel should focus on in this cyber landscape, including the areas of potential liability for a company and its directors in the event of a cyber breach. It also explores what directors and in-house counsel can do to get on the front foot in order to prepare for, and respond to, a cyber attack.

The concept of "materiality" in terms of its capacity to influence a person whether to acquire or dispose of shares must refer to information which is non-trivial at least. It is insufficient that the information "may" or "might" influence a decision: it is "would" or "would be likely" that is required to be shown ... Materiality may also then depend upon a balancing of both the indicated probability that the event will occur and the anticipated magnitude of the event on the company's affairs ... Finally, the accounting treatment of 'materiality' may not be irrelevant if the information is of a financial nature that ought to be disclosed in the company's accounts. But accounting materiality does have a different, albeit not completely unrelated, focus. [para 96]

mitigate the risk of companies and their officers being subject to opportunistic class actions under our continuous disclosure laws and in doing so, will support companies and their officers to release forward-looking guidance to the market. He also said that introducing a fault element will more closely align Australia's continuous disclosure regime with that of the United States and the United Kingdom.