The Director Sentiment Index released by the Australian Institute of Company Directors for the first half of 2021 identified cyber crime as the equal number 2 issue that would “keep [Directors] awake at night”, with data security at number 4. Recent high-profile hacks, ransomware attacks and data breaches involving ASX listed entities, public institutions, universities and even regulators indicate that directors have good reason to hold these concerns.
A range of threat actors are responsible for cyber breaches in Australia, including professional hackers, hacktivists and State actors. Their attacks commonly involve social engineering, phishing and business email compromise. Organisations are also falling victim to ransomware attacks (where data is encrypted and the decryption key is only released upon payment of a ransom) and double extortion ransomware attacks (where the attacker also copies data out of the network before encrypting it and demands a ransom to prevent the stolen data from being published).
Although it is hard to quantify, a 2018 study commissioned by Microsoft estimated the direct economic loss to Australian businesses from cyber attacks at around A$29 billion per annum, including lost revenue, decreased profitability, fines, lawsuits and remediation. That figure is likely to have increased substantially in the three years since.
Australia’s unique data breach regulatory system, coupled with its class action environment and continuous disclosure framework, combine to create a complicated and volatile environment for directors to navigate in the event of a cyber attack.
This article explores the key matters which directors and in-house counsel should focus on in this cyber landscape, including the areas of potential liability for a company and its directors in the event of a cyber breach. It also explores what directors and in-house counsel can do to get on the front foot in order to prepare for, and respond to, a cyber attack.
Directors’ duties
It is widely accepted that cyber security risk is an important risk which should be on directors’ radars in overseeing and managing the affairs of a company. However, there is no specific duty on directors in the Corporations Act to consider this risk.
Rather, the main source of potential liability for directors in the event of a cyber attack is founded in the general duty of care and diligence.
The recent decision in Cassimatis v ASIC makes it clear that, for a director to have breached the duty of care and diligence, there must have been a foreseeable risk of harm to the company and the director must have failed to take the care a reasonable director in that position would have taken to guard against that harm.
On 13 July 2021, the Australian Government released Strengthening Australia’s cyber security regulations and incentives (the Paper), seeking consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy. As mentioned in our recent article, the Paper sought feedback about the best way to encourage stronger cyber security risk management within large businesses and, amongst various proposals, put forward three alternative models around directors’ duties:
- Option 1: Status quo – keeping the law as it is and leaving it to boards of large companies to manage their own cyber risks as they see fit;
- Option 2: Voluntary governance standards – implementing a voluntary standard which describes the recommended responsibilities for boards of large companies and complements the current regulatory regime for cyber security. In developing voluntary standards, the Paper proposes a co-design process with industry to develop a realistic standard with industry buy-in, as well as aligning Australia’s standards with those implemented internationally; or
- Option 3: Mandatory governance standards – implementing standards similar to those considered under option 2, however, making compliance mandatory and requiring adherence within a timeframe to be specified.
The Paper appears to favour a voluntary standard over a mandatory one. Although a mandatory standard may improve Australia’s protection of its cyber assets (depending on what the standard is), the costs and inflexibility of implementing a mandatory scheme could outweigh the benefits. The Paper suggests that the co-design process for a voluntary standard will provide greater industry buy-in and concludes that a voluntary standard would produce a positive net impact on cyber security for Australian businesses. Written submissions on the Paper were due by 27 August 2021.
Directors of entities considered critical under the Security of Critical Infrastructure Act 2018 will also soon have additional compliance considerations to contend with around cyber issues. Legislation currently before Parliament would substantially expand the scope of that Act by focusing specifically on cyber security threats to critical infrastructure. The Bill widens the categories of critical infrastructure assets and imposes enhanced cyber and reporting obligations. The obligations and regulatory powers go well beyond those contained in equivalent laws globally, not least an ability for the Australian Signals Directorate to step in and take control of critical asset IT systems that have been hit by a cyber attack.
Licensing obligations
Regulators are also looking at obligations arising under licensing regimes as a hook on which to hang liability for cyber security failures.
For example, ASIC has already contended that inadequate cyber security arrangements may breach various obligations incumbent on Australian Financial Services Licence holders, including under section 912A of the Corporations Act. This may extend beyond actual cyber events to the activities of an entity in identifying risks relating to cyber security and cyber resilience, and development of strategies, policies, plans and procedures to adequately manage these risks.
Continuous disclosure
When a listed company discovers it has been the victim of a cyber attack, one of the immediate questions which will need to be determined is what, if anything, needs to be disclosed to ASX.
ASX listed entities are required to immediately disclose to ASX any information they become aware of that a reasonable person would expect to have a material effect on the price or value of the entity’s securities, unless an exception to disclosure is available. A breach of these provisions may expose the company and its directors to ASIC civil penalty proceedings and to a shareholder class action (see further below).
An assessment of whether disclosure is required under the continuous disclosure regime should involve a consideration of the following:
Awareness
The company must consider what it is actually aware of at the time it is considering its disclosure obligations (e.g. immediately after becoming aware of the cyber attack) without jumping ahead and focusing on the potential (but not yet known) consequences of the attack.
ASX recognises that sometimes the initial information surrounding a particular event or circumstance is such that the entity cannot reasonably form a view as to whether it is market sensitive. The entity may need to wait for further, more complete, information before determining whether the information is market sensitive.
The reasonable person
The company must consider whether, if information about the attack that is known by the company at the relevant time was generally known, a reasonable person would expect it to have a material effect on the price or value of the company’s securities.
A reasonable person is taken to expect information to have a material effect on price or value if the information “would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose” of the company’s securities. ASX interprets this as a reference to persons who commonly buy and hold securities for a period of time. It does not include traders who seek to take advantage from short-term price fluctuations, and who trade into and out of securities without reference to their inherent value.
As a method of focusing on this question, it is often helpful to formulate what information might actually be put into a market release if one was to be made. For instance, a company’s awareness may be such that it could only announce that there has been a cyber breach of some kind, the extent of which is currently unknown, but that further investigations are taking place. It may be possible to form a view that a reasonable person would not expect such a vague and uncertain announcement to have a material effect on the price or value of the company’s securities. By contrast, if the cyber attack impacts the ability of the company to conduct its business, or impacts on customers’ willingness to interact with the business, then a reasonable person may well expect that information to have a material effect on the price or value of the company’s securities. This also feeds into an assessment of the materiality of the information possessed by the company.
Materiality
The materiality of a cyber breach can sometimes be difficult to assess. When the occurrence of a cyber breach first becomes known, the extent of the breach and its implications will usually not yet be able to be fully understood. As the investigations progress, more information may come to light and the company’s awareness and knowledge in respect of the breach ripens. In these circumstances, an assessment of materiality will involve matters of judgement balancing probability and magnitude of outcomes.
As stated by the Full Federal Court in Grant-Taylor v Babcock & Brown Limited (in Liquidation):
“The concept of ‘materiality’ in terms of its capacity to influence a person whether to acquire or dispose of shares must refer to information which is non-trivial at least. It is insufficient that the information ‘may’ or ‘might’ influence a decision: it is ‘would’ or ‘would be likely’ that is required to be shown ... Materiality may also then depend upon a balancing of both the indicated probability that the event will occur and the anticipated magnitude of the event on the company’s affairs ... Finally, the accounting treatment of ‘materiality’ may not be irrelevant if the information is of a financial nature that ought to be disclosed in the company’s accounts. But accounting materiality does have a different, albeit not completely unrelated, focus.” [para 96]
In making a decision on whether to disclose certain information, ASX suggests that it is useful to ask two questions:
- Would this information influence my decision to buy or sell securities in the company at their current market price?
- Would I feel exposed to an action for insider trading if I were to buy or sell securities in the entity at their current market price, knowing this information has not been disclosed to the market?
If the answer to either question is “yes”, then it is possible that immediate disclosure may be required.
Exceptions to disclosure
If the information is material so as to require disclosure, the company may still be able to rely on an exception to disclosure. The most relevant exception in the context of a cyber breach requires that the information is confidential, is “insufficiently definite to warrant disclosure” and a reasonable person would not expect it to be disclosed.
Relevant criteria guiding this assessment include whether:
- the information is too vague, embryonic or imprecise to warrant disclosure;
- the veracity of the information is too open to doubt; or
- the likelihood of the matter occurring, or its impact if it does occur, is too uncertain.
Indeed, information may be so uncertain or indefinite that it is not in fact market sensitive, creating a feedback loop to the initial assessment of materiality.
Importantly, this exception does not apply where the company is aware of information that will certainly have a material effect on the price or value of its securities, but where it simply may take time to quantify that impact. The exception will also cease to apply as more information comes to light which is material.
Class action exposure
Companies who are the victim of a cyber attack also face potential class action exposure from shareholders and from affected individuals.
Shareholder class actions
As mentioned above, decisions about disclosure to ASX concerning the existence of a cyber attack and its implications are difficult, particularly as the issue can ripen and develop over time. If the company makes the wrong call and discloses the breach too late (or not at all), the company is susceptible to a shareholder class action alleging breaches of the continuous disclosure requirements as well as misleading and deceptive conduct.
Recent reforms to the continuous disclosure framework do, however, provide some comfort to ASX listed companies and their directors when making these difficult disclosure decisions, as the prospect of civil liability for making the wrong call is now greatly diminished. In particular, the Treasury Laws Amendment (2021 Measures No. 1) Act 2021 amended the Corporations Act with effect from 13 August 2021 to introduce a fault element for civil penalty liability in respect of continuous disclosure obligations. As outlined in our recent publication, civil liability for continuous disclosure errors will be limited to circumstances where companies, directors or officers can be shown to have actual knowledge that the disclosure is incorrect or where they act recklessly or negligently.
Federal Treasurer, Josh Frydenberg MP stated that these changes will “mitigate the risk of companies and their officers being subject to opportunistic class actions under our continuous disclosure laws and in doing so, will support companies and their officers to release forward-looking guidance to the market”. He also said that “Introducing a fault element will more closely align Australia's continuous disclosure regime with that of the United States and the United Kingdom.”
A two-year sunset clause on the legislation, however, was required to secure the crucial support of One Nation Senator Pauline Hanson. This might prove inadequate, as class actions can take longer than two years to resolve once commenced. We note also that ASIC could still issue infringement notices, regardless of the new “state of mind” defences.
Class actions from affected individuals
In addition to shareholder class actions, companies and directors also face prospective class actions from individuals affected by a cyber attack alleging failure by the company and / or the directors to properly respond to security breaches. In particular, if the entity suffers a second cyber attack which compromises customer data or property, a class action might allege that a failure to take the first attack seriously and take appropriate action resulted in loss or damage to the plaintiff class.
Paying a ransom
There is no Australian law that specifically prohibits payment of a ransom following a ransomware attack. However, the instrument of crime provisions in Division 400 of the Criminal Code (Cth) make it a serious criminal offence for a person to deal with money or property where:
- there is a risk that it will be used in the commission of, or used to facilitate the commission of, an indictable offence in Australia or overseas; and
- the person dealing with the money is reckless or negligent as to whether the money will become an instrument of crime.
A company on the receiving end of a ransomware attack will need to try to determine who is extorting the payment. If the attacker is a well-known ransomware gang, then there is a risk that these provisions might be triggered as the ransom payment might be used to fund future illegal attacks.
It is likely, however, that the defence of duress could be available to the compromised company, especially in a double threat ransomware attack where there is an additional threat to the company that confidential data would be disclosed to the public. Read our article for more information on the legality of paying a ransom.
What directors and in-house counsel can do
To minimise the risk of harm to the company from an attack (and also liability for its consequences), directors need to take ownership of the cyber strategy. This includes:
- ensuring that there are adequate cyber risk management systems in place which focus on cyber security and which are integrated, so that security, IT, legal and the business are talking to one another rather than operating in silos;
- continuing education about the developing risks and response options; and
- being aware of what decisions might need to be made in a hurry (including whether to pay a ransom).
In-house counsel are uniquely placed to help their business understand and manage cyber risks. They should help directors and key executives understand the changing legal landscape related to cyber risk in Australia and ensure that key stakeholders are regularly re-evaluating whether appropriate time and resources are being allocated to establishing data protections before breaches occur.
This extends to considering whether a Cyber Incident Response Plan should be put in place. Such a plan would usually establish a Cyber Incident Response Team with well-defined roles and responsibilities allocated to both internal staff and external providers (e.g. legal advisors, forensic IT consultants, and public relations specialists). We would also expect a Cyber Incident Response Plan to identify steps to be taken in the event of a cyber incident such as:
- containment - gathering as much information as possible in relation to the actual or suspected breach while preserving logs and other forensic evidence (which the investigation and any later notification decision will depend on); taking immediate steps to contain the incident (e.g. by isolating affected systems from the network); notifying relevant internal stakeholders and implementing the pre-agreed communications plan;
- eradication - eliminating the root cause of the breach; removing any foothold the attacker has left behind (e.g. rogue accounts or compromised credentials); ensuring system integrity through patching and closing the network off from the attacker before safely restoring systems from known-good backups;
- remediation - for data breaches which compromise personal information, considering whether serious harm has occurred or is likely to occur to any individual as a result of the breach. This analysis will inform whether affected individuals and relevant bodies (such as the Office of the Australian Information Commissioner) need to be notified under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth). Read our article for further information about notification obligation requirements.
An organisation could also consider the following work streams, which might assist it to become cyber-ready:
- conducting an audit of data and confidential information;
- conducting a security audit and rectifying key information and communication technology gaps and system vulnerabilities;
- ensuring staff have completed best practice cyber security training, including in relation to business email compromise and phishing threats (as a large share of incidents begin with a person being deceived rather than with a technical flaw being exploited);
- implementing management and governance training including in relation to obligations arising under the Corporations Act and other licensing requirements; and
- investigating cyber insurance, including whether it is included in general business insurance and whether it covers loss beyond the cost to repair damage to the system (for example business interruption, notification and investigation costs, and third-party claims).