AWS, Telstra, L'Oreal Australia line up against cyber security director liability plan

A government plan to hold company directors accountable for failing to manage cyber security risks has garnered little industry support, with AWS, L’Oreal and Telstra particularly critical of any imposition of specific cyber security duties on directors.

The proposal, shopped in July, could see either voluntary or mandatory cyber security governance and accountability standards applied to companies and directors.

The government at the time appeared to favour a voluntary scheme, co-developed with industry, and this appeared to also be the most palatable option for industry as well, if such action is to proceed.

However, several large companies warned that specific cyber security directorial duties were unlikely to improve board-level oversight of cyber security risks and may actually lead to conflicts of interest.

“Mandatory cybersecurity governance standards or specific director’s duties will do little to improve [the] knowledge gap [of knowing that there is a risk and knowing how to address that risk,” Amazon Web Services (AWS) A/NZ said in a submission. [pdf]

“At its core, cybersecurity is a business risk and is already part of a director’s existing duties. 

“Instead, we believe company directors, senior executives, and other responsible office holders need education and support to understand how to effectively manage their cyber security risks.

“A voluntary code may assist directors in making more informed investment decisions, but we caution against overly prescriptive codes that emphasise compliance with prescriptive technical controls at the expense of a holistic risk management strategy.”

Cosmetics maker L’Oreal Australia - perhaps a surprise submitter - went further and sought protection for directors that are forced to confront active cyber attacks and ransom demands.

Its legal counsel for privacy and data protection Jessica Amos recommended “that the government considers the introduction of safe harbour laws for directors and officers of companies that are the victim of a ransomware or similar attack and decide not to pay any ransom, where the company has acted reasonably with regard to its cyber security position.”

“We believe that any measures taken by the government in relation to cyber security should consider the impact of penalising companies that are themselves victims of a cyber incident,” L’Oreal Australia said. [pdf]

“Directors and officers are often placed in conflicting positions, whereby the crush of time pressure may push an interpretation of their duty to the company to force the payment of ransoms to avoid potentially disastrous consequences. 

“We acknowledge that from a moral, ethical and long-term perspective, the right choice may be to refuse to pay the ransom to discourage further attacks.

“This can happen even to organisations that have carefully invested in and appropriately managed their cyber security postures.

“By providing directors and officers with certainty that any decisions to refuse to pay a ransom will not result in personal liability, the government can help elevate the public policy imperative of not paying ransoms. 

“This will remove the incentive for ransom attackers to continue operating by limiting the potential negative consequences for those companies that have behaved appropriately and yet were still the unfortunate victims of a criminal attack.”

Telstra, meanwhile, saw existing directorial duties as reason enough for boards to be suitably across cyber security risks.

“Directors and officers of listed companies need to understand and continually reassess existing and emerging risks that may be applicable to the company’s business,” Telstra said. [pdf]

“These existing obligations and liabilities are sufficient and provide appropriate enforcement mechanisms.

“The generic (and principles-based) approach of director’s obligations provides an appropriate, and sufficiently flexible framework to assess cyber security risks and their appropriate mitigations.

“We believe there is a role for government in producing clear guidance on how company directors should consider cyber risk and in developing some ‘best practice’ approaches to mitigating cyber risk.”

Other major tech players, including Facebook, IBM and Google, backed voluntary standards set with industry cooperation, and that were “flexible” enough to meet the evolving nature of the cyber security domain.