Company directors could be held accountable for cyber security failures

Company directors could be held accountable for failing to manage cyber security risks as part of a suite of reforms being considered by government to strengthen the cyber security of the digital economy.

A discussion paper, released by the Department of Home Affairs this week, calls for comment on proposed cyber security governance standards that would be co-designed with industry.

The standards, which could be mandatory or voluntary, would seek to improve cyber security risk management practices in listed companies and other large businesses outside the scope of existing legislation.

They would build on information security requirements for financial institutions under prudential standard CPS 234, as well as forthcoming reform that expand the number of critical infrastructure sectors.

“There is room for cyber security governance standards to be articulated in respect of a wider range of business than… critical infrastructure owners and financial institutions,” the paper states. 

Under the voluntary approach, the government would work with industry to design standards that “describe the responsibilities… and processes for managing cyber security risk”.

The standards would support “the role of company boards overseing cyber security risk, but would not require specific technical controls to be implemented”, the discussion paper outlines.

The government appears to favour such an approach, as it will “strengthen and complement existing director’s duties under the Corporations Act” without creating unnecessary regulatory burden.

“A voluntary standard could be considered by a court when determining whether failures relating to the oversight of cyber risk constitutes a breach of directors’ duties,” the paper states.

But the government remains concerned that industry may not “substantially adopt” voluntary cyber security standards, and that such a regime could create a “tick-a-box compliance culture”.

As such, the government also outlined a mandatory option that would require large businesses not already covered by existing regulatory schemes to “achieve compliance within a specific timeframe”.

While this would result in a greater cyber security uplift, the approach also presents problems of its own, namely the high cost of compliance for businesses and the lack of suitable regulator.

“On balance, a mandatory standard may be too costly and onerous given the current state of cyber security governance and in the midst of an economic recovery,” the government said.

The government is also weighing up using existing regulatory frameworks or releasing guidance to increase responsible disclosure of vulnerabilities.

The discussion paper notes that “adoption of responsible disclosure policies among Australian businesses remains low”, with only five percent of ASX 200 companies currently with such a policy.

Minimum standards for personal information

Another reform outlined in the discussion paper is whether “an enforceable code” needs to be enshrined in existing legislation like the Privacy Act to increase the adoption of cyber security standards.

“Establishing a code under the Privacy Act could drive the adoption of cyber security standards across the economy by creating regulatory incentives for uptake,” the paper states.

“Our intent would be for a code to specify minimum, rather than best practice approaches, and could be a combination of specific and principles-based requirements.”

The government said the code could “target specific kinds of technology, sectors or… data”, though does not see mandating the Essential Eight controls as “realistic”.

Home Affairs minister Karen Andrews said the planned reforms were just one way the “government is taking action to mitigate the real and present danger that cyber crime presents”.

It comes as the Australian Institute of Criminology releases new research that puts the total economic impact of cyber crime in Australia at $3.5 billion in 2019.

“We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” Andrews said releasing the discussion paper.

“I want to make sure Australian businesses – big and small – are secure, and consumers are protected.

“Through this period of consultation, I'm keen to hear from businesses, the critical infrastructure sector, IT experts, and the wider public, about the solutions and mitigations they propose.”