How managers should confront cyber risks due to increased liability
In light of “the most immediate and financially material sustainability risk that organisations face today”, there are numerous ways that Australian law firms can and must respond.
In its Global Bank Review 2022, Herbert Smith Freehills (HSF) explored the intersection between cyber threats and manager liability.
Statistics show that nearly half of chief executives globally see cyber threats as a challenge to their organisation’s growth prospects; of these CEOs, 62 per cent are concerned about the impact on their ability to sell products and services, 56 per cent on their ability to innovate, and 19 per cent on their scope to raise capital.
The report highlighted that lawmakers and regulators in all sectors are increasingly placing responsibilities for cyber security upon individual directors and senior managers to achieve effective governance.
The federal government announced last week that it would impose tougher penalties for serious data breaches, raising the maximum penalty for serious or repeated privacy breaches from $2.22 million to the greater of $50 million or 30 per cent of a company’s adjusted turnover in the relevant period.
This invites the question of how organisations can achieve effective governance of cyber security.
Many firms are responding by taking steps to increase cyber expertise at board level.
For organisations generally, directors and senior managers will be expected to build awareness of relevant developments and carry out periodic threat assessments.
They will be expected to ensure cyber security has adequate resources and is appropriately deployed, along with ensuring policies and procedures for controlling daily operations are implemented, controlled, and policed.
Directors and senior managers will also have to consider cyber risk in decisions about expansion or restructuring. The report noted that HSF is starting to see corporate deals fall through because of poor cyber security.
Increasingly, the measure by which directors and senior managers will be judged is how well they handle the response to a cyber incident.
Correct management of cyber security requires integrating teams across the business and mapping its different crisis response plans against each other, the report noted.
When it comes to reporting an incident, it is easy for missteps to occur that put individuals in breach of their obligations.
There are pitfalls to be wary of, such as a slow or partial response that results in customer detriment or market impact, or failing to keep the regulator informed.
In many jurisdictions, notification of a cyber incident must be prompt — in some instances, within an hour.
Good governance of public statements is also important, the report highlighted; for instance, misleading communications to customers or markets about recovery from a ransomware attack can create further exposure.
Pleadings in a recent US securities class action include an allegation that a company “intentionally minimised the breach and failed to disclose that attackers had gained administrative access to the servers”.
Individuals should take time to familiarise themselves with new requirements in the jurisdictions in which they operate and ensure they are fully equipped to ask the right questions, the firm suggested.