With so much noise about cybersecurity, what are your risks as a director or business owner?
In the digital age, the responsibilities of company directors in Australia have expanded significantly, particularly in the areas of cybersecurity and data protection. Directors are increasingly held accountable for the cybersecurity measures adopted by their companies. This article explores the concept of directors’ liability, the implications of notifiable data breaches, and the role of cyber insurance in mitigating risks.
Directors' Liability
In Australia, directors are legally obligated to act with due care and diligence, a mandate enshrined in the Corporations Act 2001 (Cth). This duty requires directors to consider the cyber risks faced by their companies as part of their corporate governance roles. The Australian Securities & Investments Commission (ASIC) reinforces this by considering cyber risk management as part of a director’s obligation to manage business risks.
If directors fail to adequately manage cybersecurity risks, they can be held personally liable under various statutes. For instance, directors could face penalties under the Privacy Act 1988 (Cth) if their company fails to protect personal information. Moreover, the Australian Prudential Regulation Authority (APRA) standards require directors of financial institutions to ensure that their organisations have robust mechanisms in place to protect against and mitigate information security incidents.
Notifiable Data Breaches
The Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth) is particularly relevant to directors’ responsibilities. This scheme requires entities covered by the Australian Privacy Principles (APPs) to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to any individuals whose personal information is involved.
Directors need to ensure their companies have policies and procedures in place to detect, investigate, and respond to data breaches. Failure to comply with the NDB scheme can result in significant fines and reputational damage. Directors, therefore, must oversee the creation and implementation of effective data breach response plans to mitigate the risks of penalties.
Cyber Insurance
To further protect against cyber risks, many Australian companies are now turning to cyber insurance. Cyber insurance policies can cover a variety of expenses associated with data breaches, including legal fees, forensic costs, and costs related to managing the crisis and recovering lost data. Importantly, these policies can also cover regulatory fines and penalties which could be levied on the company.
However, directors should be aware that simply having cyber insurance is not enough to fulfill their legal obligations. They must also show that they have taken proactive steps to manage their company’s cybersecurity risks. Insurance should be part of a broader risk management strategy that includes regular risk assessments, staff training, and the implementation of effective cyber defense measures.
*This is not legal advice and should not be considered as such. Please seek out the expertise of lawyers specialising in this space or insurance brokers when considering your liabilities.