Anyone who has engaged with a ‘professional’ board — be that of a listed corporation, not-for-profit, small business or startup — knows that directors qualified through the Australian Institute of Company Directors’ (AICD) training programs have a well-developed concept of risk management. So it is stunning to see some of the most qualified boards in this country failing on this very simple task.
Before we get to the law, let’s review a few recent events. The most significant of these events is last year’s cybersecurity breaches, which saw large amounts of customer data extracted from Optus and Medibank and posted to the so-called ‘dark web’ in the latter case.
For comparison, we will also consider the unfortunate circumstances confronting passengers on Jetstar flight JQ30 from Bangkok to Melbourne on Sunday, 26 February. The story is simple, a flight from Bangkok to Melbourne diverts to land in Alice Springs due to a medical emergency on board. Once it landed, an electrical fault required a replacement part from Sydney. Because Alice Springs is only a domestic airport, passengers were not allowed to disembark until after six hours when the electrical system failed. Only at this point were barely adequate arrangements made.
The Albanese government has partially responded to corporate data hacking by releasing an Australian Cyber Security Strategy discussion paper. The politics of this will always get messy. Labor is accusing the previous government of inaction; the opposition accuses Labor of being too slow to act and warning of government overreach. But these discussions miss the critical point, what is the responsibility of business?
Andy Penn, the former Telstra chief executive, is the chair of the expert advisory board assisting the minister in developing the strategy. Speaking on ABC radio, he said, “What further obligations do businesses have in terms of minimum cybersecurity standards and also notifying government when there is an incident and what further powers might government require to step in?”.
Later he added, “You could argue that things like the corporations law, consumer law and privacy law already implicitly cover cybersecurity incidents, but we need to do more to make that more explicit. We’re seeing business really call out saying we need better guidance on what are the minimum standards that we need to meet.”
A good place to start is the AICD publication Directors’ Legal Responsibilities: A handbook for Australian boards. The relevant consideration (outlined in section 6.2) is the requirement for directors to exercise their powers and discharge their duties with reasonable care and diligence. The book states, “The duty requires a director to do what is reasonable in the circumstances to avoid harm to the company that is foreseeable.” The next element is what the book calls “the irreducible core,” which means “to be involved in the management of the company and to take all reasonable steps to be in a position to guide and monitor.”
This then brings us to risk. The book describes this as “the duty of care requires a director to do what is reasonable in the circumstances to avoid the company suffering a harm that is foreseeable. The relevant risks are the ones that are foreseeable at the time the directors act (or fail to act), not with the benefit of hindsight.”
Returning to the cases of Optus and Medicare, was it foreseeable to the directors that there could be a cybersecurity risk? The event they faced, extraction of data, is really at the lower end of the risks they could face — it is far more damaging if data is deleted or overwritten, or worse, that code is overwritten. Was the extraction of data harmful to the company? It certainly constituted reputational harm; in one case, the company had to choose between increased reputational harm and financial harm (from extortion).
The only question remaining is the link between the two. How much of this is the board’s direct responsibility, and how much is it management’s? Unfortunately, the case law tends to focus on financial reporting and the obligation of the board to do more than just note the accounts and auditor’s reports. The same obligation exists with operational risk. The skill is for directors to be “in a position” to “guide and monitor” without stepping over the line into “micro-management”. It is, however, presumably because directors have these skills that they get the rewards that come to them.
Optus and Medibank seem to have been underprepared not only because such an unsophisticated hack was successful but also because neither seemed to have any strategy to deal with it.
The events that befell JQ30 are really no different. While there were two events — the medical emergency and the electrical fault — the landing in Alice Springs could easily have been caused by an inflight fault that resulted in the same circumstances. The relevant board, in this case ultimately Qantas, was equally responsible for ensuring a risk management regime for this kind of event.
Now, one of the possibilities with risk management is to decide to “bear the risk”. Once again, however, events seem to reveal a lack of preparedness to manage the situation that would be expected if that was the decision.
So while I do agree with many in corporate Australia that there needs to be greater cooperation between government and businesses in managing our cyber border, including the notification regime and the ability of government to intervene, Andy Penn is wrong to think Australian business needs further guidance on “minimum security standards.”
The obligations of directors are already clear; making them explicit or establishing external frameworks for compliance monitoring will only add additional costs without improving standards.
The more fundamental concern is whether, when boards of directors sit down and undertake their review of risks, do they focus on protecting the company or themselves.
Do you know more? Contact James Riley via Email.
Terribly narrow definition of “harm” in this piece that completely excludes the true harm of most breaches – that caused to the individuals whose data was exposed. In the case of medibank, which involved highly sensitive health info, this was severe.
This kind of prevailing myopia about what’s at stake (it’s not just “reputational harm or financial harm” for the business) is at the core of much of the problem.
Thanks Max, could you please come back to us with one (1) example of “sensitive health info” being used to harm one (1) person? We need a new “evidence based”‘ strategy and are trying to understand “what’s at stake”. Thanks mate, one (1) will be enough.