Is Your D&O Team Ready to Deal with Cyber Crime?


A cyber attack happened once every eight minutes in Australia in 2020-21, compared with once every 10 minutes in the previous financial year.

No sector in the economy was immune, according to reports made to the Australian Cyber Security Centre, but because these are only reported breaches, the real rate is much higher.

The centre listed key trends as:

  • Malicious actors exploiting the pandemic environment
  • Critical infrastructure and essential services targeted
  • Ransomware growing in profile and impact
  • Hackers rapidly exploiting security vulnerabilities as soon as they were publicly disclosed
  • Compromised business email and supply chains.

Increasingly, cybercriminals are targeting top executives directly, emailing them threats and ransom demands, or accessing their inboxes, files, and computers to extort or blackmail them.

The total cost of a data breach is getting heftier. It was $2.82M in Australia last year, up from $2.15M the year before, says IBM.

Are your company’s directors and officers up to date enough on digital security to give you confidence that policies and processes will minimise the risks associated with a data breach?

There’s a “lack of guidance” for D&Os about cybersecurity, according to legal luminary David Gonski, reported in The Australian Financial Review in late August. He’s calling for directors to have a new defence when accused of violating their legal responsibilities to prevent cybersecurity breaches.

The growing pressure of cyber on D&O

Despite this, company directors and officers are facing greater regulatory and legal oversight to manage and disclose cyber security issues. They must ensure they have appropriate cyber security measures in place to protect their company’s digital assets.

As well, the Federal Court recently set a precedent for financial services firms to have adequate risk management systems to thwart and manage cyber risks. That also extends to other businesses that are authorised representatives of the licensee. The court ordered the defendant, RI Advice Group Pty Ltd, to pay $750,000 of the Australian Securities & Investments Commission’s (ASIC) legal costs. Read more about the judgment and ASIC’s report on it here.

Therefore, failing to step up to D&O responsibilities opens up risks should a data breach occur, including:

  • Legal and regulatory
  • Shareholder derivative action, or
  • A shareholder suit against D&Os for breaching their fiduciary duty.

What’s the government doing about it?

The Federal Government released its Ransomware Action Plan last October, which introduces a criminal offence for cyber extortion – here’s a link to federal laws that cyber criminals face. Under the plan, the government will mandate that companies with a $10M-plus turnover report ransomware incidents, and has indicated it will boost this regulation, according to law firm Corrs Chambers Westgarth. Paying a ransom may be a criminal offence, and even though there are defences, there’s a lot of uncertainty.

As well, the government has set up a new Australian Federal Police-led multi-agency task force, ‘Operation Orcus’, to target ransomware attacks linked to organised crime groups operating here and overseas. The Federal Department of Home Affairs has also set up the Cyber and Infrastructure Security Centre to actively deal with regulatory moves and partnerships to protect our nation’s critical infrastructure. You can find a comprehensive register of those asset classes here, plus obligations for responsible entity holders or direct interest holders.

The government’s Cyber Security Industry Advisory Committee has issued Locked Out: Tackling Australia’s ransomware threat, which advises businesses to: 

  • Practise good cyber security hygiene, including following the Australian Cyber Security Centre’s Essential Eight
  • Have multi-factor authentication for email security
  • Keep software up to date
  • Continuously train employees about the risks and how to manage them
  • Regularly back up your data
  • Archive data more than 15 months old to reduce the amount of data that could be impacted.

That presumes a high level of cyber expertise and risk management at the board’s and officers’ fingertips.

What are your D&O responsibilities?

For D&Os, managing cyber risks is a core governance issue that comes under a duty of care and diligence, Section 180(1) of the Corporations Act, according to professional services consultancy PwC. However, there haven’t been any significant Australian cases or regulatory prosecutions of D&Os concerning ransomware attacks or preparedness … yet.  

Boards should be actively engaged in managing cyber risks, and can look to ASIC for cyber guidance. Its guidance covers 11 good practices, including:

  1. Board engagement
  2. Responsive governance
  3. Cyber risk management and threat assessment, including reporting notifiable data breaches
  4. Third-party risk management
  5. Collaboration and information sharing
  6. Asset management
  7. Cyber awareness and training
  8. Protective measures and controls
  9. Detection systems and processes
  10. Response planning (critical infrastructure and data protection system), and
  11. Recovery planning.

It’s worth pointing out that businesses should have appropriate contracts and processes in place to make sure their suppliers, service providers and sub-contractors also meet cyber security requirements.


Don’t overlook cyber insurance

You might assume your existing directors’ and officers’ liability insurance should cover you for cyber risks, but please check with us for peace of mind.

Cyber insurance provides cover for financial loss and expenses that businesses may suffer as a result of a cyber event, including cyber attacks from malware or other invasive software, cyber extortion and social engineering. Claims covered under a cyber policy are very broad, but typically fall into three core areas: Liability (privacy lawsuits and regulatory defence), Internal Financial Loss (extortion, notification expenses, data recovery, business interruption, crime/theft), and Emergency Incident Response (costs incurred from responding to a cyber event).

The good news is you can minimise your cybersecurity risk profile with the above strategies and tailored insurance. Our advice is that premiums are rising. The more you tighten your internal processes to manage your cyber risks, the stronger your application will be for a new policy or a renewal, helping you obtain more favourable terms.

The advice on this website is general in nature and has been prepared without taking into account your objectives, financial situation or needs. You must decide whether or not it is appropriate, in light of your own circumstances, to act on this advice. You should ensure you obtain and consider the Product Disclosure Statement for the policy before you make any decision to acquire it.

Content created and provided by ONEAFFINITI, LLC