An Outline of Australia’s Board Director Cyber Liability Policies

20 Mar / 2023

Cyber Security

Board Members and Directors can avoid harsh penalties by understanding what’s required of them.


When the Australian Cyber Security Strategy was released in 2020, it sent murmurs through the industry, however, penalties were rarely enforced. More recently, as governing bodies crack down on non-compliant businesses, Board Members and Directors need to remain vigilant over the personal and professional implications of these legal obligations.

If you sit on the Board of an organisation with an annual turnover of $3 million or more, you are now personally responsible for maintaining its compliance with the updated cybersecurity legislation such as the Notifiable Data Breaches scheme, Security of Critical Infrastructure Act and the Privacy Act.

The best-case scenario for anyone that continues to ignore this change is a hefty fine for the business. Hefty here means anything up to $50 million. Here is a comprehensive summary of the new legislation and what it means for Board Directors.

What Does Personal Liability Mean?

If being responsible for a corporate fine of up to $50 million is the best-case scenario, what’s worse? Directors and Board Members being held personally responsible means individual ramifications, including large financial and legal penalties.

This could mean fines ranging from $444,000 to $2.5 million. It could also mean removal from the Board entirely and suspension from sitting on others in the future. But, still, financial implications are not the worst-case scenario.

Perhaps the most concerning update is that Board Directors can now be sued by shareholders, with extreme cases of negligence leading to a potential prison sentence. This applies where misconduct around security compliance leads to a drop in share price.

Notable examples of recent crackdowns by the Australian Securities and Investments Commission (ASIC) include GetSwift Board Members Bane Hunter and Joel Macdonald. Hunter and Macdonald were fined AUD 2 million and AUD 1 million, respectively, and were also disqualified from managing corporations for 15 and 12 years, respectively.

Why Have These Changes Been Made?

Between high-profile cases such as Optus and Medibank, it’s clear that Australia is becoming increasingly aware of the dangers of substandard security efforts. The public – along with government and regulatory bodies – are nervous about the state of their data.

Boosting Australia’s cyber-resilience, and specifically data protection, is the main driver of this policy change, according to CPA Australia. Despite the introduction of substantial penalties, the government appears to be favouring a preventative approach over one driven by scare tactics.

It’s also likely that this policy change is influenced by the tendency of large corporations to under-report security incidents. That’s good news for Board Members that prioritise security but it intends to penalise dishonest or unreliable Directors.

Learn your responsibilities and you won’t have to worry.

What are Your Legislative Corporate Responsibilities?

Board Members of large businesses (generally over 200 employees) are legally required to take reasonable care and diligence to ensure that cybersecurity legislation is followed. Small and medium enterprises have separate guidelines, as do not-for-profits.

At least one Board Member should understand the technical aspect of cybersecurity enough to liaise with security leaders in the business. It is your responsibility to ensure the organisation has a robust security strategy in place, as well as adequate systems and resources in order to protect the network. 

What that looks like varies by industry and even within niches, but it is up to you to seek guidance, internally or externally, in order to maintain security compliance. Generally, regulatory responsibilities include consistently reporting relevant incidents, holding adequate insurance coverage and maintaining an effective security strategy across the entire IT infrastructure.

How to Maintain Security Compliance

While ignorance will not excuse Board Members from liability, the main concern is deceptive behaviour and misleading conduct in such instances as deliberate non-reporting of cybersecurity incidents. That said, it is your responsibility to know enough about your organisation’s security posture that the team can act to effectively prevent an attack.

To ensure your organisation is compliant, you need some understanding of the cybersecurity legislative requirements and what systems, strategies and solutions can help you meet those requirements. You also need an in-depth understanding of the Australian Cyber Security Strategy, and how to report compliantly to governing bodies.

This can be overwhelming for Board Members and Non-Executive Directors without a deep knowledge of the industry. Engaging a managed security service partner like Cythera can help make regulatory compliance straightforward.

Cythera’s Managed Security Service

Powered by Netskope, Cythera takes a human-led approach to security management, embodied by the senior technical analyst and expert cybersecurity strategists that sit as part of your organisation. Cythera works closely with you and your organisation to ensure full regulatory compliance and optimal protection from data breaches.

For more information on how Cythera guides Board Members and Executive Directors and provides cybersecurity protection for hundreds of Australian organisations, please contact us.
