Company directors could be in breach of their duties if their companies fail to adequately deal with cyberattacks, warns Australian Securities and Investments Commission chairman Joe Longo.
This could include the directors of high-profile companies such as Medibank, Optus and consumer finance group Latitude, all of which have suffered damaging, widely publicised cyberattacks over the past year.
“For all boards, cybersecurity and cyber resilience have to be top priorities,” Longo said in a speech to the Australian Financial Review cyber summit on Monday.
“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence,” he said.
ASIC’s research has shown there is often a disconnect between a company board’s oversight of cyber risk, management’s reporting on that risk to the board, and the identification and assessment of risks and how controls are implemented. Longo said this disconnect must be addressed if the board wanted to meet its legal obligations.
“Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties,” he said.
The Office of the Australian Information Commissioner has opened investigations into the cyberattacks on Optus, Medibank and Latitude, which could open the door for ASIC to take legal action. This is on top of potential class action lawsuits over the cyberattacks.
A year ago, Optus revealed that hackers had stolen the personal data of more than 9 million of its customers. Weeks later, Medibank was the subject of a cyberattack in which the data of 10 million former and current customers was stolen, as well as some sensitive customer health records. Latitude also reported it was the victim of a significant cyberattack.