Directors' Duties

Overview

  • Directors of corporations are subject to a series of duties owed to the company, shareholders and others that arise primarily under the Corporations Act 2001 (Cth) as well as at common law and in equity. For directors of publicly listed corporations, additional duties may arise under continuous disclosure obligations.
  • Other laws and regulations may apply to directors and the exercise of their duties, depending on the subject matter (eg notifiable data breaches under the Privacy Act 1988 (Cth)) or industry sector (eg information security obligations of financial institutions under the Banking Act 1959 (Cth)).

Background

Australian Prudential Regulation Authority

  • Under APRA Prudential Standard CPS 234: Information Security (APRA CPS 234) the board of directors of an APRA-regulated entity (including all banks and financial institutions, general insurers and private health insurers) is responsible for:
    • ensuring the entity maintains information security (and an information security capability) in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity; and
    • clearly defining the information security-related roles and responsibilities of the board of directors, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.
  • There are additional security obligations for entities in the financial services sector in existing APRA prudential standards and practice guides relevant to cyber security. These include a requirement to notify APRA of material information security incidents.

Australian Securities Exchange (ASX)

ASX Listing Rules

  • Under ASX Listing Rule 3.1, a listed entity must immediately report to the ASX any market-sensitive information that could have a material effect on the price or value of the entity's securities (as soon as it is aware, or ought reasonably to have been aware, of that information).
  • Section 677 of the Corporations Act 2001 (Cth) requires that the information would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of them. A listed entity must form a view, considering all surrounding circumstances, of whether the direct and indirect effects of a data breach satisfy this test before notifying the ASX.
  • Both ASIC and the ASX can institute punitive and enforcement measures when an entity breaches its continuous disclosure obligations. See Memorandum of Understanding between Australian Securities and Investments Commission and ASX Limited ABN 98 008 624 691 (28 October 2011).
  • A court will generally examine the reaction of the market when considering whether an entity breached its continuous disclosure obligations: see Grant-Taylor v Babcock & Brown Limited (In Liquidation) [2015] FCA 149.
  • See ASX Listing Rules:
    • Chapter 3: Continuous Disclosure
    • Guidance Note 8: Continuous Disclosure: Listing Rules 3.1-3.1B

ASX Corporate Governance Principles and Recommendations (February 2019)

  • Recommendation 7.2 requires a board of directors/committee of the board of a listed company to review its risk management framework annually and satisfy itself that it ‘deals adequately’ with risks including cyber security, privacy, and data breaches. The ASX Corporate Governance Principles and Recommendations are not mandatory for listed companies, but if not followed the board must disclose why not.

Australian Securities and Investments Commission

Corporations Act 2001 (Cth)

Banking Act 1959 (Cth)

  • Under Part IIAA of the Banking Act 1959 (Cth), authorised deposit-taking institutions (ADIs) must nominate one or more 'accountable persons' (either a director or another appropriate senior executive) who are responsible for the conduct of the financial institution's regulatory compliance and for reporting to the Australian Prudential Regulation Authority.

Privacy Act 1988 (Cth)

  • Under Part IIIC of the Privacy Act 1988 (Cth), organisations with an annual turnover exceeding $3 million (plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients) are subject to the Notifiable Data Breach Scheme. These organisations must promptly inform individuals whose personal information has been affected by a data breach that is likely to cause serious harm.
  • A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost, and a reasonable person would conclude that this is likely to cause serious harm (or a risk of serious harm) to affected entities.
  • An affected organisation must undertake a reasonable and expeditious assessment, report its results to the Office of the Australian Information Commissioner (OAIC) within 30 days, and distribute these details to the people at risk of serious harm.
  • Part VIB of the Privacy Act 1988 (Cth) contains penalties for non-compliance and gives the Commissioner investigative powers. These actions are available against the relevant business entity and against those ‘knowingly concerned,’ such as directors or management.

Case Law

  • Recent case law demonstrates the growing importance (and accountability) of cyber security for company directors, although to date the issue has rarely been litigated in Australia. Rofe J’s judgment in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 is relevant in showing potential judicial attitudes, although limited in direct effect as the orders were made by consent. However, the increase in litigation in the United States has raised concern amongst scholars that significant Australian litigation against directors for failure to implement adequate cyber security systems is likely only a matter of time.

Criminal Law

  • The Criminal Code Act 1995 (Cth) sch 1 criminalises computer intrusions, unauthorised modification of data, denial of service attacks, the creation and distribution of malicious software, and dishonestly obtaining or dealing in personal or financial information, among many other offences ranging in severity, application, and punishment. For more details, see Computer-Based Crime.
  • The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019, which came into effect on 6 April 2019, added new offences to the Criminal Code. Offences that apply to hosting service providers include the failure to notify the Australian Federal Police within a reasonable time about material relating to abhorrent violent conduct in Australia; and failure to remove access to the content. These offences create an independent incident reporting regime that applies to the cloud computing sector.

Regulatory & Policy Framework

Duty to Report Cyber Security Incidents

  • The Australian Cyber Security Centre (ACSC) defines a cyber incident as ‘an unwanted or unexpected cyber security event, or a series of such events, which have a significant probability of compromising business operations.’
  • A number of different bodies set out requirements and guidelines for reporting cyber security events, adding to the complexity of this regulatory space. Notable inconsistencies include the type of information required to be reported and the timing of reporting. Contractual obligations may add to the complexity in circumstances where customers can articulate their own timelines and requirements.

National

  • Australian Cyber Security Centre (ACSC)
    The ACSC is the lead Australian government agency for cyber security, and operates as part of the Australian Signals Directorate. The ACSC provides Cyber Incident Response Plan Guidance and a Template for all Australian organisations, with guidelines for developing their own incident response plans. No specific timeframes for reporting are mentioned in these documents. Reports to the ACSC can be made through its ReportCyber portal.
  • Australian Government Information Security Manual (ISM)
    The ISM, produced by the ACSC, outlines a cyber security framework that an organisation can apply to protect its systems and data from cyber threats. It uses a risk management framework that includes protection of the cyber supply chain. Cyber security incidents, including unplanned outages, must be reported to an organisation’s Chief Information Security Officer (CISO), or one of their delegates, as soon as possible after they occur or are discovered. Incidents should then be reported to the ACSC.
  • Australian Prudential Regulation Authority (APRA) CPS 234
    Under section 35, incidents must be notified to APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident, or 10 days after becoming aware of a security weakness. The Board and senior management of the organisation must also be notified.
  • Cyber Incident Management Arrangements for Australian Governments (CIMA)
    CIMA comes into play for cyber security related crises, or crises with a cyber security element. While CIMA provides Australian governments with guidance on how they will collaborate in response to, and reduce the harm associated with, national cyber incidents, it does not override existing incident response management arrangements of different levels of governments unless circumstances demand it. CIMA encourages all Australian governments, business and the community to report cyber incidents to the ACSC.
  • Privacy Act 1988 (Cth)
    Obligations under the Privacy Act and the Notifiable Data Breaches scheme are as discussed above.
  • Protective Security Policy Framework (PSPF)
    This framework, managed by the Attorney-General’s Department (AGD), consists of a series of policies providing security guidelines and requirements for contracted and service providers across Australian government. Annual security status reports must be made to the AGD and the appropriate ministerial portfolio. Cyber security incidents must be reported to the Australian Signals Directorate, but additional notifications may also be required to ASIO, the Australian Federal Police, the OAIC and other organisations depending on the nature of the incident. Contracted providers may be required to report security issues even when not immediately relevant to the contract. See for example Policy 5 ‘Reporting on security’ and Policy 6 ‘Security governance for contracted goods and service providers’.
  • Security of Critical Infrastructure Act 2018 (Cth) (SOCI)
    Mandatory reporting of cyber security incidents commenced 8 April 2022. Appropriate action must also be taken to address the incident. Incidents must be reported to the ACSC (who will pass them on to the CISC) within 12 hours for critical incidents and 72 hours for other relevant incidents as defined by the Act. If the initial reports were given orally, then a further 84 hours is given to submit a written report for a critical incident, or a further 48 hours for a relevant incident. Penalties apply for non-compliance.
  • On 6 July 2022, the Minister for Communications made security information obligations requiring carriers and service providers to undertake asset registration and cyber incident reporting. The new conditions import the provisions of the SOCI Act.

State Government

  • NSW Cyber Security Policy
    The policy outlines the mandatory requirements for all NSW government departments and public service agencies to ensure cyber security risks to their information and systems are managed. It applies to agency heads and executives, Chief Information Officers, Chief Information Security Officers (or equivalent) and Audit and Risk teams. It expressly contemplates the imposition of contractual terms on ‘third party ICT providers’ (which would include cloud service providers) mandating compliance with this policy, and in such cases, it requires (amongst other things) terms that require the provider to have an incident notification process and to follow ‘reasonable direction’ from the government agency arising out of incident investigations.
  • QLD Information Security Policy
    This policy provides standards to coordinate reporting and monitoring processes for information security incidents within the QLD government. Incident response activities and threat intelligence must be communicated to the Queensland Government Information Security Virtual Response Team as per the QGEA Information security incident reporting standard. Departments must report immediately any security incident affecting a system with a medium or high business-level impact, or affecting multiple systems or departments. All other security incidents must be reported quarterly.

Relevant Organisations

Industry Materials
