Cybersecurity and AI – O Brave New World

  • Cybersecurity is one of the most important issues facing Australian directors and senior managers
  • Directors and senior managers have personal duties as “officers” in relation to cybersecurity
  • You do not need to be a cybersecurity expert, but you do need to exercise care and diligence, be curious and inform yourself

(Sponsored content)
by John Keeves, Partner, Johnson Winter Slattery

Cybersecurity is one of the most important issues facing Australian boards and senior management. This is unlikely to change for the foreseeable future, if ever. Indeed, with the expansion of AI across the Australian economy, cybersecurity will only become more important: AI substantially expands the cybersecurity “attack surface”. In other words, every AI model, integration and data pipeline a business adopts is another system that can be misconfigured, poisoned or abused. Moreover, greater reliance on AI for business processes means that a serious loss of AI availability due to a cyberattack may have a devastating effect on the operational capabilities that have come to depend on it.

So what does the average non-technical director or senior manager do? We can’t all become cybersecurity experts, can we?

Officers’ duty of care and diligence – what does it mean?

Directors and senior managers are, generally speaking, “officers” of a company under the definition in the Corporations Act 2001 (Cth). This means that they have a statutory duty (section 180) to exercise care and diligence in the exercise of their powers and the discharge of their duties. ASIC, the corporate regulator, can seek substantial civil penalties and disqualification orders if these duties are breached.

The standard expected of an officer is not perfection. Rather, the question is what a “reasonable person” would do (or not do) in the officer’s position in the circumstances of that company. The minimum requirement is an objective test, but if the officer has, or purports to have, special skills, they will be held to a correspondingly higher standard. For example, more will be expected of a chartered accountant in relation to matters of finance and accounting, and the same logic applies to a director appointed for their technology or cybersecurity background.

The standard of a “reasonable person” is affected by community expectations, and as a general rule the community (and hence judicial) expectations of officers have increased over time. This apparently inexorable trend can be observed by looking at the decided cases over time, from the Marquis of Bute’s Case (1892), through Re City Equitable Fire (1925) and AWA (1995), to Centro (2011) and Cassimatis (2020). I expect that future decisions, particularly decisions emanating from ASIC’s current civil penalty enforcement proceedings against directors and other officers, may show a further heightening of expectations. It certainly would not be surprising.

On the topic of ASIC enforcement, it is worth noting that ASIC may take proceedings against officers if they have exposed the company to harm through not doing enough to prevent the company from breaching the law. In this regard, the significant penalties under the Privacy Act 1988 (Cth) for a serious or repeated interference with privacy need to be kept in mind: for a body corporate, the greater of $50 million, three times the value of the benefit obtained from the contravention, or 30% of adjusted turnover in the relevant period. In addition to reputational harm, it is foreseeable that a serious data breach could harm the company through such a penalty being imposed.

It is clear enough that officers need to have a curious and questioning approach when it comes to important risks facing the company (we call them “mission critical risks”). Officers must be proactive and monitor those risks, rather than being reactive and simply picking up the pieces. So it stands to reason that officers must be proactive when it comes to cyber risk.

Some businesses and officers will have heightened obligations. For example, the broad range of businesses subject to the Security of Critical Infrastructure Act 2018 (Cth) have additional obligations and their boards have to sign off on reports. APRA regulated entities (banks, insurers and super funds) likewise are subject to additional prudential requirements.

But we can’t all be cyber experts, can we?

Certainly, a typical non-expert director can rely on management and outside experts, although they should not do so blindly. They need to satisfy themselves of the competence and expertise of any given expert, and critically examine (make an “independent assessment” of) any advice or information presented by management or an outside expert.

Not everyone needs to be an expert, or even try to be. But does an officer need to gain a working understanding of the IT systems that the business relies on, the cyber threats posed to those systems and a sufficient understanding of cybersecurity to make an informed assessment of whether the company is doing and spending enough?

In my view, technology has advanced so much in the past forty years (say, since the introduction of the PC) that it has become all but pervasive. It is hardly an exaggeration to say that just about every business is a technology business. At the very least, almost all of us are totally reliant on technology and telecommunications to run our businesses, no matter what we do.

This information technology revolution has been, when you step back and think about it, as much a seismic shift as the industrial revolution. And it is only accelerating in 2024 due to AI.

My point is that technology is now inherent in business. Perhaps with some exceptions, if you do not understand technology you do not understand business. But certainly if you do not understand your critical technology you do not fully understand your business. And undoubtedly, if you do not understand your critical technology risks you do not understand your critical business risks.

And, in my view, you cannot properly supervise what you do not understand. So whether there is strictly a duty implied by section 180 of the Corporations Act to understand technology in order to discharge their officer duties or not, a director or senior manager will be well advised to ensure that they fully understand the risks presented by the critical technology relied on by their business.

I should add, at this point, that a cyber breach of your business is virtually inevitable. It is quite possible that you have already been breached and do not know it. Industry breach studies consistently report that the time between an intrusion and its discovery is typically measured in months, and sometimes it takes years.

So the point is detection, response and resilience. Or put more simply – preparation. Make sure your business can detect an intrusion early, withstand the inevitable cyber attack and recover from it.

A prudent person in the management of their own affairs

Directors (and officers) are not expected to act like trustees. That much has been made clear by the case law. Directors (and officers) are expected to take business risks, and the Courts should not, and generally do not, second guess them when it comes to business decisions. This can be drawn from the case law and the “business judgment rule” in sub-section 180(2) of the Corporations Act.

But there is one aspect of the law of trustees and fiduciaries that may be apposite to officers at this point. A fiduciary is required to act as a person of reasonable prudence, intelligence and discretion would act in the management of their own affairs. There is no reason in my mind why this description should not be applicable to a director or officer, having regard, of course, to the fact that they are running a business and are expected to take calculated business risks.

Now we are all subject to personal and domestic cyber risks. We all know, for example, that multi-factor authentication is a good idea for our personal online accounts. We all know that we should be backing up our data. We all know (or should know) that clicking on links in unexpected emails is a very bad idea.

So my point is that a basic working knowledge of cyber security should be expected of any prudent business person. So prudent business people who are directors or officers should be able to ask some basic questions about their company’s cybersecurity without needing to be an expert.

For example, do we use enterprise-wide multi-factor authentication? If not, why not? Frankly, in 2024 there is probably no good reason not to. A useful follow-up is whether the MFA in use is phishing-resistant (hardware security keys or passkeys), because one-time codes sent by SMS and simple “approve” push prompts can be phished or worn down by repeated prompting.

Is our sensitive data always encrypted, at rest and in transit? If not, why not? Many serious data breaches could have been averted, or substantially mitigated, if the data had been encrypted. The obvious follow-up is who holds the keys: encryption does little if the same compromised account that reaches the data can also decrypt it.

Do we have backups that are offline or otherwise unconnected to our network (or immutable, so that they cannot be altered once written)? If your network is compromised, connected backups may be compromised too; ransomware operators routinely seek out and destroy backups before encrypting production systems.

Do we regularly test our ability to restore from backups? If the only time you find out that restoring does not work is when you really need it, that could be catastrophic.
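The question above is the one most often answered “yes” without evidence. What a board should expect to see is a recorded restore drill: the backup is restored into a clean environment and every restored file is checked against a manifest of hashes recorded when the backup was taken. The following Python script is an added example of such a drill; it is not code from the article or from the author’s firm. The files it backs up are constructed sample data, and the two fault modes it simulates (a backup job that silently skipped a file, and an archive damaged after it was written) are hypothetical.

```python
"""Restore drill: prove a backup restores cleanly and matches a hash manifest.

Added example, not code from the article. All file names below are constructed
sample data; in practice point it at a real backup archive and a manifest
recorded when the backup was taken.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample dataset standing in for a business's files.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2024-07-01,1200.00\n",
    "hr/staff.json": b'{"staff": ["alice", "bob"]}\n',
    "ops/runbook.md": b"# Restore runbook\n1. Locate the offline backup\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Archive src and return the manifest recorded at backup time.

    Store the manifest separately from the archive (ideally offline with the
    backup media); an attacker who can alter the backup must not be able to
    alter the record it is checked against."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: Dict[str, str],
                       dest: Path) -> Tuple[bool, List[str]]:
    """Restore archive into an empty dest and check it against the manifest.

    Returns (ok, problems); ok is True only if every file restored intact and
    nothing unexpected appeared."""
    try:
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" extraction filter (Python 3.12, backported to 3.8.17+)
            # refuses path-traversal members; skip it on older interpreters.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
    except Exception as e:  # any failure to restore is itself the drill's finding
        return False, [f"restore failed: {type(e).__name__}: {e}"]
    restored = build_manifest(dest)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in restored.keys() - manifest.keys():
        problems.append(f"unexpected: {rel}")
    return not problems, sorted(problems)


def run_drill(fault: Optional[str] = None) -> Tuple[bool, List[str]]:
    """End-to-end drill on the constructed dataset.

    fault=None: healthy backup.  fault="drop": the backup job silently skipped
    a file.  fault="truncate": the archive was damaged after it was written."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, archive, dest = base / "src", base / "backup.tar.gz", base / "restore"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        manifest = create_backup(src, archive)
        if fault == "drop":
            (src / "finance/ledger.csv").unlink()
            with tarfile.open(archive, "w:gz") as tar:  # a faulty re-run of the job
                tar.add(src, arcname=".")
        elif fault == "truncate":
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        dest.mkdir()
        return restore_and_verify(archive, manifest, dest)


if __name__ == "__main__":
    for fault in (None, "drop", "truncate"):
        ok, problems = run_drill(fault)
        print(f"fault={fault!r}: {'PASS' if ok else 'FAIL'} {problems}")
```

The point of the drill is the second half, not the first: anyone can produce an archive, but only a restore into a clean environment, compared file by file against an independently stored manifest, shows that the backup would actually save the business. Run it on a schedule and keep the output; that record is what a director can reasonably ask to see.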

This is all, really, applied common sense and requires, in 2024, no great level of cybersecurity expertise. What it does require is insisting on evidence for the answers (a report from the last restore test, the proportion of accounts actually enrolled in MFA) rather than accepting a reassuring “yes”.

My point is that a reasonable and prudent director or officer does not need to be a cybersecurity expert to ask intelligent questions informed only by their own experiences of cybersecurity.

The bottom line

That said, please don’t misunderstand my point. You do not need to become an expert. There is no need for directors to learn how to code.

Rather, you should definitely engage experts: just as you would engage expert lawyers, accountants, architects, engineers and software developers, engage suitable cybersecurity experts.

But also, be curious, stay up to date as best you can with developments and the technology that affects and underpins your business – and try to inform yourself about the cybersecurity risks applicable to your business.

Request briefings from management. Ask for presentations from experts. Check your preparedness and recovery plans. Run simulations, including tabletop exercises for the board itself. Understand the data that you hold, ensure that data you no longer need is securely deleted, and ensure that what remains is encrypted. Commission audits.

Above all, remain vigilant. Avoid complacency. Assume your business is a target. Because it almost certainly will be, if it has not already.


Author contact details:

John Keeves
(02) 8274 9520
john.keeves@jws.com.au

John Keeves is a Partner with Johnson Winter Slattery, Co-Head of the JWS Board Advisory and Governance Practice, a member of the Executive and former Chair of the Business Law Section of the Law Council of Australia, and a member and former Chair of the Business Law Section’s Corporations Committee. John is a senior corporate lawyer with more than 30 years’ experience advising on corporate governance, major projects, mergers and acquisitions, venture capital and corporate and securities law, with a focus on large and complex transactions, public markets mergers and acquisitions (including contested takeovers) and equity capital markets.
