Cyber-attacks on Australian businesses have grown in both quantity and sophistication in recent years, but many companies and their directors are still precariously vulnerable to costly breaches.
Cybercrime costs the Australian economy about $3.5 billion a year, according to The Australian Institute of Criminology, and Australians spend $597 million annually dealing with the consequences of cyber-attacks.1 The World Economic Forum’s Global Risk Report 2021 ranks cybersecurity fourth in the top short-term risks facing global entities, coming in behind extreme weather events, infectious diseases and livelihood crises.2
Among the most pernicious cyber breaches are ransomware attacks, in which criminals encrypt a company's data and systems and withhold the decryption key, and increasingly also steal sensitive information and threaten to publish it, unless a large sum is paid.
The growing spate of cyber-attacks, enabled by increasingly accessible malware, has hit some of the nation's biggest corporate names, including BlueScope Steel, Lion Dairy and Drinks, and Nine Entertainment. Several hospitals, not-for-profits and aged care homes have also been targeted.
These attacks cripple an organisation financially and reputationally, and may also disrupt supply chains and logistics. In June, the international meat processing behemoth JBS Foods was forced to halt operations at its 47 sites across Australia because of a ransomware attack, and the company eventually paid the criminals $14.2 million to prevent the exfiltration of its data.3
Worryingly, successful ransomware attacks may have a devastating impact on company directors, causing the business’s stocks to plummet in value and aggrieved shareholders to seek compensation.
In the US and Canada in particular, shareholders have already lodged class actions for damages after ransomware attacks, joining consumers and financial institutions in their bid for significant restitution — often in the millions of dollars.
In a high-profile example, Yahoo shareholders in the US brought a class action against the company, alleging it had made false and misleading statements regarding the business's operational and compliance policies. The case centred on a drop in the company's share price following a series of data breaches, and the case eventually settled for an eye-watering $80 million.
Also in the US, Target shareholders filed lawsuits against Target's board, alleging that the directors had failed to protect the company from a breach in which hackers stole the credit and debit card information of 40 million customers. The shareholders' class action was ultimately dismissed; however, aggrieved financial institutions and consumers received substantial settlements.4
Mounting pressure on directors
While shareholders are yet to launch a successful class action of this kind in Australia, when you consider the growing incidence of international shareholder litigation, the surge in ransomware attacks and our meagre cyber-security defences, it is likely we will witness similar litigation here.
Class actions will have a perverse 'double whammy' effect on companies, which are forced, in the first instance, to pay exorbitant sums to hackers to recover their encrypted files and prevent the release of sensitive information. The second blow comes when the ransomware attack is made public and the share price slumps, prompting shareholders to seek damages.
The Federal Government has already signalled its interest in increasing the liability of company directors, with a discussion paper on cyber-security reforms floating new standards to make directors personally responsible for cyber-attacks.5
It is yet to be determined whether the new cyber-security proposal for directors would be mandatory or an opt-in scheme. Under the opt-in approach, the new standards could be written into the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, which would compel companies that declined to sign up for the standards to explain their reasoning to shareholders.
Furthermore, the Critical Infrastructure Bill, which allows the Government to designate large companies as ‘critical infrastructure’ in emergencies and intervene in the case of cyber-attacks, is further indication of the Commonwealth’s determination to stem the tide of financial losses from cyber-attacks and shine a spotlight on the governance of cyber security.
While in the past there was no legislative requirement to notify individuals of cyber breaches, the mandatory data breach notification laws that came into effect in 2018 compel organisations covered by the Privacy Act to notify affected individuals, as well as the Australian Information Commissioner, of data breaches that are likely to result in serious harm.
Clearly, cyber breaches can no longer escape shareholder and public attention, and once the first shareholder class action succeeds in Australia, Pandora's box will be opened, as litigators pursue further actions on the strength of the new precedent.
Protection from class actions
Many companies already manage their risk by taking out cyber insurance. However, due to the spiralling cost of ransomware payouts, policies are becoming increasingly expensive. Companies will also find it harder to obtain adequate cover in the future, as insurers and brokers demand tangible proof that businesses are instituting robust cyber-security measures, such as deploying the right cyber expertise, training staff regularly, and keeping procedures and protocols up to date.
In a separate 2021 report, entitled Principles for Board Governance of Cyber Risk, the World Economic Forum recommended a number of cyber-security principles for boards to follow, including embedding cyber-security expertise into governance, with greater representation of cyber-security experts on company boards.[i] The chief information security officer (CISO) is the executive responsible for an organisation's information and data security, and directors may wish to push for the company's CISO to be brought into the boardroom wherever feasible.
Crucially, the report also recommends that companies engage independent third-party advisers and assessors, reporting regularly to the board, to ensure effective oversight of cyber risk. This is especially significant if a matter proceeds to litigation, as a thorough and objective report that is admissible as evidence could help limit the company's liability. By contrast, an internal report compiled by a panicked IT staffer papering over the cracks will only help the plaintiff's case.
Similarly, the Australian corporate regulator, the Australian Securities and Investments Commission ('ASIC'), identifies board engagement, governance and risk management as critical elements of managing cyber risk.[ii] Senior leadership and boards must take ownership of the cyber strategy within an organisation and push for a cyber-security planning process that builds a multi-layered cyber-security system over time. It may not be possible to create an impermeable, watertight cyber defence at a large company within six months, but directors must not let the weight of the task deter them. It is in their interests, as well as the company's, to advocate for a cyber-security road map with clearly marked milestones and to push for management to factor cyber risk into significant business changes or decisions.
Companies then need to assure stakeholders not only that they have systems in place to mitigate cyber risk, but also that they have tested those systems to confirm they actually reduce risk at each point of access. Merely pointing to an IT backup system, without evidence that the backups have been tested and can restore operations, will no longer pass as a cyber-defence strategy.
The economic impact of COVID-19 is partly to blame for the sometimes lackadaisical and complacent approach to cyber-security, as companies spent much of 2020 focusing on their cash flow and their bottom line rather than on long-term payoffs, such as investing in a solid cyber-security system.
That is understandable in the immediate aftermath of a crisis, but directors must now take the lead in elevating the issue of cyber-security to utmost importance among managers, pushing for independent advice from recognised cyber-security experts, bringing cyber expertise into the boardroom, and insisting on tangible roadmaps for progress.
Otherwise, they could find themselves embroiled in lengthy and costly class action proceedings that could personally cost them millions in damages.
Shareholder class actions are already happening overseas. It’s only a matter of time before they happen here as well.