Directors must shoulder the responsibility for cyber security and resilience even if they lack expertise in the area, according to HLB Mann Judd.
HLB Mann Judd’s corporate advisory partner Katelyn Adams said cyber issues were a growing problem for boards everywhere.
“Cyber security is unquestionably keeping directors awake at night,” she said. “Directors need to ensure the technology framework the company operates in is secure. As well as the operational and reputational risk of cyber breaches, there are also significant penalties for those who fail to meet their obligations.”
“This is best done by engaging cyber security experts to provide advice and ensure this advice is acted on. The cyber resilience of the company must be continuously monitored, and directors must satisfy themselves that it remains robust.”
“In addition, directors should ensure an appropriate data response plan is in place in the event of a data breach.”
Ms Adams said broad regulatory guidelines placed obligations on directors to ensure firms were properly managing the cyber security risk.
She said section 180 of the Corporations Act 2001, under which a director must act with reasonable care and diligence, could easily extend into cyber security and place further regulatory responsibilities upon directors.
“ASIC’s vision is for Australian markets and systems to be resilient to cyber incidents. ASIC works collaboratively with business, regulators and governments, but has issued clarification to all regulated market participants to address cyber risk as part of their AFSL obligations,” said Ms Adams.
“ASIC has recently released a number of resources aimed at increasing cyber resilience … it has also made it clear it expects regulated bodies to adequately assess and address cyber risk, and it will treat any breaches accordingly.”
Ms Adams said it was becoming important to upskill directors or ensure a board had cyber security knowledge.
“The use of a trusted cyber security consultant is crucial, as they will provide full feedback to the board. It is then the role of the board to ensure any recommendations have been appropriately acted on and implemented,” she said.
“The key for directors is continuous questioning of management as to the robustness of the cyber security plan and assessment of risk.”
“Unfortunately, it will never be 100 per cent unbreachable, however through continued review and assessment, directors can ensure their company remains cyber resilient.”
HLB Mann Judd risk and assurance partner Kapil Kukreja agreed and said cyber security was ultimately the responsibility of the board, not the firms’ technology departments.
“It’s a governance issue, and shouldn’t be viewed by companies as the exclusive domain of the IT department,” said Mr Kukreja.
“Given the high-profile nature of recent breaches – and the many, many more that go unreported – company directors have a responsibility to ensure the organisation is as safeguarded as possible.”
“Directors need to be aware that hackers are one, two, three steps ahead, and unless they have all the necessary measures in place, they could be held to account by regulators and their shareholders.”