Are Directors Personally Liable for a Cyber Attack

Are Board Directors personally liable for a cyber attack? Is it a foreseeable risk? Experts at GovernWith and Mills Oakley Lawyers share their insights

The GovernWith webinar in its cyber series for 2023

The experts explored the issue of whether directors can be held personally liable for a cyber attack. The session was graced by notable legal professionals from Mills Oakley, Jonathan Green and Vera Visevic. The feedback was overwhelmingly positive, prompting an encore webinar.

Importance of Cybersecurity in Corporate Governance

The webinar emphasised the significance of cybersecurity in contemporary governance. Cyber resilience, the presenters argued, should be integral to an organization's culture. In fact, the duty of care and diligence that applies to directors extends to cybersecurity as well.

This concept was reinforced by a landmark case in Australia brought by the Australian Securities and Investments Commission (ASIC). For the first time, the Federal Court dealt with cybersecurity, indicating ASIC's growing concern about this issue.

This case was not just about a breach of an Australian Financial Services Licence (AFSL). It was also a sign of ASIC's shifting stance, moving beyond educating about cybersecurity to enforcing its expectations. In a clear message to directors and businesses alike, the court ruled that the company had failed to implement adequate cybersecurity and cyber resilience risk management practices.

The financial consequence was hefty: the company was directed to pay AUD 750,000 towards ASIC's legal fees. The case was deemed a precedent, and the court suggested that future cases may see directors held personally liable for not taking cybersecurity seriously.

Case Studies - Anglicare and Oxfam

Among the case studies presented was the 2020 cyber attack on Anglicare, a non-profit organization. Sensitive information was stolen from their data system, leading to a serious breach. However, Anglicare managed to contain the situation through their data plan, working with the Australian Cyber Security Centre and the New South Wales Police Force.

Oxfam, another notable organization, was also mentioned. These examples demonstrate that no organization, regardless of its sector, is immune to cyber threats.

Mitigation and Proactive Measures

To mitigate such risks, organizations can create regional subcommittees for cyber governance. This approach allows smaller organizations to draw from the expertise of larger ones. Additionally, businesses across different sectors can cooperate, as cybersecurity risks are ubiquitous.

The discussion concluded with a demonstration of Boardroom Plus by GovernWith, a platform that offers a comprehensive solution for board governance reviews, director skills assessments, and succession planning tools, with a strong emphasis on cybersecurity risk management.

This webinar should be a wake-up call to directors: with cyber threats escalating, they may well face personal liability if adequate cybersecurity measures are not taken seriously in their organizations.
