As the frequency and severity of cyber attacks on Australian organisations continue to grow, boards and directors face increasing personal liability for the decisions they make about a potential security incident.

Under the Corporations Act, directors are required to discharge their duties with care and diligence, and to act in good faith and in the best interests of the company. Directors who fail to properly consider cyber risks and the cyber security of their company risk breaching their duty of care, warns David Gonski from the Australian Institute of Company Directors.

A perceived or actual failure to implement adequate measures to mitigate cyber security risks could result in directors being held responsible for failing to prevent a foreseeable breach, and inaction on implementing cyber security best practices could be construed as not acting in good faith.

The question for boards is how, without being IT experts, they can develop their understanding and governance of cyber risk management and its enforcement.

5 suggestions for boards to improve cyber threat response readiness

At a minimum, boards need to understand how their company will respond if it is hacked or suffers a network breach. This includes who needs to do what, the kinds of experts that need to be engaged and the steps required to get the business back on its feet quickly.

Gonski offers 5 suggestions for boards to augment their cyber capability and knowledge:

  1. appointing a board risk committee of cyber risk experts on a permanent or consultancy basis
  2. assigning time and budget to educating board members so they stay abreast of cyber threat developments
  3. monitoring developments in the cyber threat landscape and sharing 'war stories' and learnings
  4. holding dedicated discussions on preparedness and pooling knowledge and capabilities
  5. running simulations of a cyber attack that involve the whole board, to develop response abilities.

The value of cyber attack simulations for company directors and boards

Involving board members in regular cyber attack simulations tests whether incident response plans and procedures are accessible, easy to follow and fit for purpose in the event of an actual attack.

A simulation can provide clarity on some of the issues involved: can the business actually restore its data from backups, and has that restore ever been tested? If a ransom has been demanded, should the business negotiate with the attacker?

Are there legal ramifications to paying the attacker? Some threat actors are affiliated with sanctioned entities, for example groups linked to terrorism or human trafficking, and paying them may itself be unlawful.

It can also reveal the extent and limitations of board members' understanding of the situation, as well as how they react as individuals under pressure.

The role of cyber insurance in supporting cyber threat readiness

In the event of a cyber attack, a robust cyber insurance policy provides access to experts in negotiation, forensic investigation and remediation, as well as cover for the legal and reputational costs involved.

How Gallagher can help

In addition to cyber insurance protection, Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.

Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes, which only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services are provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920), Australian Financial Services Licence (AFSL) No. 238312.