Director Risk – The Rise of Cyber Class Actions
Imagine this – your company is exposed to a ransomware attack, necessitating the company to pay out millions of dollars to cyber criminals so that the company’s client financial information is not exposed. While you are still reeling from the financial and reputational fall-out from the attack, a group of shareholders bring a lawsuit alleging that the company directors or officers failed to protect the company by issuing false and misleading statements regarding the company’s compliance policies. It’s a double hit – a ransom payout with litigation reverberations. Whilst not yet a reality in this country, the US and Canada are both experiencing the rise of this kind of cyber litigation. It is board governance that manages these emerging risks.
Cyber-crime is big business and costs the Australian economy, according to the Australian Institute of Criminology, an estimated $3.5B per year. There have been several high-profile ransomware attacks in Australia (BlueScope Steel, Toll Group, Nine Entertainment, Lion Diary and Drinks) and even without the potential threat of shareholder class actions, the pressure is on directors to demonstrate and implement roadmaps to manage cyber risk. The Federal Government has shown an interest in the liability of directors as part of Australia’s Cybersecurity Strategy 2020 which aims to create stronger incentives for business to invest in cybersecurity including setting new standards to make directors personally responsible for cyber-attacks. Discussion has centred so far around either a mandatory approach with its high compliance burden or a voluntary framework which the Federal Government has said “could be considered by a court when determining whether failures relating to the oversight of a cyber risk constituted a breach of directors’ duties”. There is already a technical exposure of directors in the aftermath of a cyber incident for potentially failing to guard against key business risk under section 180 of the Corporations Act but the Government is looking to up the ante.
The demonstration of sound cyber expertise at board level and the implementation of protocols across the business are the backbone of procuring and renewing cyber insurance. There is now the added incentive that implementing cyber-security principles, such as engaging a third-party advisor to report to the board, could form part of a defence to any litigation that arises from cyber incidents. The World Economic Forum has set out six globally applicable principles to get the boardroom ball rolling on cyber-resilience: encourage systemic resilience and collaboration, incorporate cybersecurity expertise into board governance, ensure organisational design supports cybersecurity, align cyber-risk management with business needs, understand the economic drivers and impact of cyber risk; and that cybersecurity is a strategic business enabler.*
Ensuring that organisational design supports cybersecurity, according to the Forum, might include the Board reviewing the company structure to make sure the cybersecurity function is adequately represented across the business and leadership. It will mean that cyber-risk functions get adequate staffing and funding to inspire a cybersecurity culture. Now is the time to revisit your cyber resilience and talk to your Lockton broker about cyber insurance.
*Principles for Board Governance of Cyber Risk Insight Report (March 2021)