Could company Directors be in breach of their legal duties if they fail to deal properly with cybersecurity risks? This has long been a favoured topic of debate in cybersecurity circles, but in recent years we have seen it break through into mainstream conversation. A current example from earlier this week concerns a statement by the Chairman of the Australian Securities and Investments Commission (ASIC), Mr Longo, who reportedly said:
“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the Directors to potential enforcement action by ASIC based on the Directors not acting with reasonable care and diligence …”
Of course, the nature and extent of a company Director’s exposure will turn on the nuances of the national laws in place and the factual matrix of the case under examination, but I am doubtful that we are entering an era of immediate, significant exposure for them. For example, in some jurisdictions the Director’s duty of care is owed only to the shareholder, meaning that it will need shareholder legal activism for the duty to be tested.
Factual matrix critical
To stand a meaningful chance of establishing personal liability for a Director, the factual matrix would need to be extreme. Firstly, the business, through the actions of the Director, would need to have turned a blind eye to a security risk. Secondly, a cyber-attack would need to have taken advantage of the security gap left by that first decision.
If we think about the initial situation – the blind eye – the greatest likelihood of this problem arising will be in small, under resourced businesses where the cyber posture is dictated not by risks, but simply by the resource levels. These situations are very unlikely to bother the legal system in the manner that Mr Longo envisages.
In the type of business where Director personal liability will be a meaningful risk – i.e., where the company is one that the legal system will be actively engaged with – the picture is much more complex and nuanced than the observations about potential liability suggest. Such businesses typically have systems of internal control maintained for auditing purposes, and many operational roles and responsibilities for the delivery of security.
These systems will provide general protection to Directors in most cases, because they create a logical and managerial firewall between the Director’s duty and the performance of operational security tasks, which in turn creates a legal firewall.
Routes to exposure
Considering things in this way, there are very few permutations of fact that can lead to a meaningful challenge to the Director on the question of whether they discharged their duty. Examples are:
- The Director had good reason to believe that the systems and controls were not adequate.
- The Director had good reason to believe that they had not hired competent people to deal with the systems and controls.
- Without good reason they rejected advice on systems and controls.
- They suppressed people from providing advice that they did not want to hear.
In all of my years dealing with cybersecurity incidents, I have not witnessed a case that displayed any of these features. In fact, the common denominator at the heart of the cases I have dealt with is not the discharge of Director duty as such, but the presence of latent defects in the risk management process. Because they are latent and the topic is so complex, there are strong arguments to say that Directors can generally be excused for not understanding them. For example, consider the impact of behavioural economics and the human factor within the design of risk management systems, which many academics regard as a critical variable in cybersecurity success and failure: is this a topic that falls within mainstream board-level conversation? I think not.
Director failure or latent defects in risk management?
Many of the latent gaps in risk management are very difficult to resolve. Consider the situation of a zero-day attack that takes advantage of a previously unknown vulnerability. Armed with a brief understanding of how these vulnerabilities are discovered, balanced against an understanding of the overall extent of operational duties for security, most people would not consider this a topic suitable for establishing Director liability. Similarly, consider supply chain attacks: there are massive barriers standing in the way of understanding and managing the risks within them. Alternatively, what about “mega-systems” attacks, such as NotPetya, where an attack has unpredictable and unforeseeable consequences that extend much further than the attacker’s target, due to the extent of connectivity in the modern world? We all operate within mega-systems, with most of the risks within them being invisible to us and beyond our control (which is why some governments talk about taking a Whole Economy approach to developing public policy in this area).
So, do the above arguments make a case for saying that Director activities are an irrelevant consideration within the overall assessment of the quality of operational security? Of course not. There are four ways of looking at this question. Firstly, the consensus of expert opinion on operational security requires top management engagement, as stated in leading standards for best practice such as the ISO/IEC 27000 family of standards. Secondly, the Board’s behaviours will directly affect the liability of the company itself, which is where most of the legal exposure risk sits. Thirdly, there is increasing momentum within the examination of Director behaviours, which is where this article began. Fourthly, if the conditions summarised above for establishing Director liability are made out, there is appetite in some jurisdictions to “make it stick”, which can act as a pathfinder for further developments in this area and an amplifier for the overall argument.
The United States is currently the leader in this area, illustrated by various cases where regulators and shareholders have decided it is worth taking up the cudgels of this argument. In a recent high-profile case, a senior Officer at a tech company was convicted of criminal offences related to the handling and aftermath of a cybersecurity incident, a case that has divided opinion in the cybersecurity community and raised fears of personal liability.
Building a case, or acting proactively to protect the business
If a person was minded to “make it stick”, how would they build their case? The most obvious lines of inquiry would concern audit reports, Board agendas and “told-you-so” materials (e.g., escalations from concerned parties, a cohort that can span the whistle-blower through to the CISO themselves). The purpose of these inquiries would be to establish a prima facie case of risk awareness. The next step would be to examine the risk management process itself, to see how the risk was analysed, assessed and treated. These same areas also provide obvious starting points for Directors who want to take a proactive approach to cybersecurity risk management.