In the current landscape of accelerating cyber incidents, where the responses and decisions of Boards are publicly scrutinised, Boards need to play an active role in a cyber crisis. That role involves not only overseeing and supporting management's response, but also anticipating post-incident risks through a regulatory, operational and reputational lens. There is little doubt that Boards and individual directors will be a target of regulatory action and litigation if there is a view that the cyber readiness of a corporation is below par. At present, no regulation sets a clear minimum bar that must be met.

The AICD and CSCRC’s New Cyber Framework

Against this backdrop, on 28 February 2024 the Australian Institute of Company Directors (AICD), together with the Cyber Security Cooperative Research Centre (CSCRC), released the Governing Through A Cyber Crisis Framework (the Framework). The Framework was informed by senior Australian directors, cyber security advisors and government, and is intended to give Boards and directors better guidance on preparing for and responding to a cyber crisis, and on building stronger cyber resilience.

The Framework proceeds from the position that Boards and directors need a deep understanding of their organisation's network, physical and digital assets, and of the protections, policies, processes and plans that are in place, both before a cyber-attack occurs and in the event of a cyber crisis.

Although the Framework is not legally binding, in the absence of a legislated standard it is highly likely that regulators will reference and use it in potential litigation as instructive of what constitutes appropriate and minimum risk management and governance practices by a Board.

High Level Overview of the Framework

The Framework is extensive. Among other things, it expects Boards and directors to be informed about, and involved in, the following matters:

  • having oversight of what communications need to be made to internal and external stakeholders, as well as any legal obligations that may arise, including to engage with and inform regulators, to make market disclosures and to ensure provisions in contracts relating to cyber incidents are complied with.
  • having a relevant response team and post-incident review team within the Board (as appropriate to your organisation) to oversee responses, mitigation actions, decisions made by management and remediation, before, during and after a cyber crisis.
  • knowing what trusted third party professionals need to be engaged, amongst other matters, to:
    • identify the root cause and any underlying vulnerabilities that led to or could lead to a cyber incident, if and when it occurs;
    • review actions taken or decisions to be made;
    • advise what systems / plans need to be in place to secure your data and assets;
    • advise what testing needs to be undertaken to ensure the integrity of those systems and plans; and
    • provide legal advice and guidance, if any, in respect of disclosures, regulator engagement, contractual obligations or potential claims that may arise as a result of the cyber crisis.
  • knowing what will be required to effect remediation, internally from a resourcing and funding standpoint, and for which stakeholders (potentially employees and customers).


The Framework can be downloaded here: https://www.aicd.com.au/risk-management/Framework/cyber-security/governing-through-a-cyber-crisis-cyber-incident-response-and-recovery-for-australian-directors.html

For more information, or if you have any questions, including as to how the Framework might impact your organisation and the obligations of your Board and directors, please contact Janet Whiting or Christiana McCudden.

Our team

In addition to extensive experience in advising and defending Boards and individual directors on their duties and obligations, the Melbourne Disputes + Investigations team has key litigation experience on matters of cybersecurity, an area of increasing focus. By way of example, the team recently successfully represented RI Advice and its parent company, Insignia Financial (formerly IOOF), in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the leading case brought by a regulator focusing on the adequacy of an organisation’s cybersecurity. While this case was heralded by ASIC as a test case which it used to publicly illustrate its stance on cybersecurity, RI Advice had significant success in the proceeding with ASIC withdrawing much of its case and agreeing to seek orders that no penalty should be imposed.