A few shots across the bow would no doubt force the hand of many companies -
Wotton + Kearney lawyer warns directors over cyber breach lawsuits
Businesses are being warned to expect shareholders to sue for cyber security breaches that negatively impact company share prices.
Andrew Moore, a partner at law firm Wotton + Kearney and expert in company director insurance, said the introduction of mandatory breach notification laws in early 2017 has exposed companies to a heightened risk of litigation following a data breach or a cyber attack.
The courts have also piled on, imposing a "high standard of care" on company directors to ensure they "appropriately" manage risks and act in the best interests of shareholders, according to Mr Moore.
"There should be little doubt that such risks include cyber risk," he said. "While these types of breaches in the context of cyber security have not yet been heard and tested by the courts, it is only a matter of time before this occurs in light of the new mandatory breach notification."
Despite similar laws having been in place for some time in other jurisdictions, including in the US since 2003, Australian organisations previously had the right to keep quiet about customer data breaches.
"The suggestion that protection against a cyber attack lies with a company's IT department and not also with the board of directors is misconceived," said Mr Moore.
"Following a data breach or cyber attack, a company is exposed to the risk of litigation brought by shareholders against directors or officers for failing to implement adequate security measures ... resulting in losses sustained by shareholders through decreased share prices."
The Office of the Australian Information Commissioner received 114 voluntarily reported cyber breaches in the 2017 financial year.
Wealth giant AMP in November said it was investigating a third-party provider after more than 25,000 of its staff expense claims were exposed online. Along with AMP staff, the personal details of almost 50,000 Australian workers from the Department of Finance, the Australian Electoral Commission and the National Disability Insurance Agency were also released by an unnamed third-party contractor.
But AMP's share price did not appear to be affected, sitting at $5.02 the day the market was alerted to the breach, and climbing to $5.05 the next day.
The corporate watchdog published a report in 2015 urging company directors to determine whether they have appropriate board-level oversight of cyber risks.
"The ramifications for directors and officers for failing to meet obligations can result in disqualification and, therefore, ensuring cyber risks are properly managed by company directors and not just referred to the IT department is imperative for the future viability and continuity of a business," Mr Moore said.
Joel Pridmore, head of corporate insurance at reinsurer Munich Re, said directors and officers' insurance policies have a wide definition of "wrongful act". "The policy will usually respond unless there is a specific exception," he said. "The potential costs of data security breaches can be significant and companies must not assume their standard, existing insurance policies cover them for cyber security and data breaches."
This comes amid increasing pressure on the directors and officers' insurance market.
As revealed by The Australian Financial Review this month, insurers providing liability cover to directors and officers have raised premiums by as much as 300 per cent following a sharp rise in the number of share price-related class actions launched against Australian companies.
A report last year by Wotton + Kearney and insurer XL Catlin found nine out of 10 filed securities class actions were settled in Australia, with insurers facing an average bill of $40 million for each securities class action settled. Since a landmark class action against GIO was settled for $97 million in 2003, more than 30 actions have been finalised, with the largest being a case against Centro, settled for $200 million in 2012.