Under the Corporations Act, directors are required to have particular regard around their duty of care, due diligence and continuous disclosure obligations when running a company. This applies to directors involved in running a private, as well as a public organisation. Such obligations extend to all aspects of a business, including a business’s IT infrastructure and security.
Directors are no longer able to push the responsibility for cyber compliance on to the IT department or to a third-party IT service provider. It is a director’s duty to be involved in managing and understanding the real risk associated with cyber security, and to ensure that a strong compliance regime exists that addresses cyber security within the business. Failure to discharge such duties can expose directors to claims from shareholders, along with investigations from regulators such as the Australian Investment & Security Commission (ASIC) and the Office of the Australian Information Commissioner (OAIC).
Australian Government agencies, not-for-profit organisations and all businesses with revenue greater than $3m have responsibilities under the Privacy Act 1988. Even small businesses with less than $3m of revenue have obligations under the Act if they collect health information, or sell and/or purchase personal information for a benefit. It is becoming more common for small businesses to ‘opt in’ to the Privacy Act, sending a clear message to their clients that they are committed to strong privacy practices. In recent times the Australian Privacy Principles have been updated through the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). Australian Privacy Principle (APP) 11 requires entities governed by the Act to take reasonable steps to protect the personal information they hold from:
(a) misuse, interference and loss; and
(b) unauthorised access, modification and disclosure.
Significant penalties may apply for breaches of the Privacy Act, including fines of up to $340,000 for individuals and $1.7m for organisations. With this in mind, directors of companies need to start understanding the following about their business.
With obligations on directors increasing at a rapid rate, cyber risk management should now be at the forefront of all directors’ minds.
I have been operating as an AR with McCormick Harris since late 2005. Prior to that I was a Responsible Officer for a brokerage, with all the laborious tasks of maintaining a licence. The relationship with the McCormick Harris team has developed significantly over that time, and all of us in the Sydney office feel part of the organisation without losing our independence in operating a well-respected brokerage. The only thing missing is the compliance requirements that need ongoing attention.
- Joe Gemmola, Director of Zedcora Pty Ltd since 2005