Cyber risk: Directors’ duties and implications for M&A


On 18 September 2023, ASIC Chair Joe Longo addressed the Australian Financial Review Cyber Summit on the topic of cyber preparedness. 

His message was stark and should prompt immediate action from directors on company boards, both generally in evaluating their third-party supplier cyber risk and in how they approach mergers & acquisitions (M&A).  

Two key headline points were raised, namely:

  1. every system is vulnerable, and we must plan for that; and
  2. reliance on third-party providers is always a risk.

If every system is vulnerable, how can companies defend against cyber-attacks? The unfortunate reality seems to be that, while defence should of course be a key focus, companies should also prepare for the inevitable and have a response plan in place to weather a significant cyber security incident.

ASIC recommend that companies should ensure they have a thorough and comprehensive plan in place for significant cyber security incidents and a clearly thought-out risk management strategy.  

For listed companies that are familiar with regulated M&A, structuring that plan may result in companies creating a manual similar to that used in a takeover defence. The manual would look to have detailed contingencies in place for conceivable scenarios, an identified response team, a template holding-statement announcement in respect of a cyber-attack, and the telephone cascade that is immediately initiated upon the occurrence of an incident. 

On the second matter, ASIC make the point that none of us have control over the security of a third-party provider, and that their initial findings from a survey conducted make it clear that one of the weakest links in cyber preparedness is third-party suppliers, vendors and managed services providers. An evaluation of third-party supplier cyber risk should be another key area of focus for companies.

ASIC go on to note that cyber security and resilience are not merely technical matters on the fringes of directors’ duties, but that directors should specifically ensure their organisation’s risk management framework adequately addresses cyber security risk and that controls are implemented to protect key assets and enhance cyber resilience. ASIC explain that failing to do so could mean not meeting regulatory obligations and that, if cyber security is not given sufficient priority, directors may be exposed to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence (refer section 180(1) of the Corporations Act 2001 (Cth)).

How to reduce third-party risk

It is clear that you cannot rely solely on the security measures put in place by your third-party suppliers.

ASIC provide three non-exhaustive ideas that companies can adopt to protect against cyber vulnerability:

  1. Never set and forget.
  2. Plan for and test for attacks.
  3. You can’t protect what you aren’t aware of.

Never set and forget

Supply chain and vendor risk is not a passive matter, and an active approach to engaging with this risk early and often will assist companies and directors in mitigating risk.

We would add that the data security practices adopted by a third-party vendor at the time of entering into a services agreement are unlikely to be sufficient five years into the engagement. Suppliers should be obligated to regularly reassess and improve their security practices and clearly communicate any changes with their customers.

Planning and testing

ASIC ask a series of questions which boards and companies would be wise to consider and engage with:

  • Do you know how you would communicate with your customers, the regulators and the market when things go wrong?
  • Do you have a clear and comprehensive response and recovery plan? Has it been tested?
  • How will the company detect if the system has been broken, or exploited?

As noted above, putting in place a tailored ‘cyber defence manual’ (including a comprehensive and up-to-date data breach response plan) would assist a board and a company in addressing a fair number of these questions. Similarly, having regular penetration testing of systems and infrastructure can assist in identifying weaknesses that may be exploited.  

It is important to note that cyber security transcends malicious code and hacks occurring through the internet or networks, and to ensure that staff training is also provided so that employees are vigilant against physical cyber attacks perpetrated through social engineering (e.g., granting access to secure premises to the person wearing a high-vis vest and carrying a clipboard).

You can’t protect what you aren’t aware of

Almost half of the respondents to ASIC’s cyber pulse survey indicated that they don’t identify critical information and business critical systems. As ASIC point out, if these systems and information are not identified, then they cannot be protected (e.g., by ensuring ‘need to know’ access only).  

M&A Risk

Cyber risk should also be contemplated in the process of M&A. A cyber incident can theoretically impact any stage of the acquisition process, including:

  • in the pre-deal phase or prior to completion where an attack on the acquisition target can destroy the value in the purchase price or trigger a ‘material adverse event or change’ clause leading to an acquirer walking away from a transaction; and
  • post-transaction, where a pre-completion cyber incident is identified leading potentially to claims against warranties and indemnities (or against the provider of warranty and indemnity insurance in certain transactions). 

How, then, should companies identify cyber risk in their due diligence processes? There is no one-size-fits-all approach; however, consideration may be given to:

  • reviewing and understanding the existing practices and policies that the target entity has put in place to manage cyber risk (and undertaking an assessment of the viability of such processes, including whether they are being followed or are merely a ‘set and forget’ process);
  • performing diligence with an appropriate external advisor on the systems and existing infrastructure in an effort to understand vulnerabilities; 
  • obtaining copies of any insurance coverage that is maintained; 
  • updating due diligence questionnaires to cover off on cyber risk, by asking questions surrounding:
      - any prior cyber incidents (data leaks, ransomware incidents or similar) or knowledge of matters that may lead to a cyber incident;
      - the audit processes that have previously been undertaken and are planned;
      - the third-party supply chain risk that exists;
      - whether there are procedures in place to mitigate against an incident and understanding whether clearly defined roles exist in that mitigation strategy.

While not the subject of this article, it is important also to keep in mind that effective data security practices anticipate far more than securing data against malicious cyber attacks, and there are many other ways personal information or commercially sensitive data can be compromised. It is equally important to ensure measures are in place to address inadvertent disclosure or loss of data, which may also constitute a notifiable data breach under both the Australian and overseas privacy and data protection regimes.

For more information and to ensure your company is protected, reach out to HopgoodGanim’s Intellectual Property, Technology and Cyber Security team and M&A team.