A government plan to hold company directors accountable for their inability to manage cybersecurity risks has garnered little support from industry, with AWS, L’OrÃ©al and Telstra particularly critical of any imposition of specific cybersecurity obligations on directors.
The proposal, purchased in July, could see voluntary or mandatory cybersecurity governance and accountability standards applied to companies and directors.
The government of the day seemed to favor a voluntary program, developed jointly with industry, and this also seemed to be the most acceptable option for industry, if such action was to continue.
However, several large companies have warned that specific cybersecurity leadership tasks are unlikely to improve board-level oversight of cybersecurity risks and could in fact lead to conflicts of interest.
“Mandatory cybersecurity governance standards or specific director tasks won’t do much to improve [the] Knowledge gap [of knowing that there is a risk and knowing how to address that risk,â Amazon Web Services (AWS) A/NZ said in a submission. [pdf]
âAt its core, cybersecurity is a business risk and is already part of a manager’s existing duties.
âInstead, we believe business administrators, senior executives and other managers need training and support to understand how to effectively manage their cybersecurity risks.
“A voluntary code can help administrators make more informed investment decisions, but we caution against overly prescriptive codes that emphasize compliance with prescriptive technical controls at the expense of an overall asset management strategy. risks. “
Cosmetics maker L’Oreal Australia – perhaps a surprise bidder – has gone further and asked for the protection of admins who are forced to deal with active cyber attacks and ransom demands.
Her legal counsel for privacy and data protection, Jessica Amos, recommended “that the government consider the introduction of safe harbor laws for directors and officers of companies who are victims of ransomware or cybercrime. similar attack and decides not to pay any ransom, when the company has acted reasonably regarding its cybersecurity stance.
“We believe that any action taken by the government on cybersecurity should take into account the impact of penalizing companies that are themselves victims of a cyber incident,” L’OrÃ©al Australia said. [pdf]
âDirectors and officers are often placed in confrontational positions, where crushing the pressure of time can push an interpretation of their duty to the company to force the payment of ransoms to avoid potentially dire consequences.
âWe recognize that from a moral, ethical and long-term perspective, the right choice may be to refuse to pay the ransom to deter further attacks.
âThis can happen even to organizations that have carefully invested and appropriately managed their cybersecurity postures.
âBy providing directors and officers with the certainty that any decision to refuse to pay a ransom will not result in personal liability, the government can help raise the public policy imperative not to pay a ransom.
“This will remove the incentive for ransom attackers to continue operating by limiting the potential negative consequences for companies that behaved appropriately and yet were the unfortunate victims of a criminal attack.”
Telstra, on the other hand, saw the existing leadership functions as reason enough for boards to adequately deal with cybersecurity risks.
“Directors and officers of listed companies need to understand and continually reassess existing and emerging risks that may apply to the business of the company,” said Telstra. [pdf]
âThese existing obligations and responsibilities are sufficient and provide appropriate enforcement mechanisms.
âThe generic (and principled) approach to director obligations provides an appropriate and sufficiently flexible framework to assess cybersecurity risks and their appropriate mitigation measures.
“We believe government has a role to play in producing clear guidance on how business administrators should view cyber risk and in developing some ‘best practice’ approaches to mitigate cyber risk. -risk. “
Other major technology players, including Facebook, IBM and Google, supported voluntary standards established with industry cooperation, and which were âflexibleâ enough to respond to the evolving nature of the cybersecurity arena.