PM Update

Get ahead of privacy reforms

Written by AFG | 31 July 2024 4:07:06 AM

Big changes are coming for small business, with directors to shoulder greater legal responsibilities.

The planned removal of Privacy Act exemptions for small businesses means cyber attacks that access customer data could leave company directors exposed if regulators believe they have failed to take adequate steps to prevent and handle threats.

Under the Corporations Act 2001, directors have a duty to act with care and diligence to guard against key business risks. While financial and legal risks have traditionally been prioritised, cyber security has now emerged as the pre-eminent threat.

For small businesses, it is a particularly thorny issue as many lack the expertise and budgets of larger companies, but they may soon be held to a similar standard.

To help directors of small business better understand and address their risks and responsibilities, the Australian Institute of Company Directors (AICD), in collaboration with the Australian Information Security Association, has prepared a simple guide that includes advice on low-cost risk control measures.

The 20-page Cyber Security Handbook for Small Businesses and Not-for-Profit Directors explains:

  • the role of a director in an elevated cyber threat environment.
  • basic cyber security measures that should be in place.
  • how to develop policies to both protect against and manage potential threats, including a cyber incident response plan.

Launching the handbook, AICD director and CEO Mark Rigotti said it was not uncommon for those leading small businesses to feel overwhelmed by constantly evolving risk in a high-tech space. However, not having specialised knowledge did not reduce the legal onus on directors to address risk with reasonable care and diligence.

“Cyber security is one of the biggest challenges facing organisations of every size, but small organisations face an even greater challenge having to routinely juggle priorities with constrained human and financial resources,” Mr Rigotti said.

The AICD handbook is a good starting point for directors of smaller entities and can be used in conjunction with the institute’s SME Directors’ cyber security checklist found here.

It is important for business leaders to bear in mind they are not expected to eliminate risk, but to responsibly manage it. In 2022 the Australian Securities and Investments Commission launched its first successful prosecution of a company for failing to adequately manage cyber risk and, in handing down judgement in the case, Justice Helen Rofe said: “It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”

The new AICD-led handbook for SME directors forms part of a suite of programs aimed at bringing small businesses up to speed on cyber security ahead of flagged changes to the Privacy Act. These education initiatives include the Federal Government’s free cyber wardens training program for small business and the Australian Signals Directorate’s Essential Eight.

At present, most small businesses with turnover of less than $3 million are exempt from the Privacy Act. However, a two-year Privacy Act Review completed in 2023 recommended this general exemption – granted in 2000 when SMEs posed a low privacy risk – be scrapped in light of the vast amounts of consumer information many small businesses now store digitally, along with a community expectation it be protected to a reasonable standard.

The Government has agreed in principle to this change; however, it has stipulated it will not occur before:

  • consultation with the SME sector to understand compliance costs and impacts.
  • consideration being given to modifying obligations and providing financial support to ease the regulatory burden.
  • putting in place training and education programs.
  • mandating a transition period.

Further information and resources:

AICD’s General Duties of a Director and Cyber Security Governance Principles