Directors Responsibilities in NZ Amid Cyber Threats

  • 17 September 2024
  • Asia Pacific

  • Data Protection & Privacy

In today’s digitally driven world, cyber breaches pose significant threats to businesses, emphasising the importance of directors’ roles in managing such incidents. This article covers director duties and liabilities within the context of cyber resilience in New Zealand.

What are directors’ duties?

The cornerstone of New Zealand’s corporate regulatory framework lies in the Companies Act 1993 (Companies Act), which outlines the responsibilities of directors towards company management.

However, while the Companies Act promotes good governance, it lacks specific directives concerning cyber incident management and resilience. Nonetheless, directors are expected to uphold general duties, which can be applied to cyber incidents.

Under the Companies Act, directors are obligated to exercise their powers with care, diligence, and skill (s137). They must act in good faith and in the best interests of the company (s131), ensuring that their actions align with the company's objectives. Further, directors must exercise their powers for a proper purpose (s133), avoiding irrational decision-making.

Despite the absence of explicit guidelines for cyber incidents, established case law emphasises factors like the nature of the directors’ responsibilities, consideration of the company’s best interests beyond financial matters, and alignment of risk management controls to effectively safeguard the organisation’s assets.

The Institute of Directors NZ (IOD) further supplements these guidelines by highlighting key principles for effective cyber incident management and resilience (see here).

Are there sector specific obligations?

Yes – in addition to statutory obligations (e.g. the Companies Act and the Privacy Act 2020), regulatory bodies like the Financial Markets Authority (FMA) and the Reserve Bank of New Zealand (RBNZ) provide guidance tailored to specific industries.

For instance, the FMA mandates effective cyber security controls and post-incident reporting for financial market participants,[1] while the RBNZ offers high-level recommendations for cyber resilience in the banking and insurance sectors.[2]

Can you bring a claim for breach of duties?

Yes – but different stakeholders have different rights. For example, claims can be brought against directors for potential breaches by the company itself, shareholders of the company, liquidators on behalf of the company and regulators.

While breaches of director duties carry significant consequences, legal avenues for redress are often complex. For example, shareholders may initiate derivative actions on behalf of the company against directors, albeit with stringent criteria and limited scope. Likewise, actions by companies themselves are contingent upon regulatory provisions and adherence to industry standards.

So, what is changing?

In the wake of the ASIC v RI Advice case in Australia, there now is a clear pathway for regulatory bodies to pursue claims against directors who neglect their obligations in managing cyber incidents efficiently.[3]

In this case, the Court decided that RI Advice Group Pty Ltd (RI Advice) had contravened its obligations as the holder of an Australian Financial Services Licence (AFSL)[4] under the Corporations Act 2001 (Cth) (Corporations Act) by failing to have appropriate cyber security controls and cyber resilience in place to manage its own cyber risks, and cyber risks across its network of authorised representatives. The case is detailed more extensively here.

This was the first ruling holding a financial institution in breach of the law for inadequate cyber resilience in Australia. Significantly, whilst this case was brought by ASIC as a breach of RI Advice’s AFSL obligations, it could have also been brought against the directors as a breach of their directors’ duties under the Corporations Act. This concept is referred to as “stepping-stone liability”.

In the Australian context, ASIC has increasingly pursued “stepping-stone liability” cases where directors or officers are held personally liable for failing to prevent their company's legal breaches. This is a risk for all entities and not just those that hold an AFSL. It signals that regulatory bodies like ASIC (and, in New Zealand, the FMA) can now hold directors accountable for failing to manage cyber incidents effectively.

This opens the door for potential claims against directors who neglect their duty of care when dealing with cybersecurity risks, adding another layer of responsibility in the context of corporate governance.

What does this mean for New Zealand directors?

The principles established in ASIC v RI Advice can serve as a benchmark for regulatory bodies in New Zealand when contemplating similar claims here. That said, while this case concerned a financial service provider, it is also relevant to other entities that are subject to similar regulatory obligations of information security.

While New Zealand’s regulatory landscape may differ, the underlying duties of directors remain fundamentally similar across jurisdictions. By drawing parallels between the duties of directors in Australia and New Zealand, regulatory bodies can argue that directors have a duty to adequately manage cyber risks to ensure the fair and orderly operation of their sectors, as mandated by the Companies Act and other relevant legislation.

Therefore, directors who fail to implement effective cyber resilience measures or respond promptly to cyber incidents may be susceptible to claims by regulatory bodies for breaching their statutory duties.

What is the short point?

In essence, the ASIC v RI Advice case serves as a catalyst for regulatory bodies in both Australia and New Zealand to hold directors accountable for managing cyber risks.

This is especially relevant as the frequency and impact of cybersecurity incidents in New Zealand continue to grow, increasing the likelihood that Kiwis will seek redress for data breaches and push regulators to enforce industry standards. For more information on data breaches and class action risks in New Zealand, see our commentary here.

In this context, by leveraging this precedent in New Zealand, regulatory bodies can reinforce the importance of robust cyber resilience practices and encourage proactive engagement from directors in safeguarding the interests of stakeholders and the integrity of their sectors.

Directors should view this case as a reminder to ensure appropriate experts are engaged to assess and implement proper controls that address risks relating to cybersecurity and cyber resilience.

How can we help?

Clyde & Co’s Technology & Media Team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand.

The firm's tech, cyber, privacy and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, recoveries and third-party claims, the team assists its clients, including corporate clients, insurers, insureds and brokers, across the full spectrum of legal services within this core practice area.

For more information, please contact Anthony Cooke, Jennifer Robbins, Richard Berkahn, Reece Corbett-Wilkins, John Moran, Stefanie Luhrs or Andrew Brewer.


[1] Further guidance from the FMA on its cyber security recommendations and requirements can be accessed here.

[2] Further guidance from the RBNZ on cyber resilience can be accessed here.

[3] ASIC v RI Advice can be accessed here.

[4] Referred to as an FMC reporting entity in the New Zealand context.
