BEARing Responsibility for Cyber Security in Australian Financial Institutions: The Rising Tide of Directors’ Personal Liability
Journal of Banking and Finance Law and Practice, Vol 30, Iss 1, 2019: 20-42
35 pages. Posted: 2 Jan 2019. Last revised: 13 May 2019
Date Written: December 17, 2018
Abstract
The Banking Executive Accountability Regime was enacted in February 2018; a month later the Australian Prudential Regulation Authority released a consultation draft of its new Prudential Standard CPS 234 on information security. CPS 234 requires that an APRA-regulated entity ‘clearly define the information-security related roles and responsibilities of the Board and of senior management, governing bodies and individuals’. This article considers the implications of these related developments for individual directors of financial institutions that experience cyber security breaches related to customer data, systems or infrastructure. It concludes that these developments set a hard floor under community and regulator expectations of directors’ role in ensuring that adequate cyber security measures are adopted, and that this expectation flows through to the standard of care required of them.
Keywords: Cyber Security, Cybersecurity, Directors' Duties, Banking, BEAR