September 20, 2019 Writing in English
Major Cyber Attack and Directors Duty to Prevent Insolvent Trading
In preparing for a LinkedIn article on Directors Duties related to a major CyberSecurity incident, I needed to get my head around the link between a Major CyberSecurity incident and the risk of Insolvent Trading under Section 588 of the Corporations Act.
The Australian Institute of Company Directors (AICD) provides sound guidance as part of its Directors Tools – Insolvent Trading Duties of Directors (link to this guide below).
This guide references fifteen warning signs of insolvency (as outlined in the Australian Securities and Investments Commission’s (ASIC’s) Regulatory Guide 217 – Duty to Prevent Insolvent Trading: Guide for Directors (2010), Table 2).
I note, however, that these relate to existing warning signs rather than potential warning signs (e.g., in the context of a future major CyberSecurity or Data Loss incident).
It is sobering to consider what major CyberSecurity incidents (albeit UK- and US-based) are telling us:
1) InfoTech Article (link below): According to a survey commissioned by VIPRE, “66% of SMBs would shut down or close if they experienced a data breach.”
In 2016, the US National Cyber Security Alliance presented similar findings. The organization found that 60% of small businesses can’t sustain their business over six months after an attack.
2) The register.co.uk article (link below) “Hacked US medical debt collector AMCA files for bankruptcy after hack” asserts that “the healthcare debt collector ransacked by hackers, who gained access to millions of patients’ personal information, has filed for bankruptcy protection.”
Perhaps it is not such a long bow to consider a major CyberSecurity incident in the context of insolvent trading risk, as well as directors’ duties under Section 588 of Corporations Act.
Section 588 Directors Duty to Prevent Insolvent Trading
The Australian Institute of Company Directors (AICD) provides sound guidance as part of its Directors Tools:
“Section 588G sets out a director’s duty to prevent insolvent trading by a company. Under this section, a director has a duty to prevent insolvent trading where:
he or she is a director of the company at the time the company incurs a debt; and the company is insolvent at that time (or becomes insolvent by incurring that debt or by incurring at that time debts including that debt); and at that time there are reasonable grounds for suspecting that the company is insolvent or would become insolvent.
In the instance that the director fails to prevent the company from incurring debt in the circumstances set out above, the director contravenes 588G of the Corporations Act 2001 if:
the director is aware at that time that there are such grounds for suspecting the insolvency; or a reasonable person in a like position would be so aware.
Further, the director commits an offence if the failure to prevent the company incurring the debt was ‘dishonest’ (s 588G (3)).
The onus of proof is on the person trying to make a director liable for insolvent trading.”
InfoTech Article: “66% of SMBs would shut down or close if they experienced a data breach”
“In the event of a serious data breach, 66% of SMBs would either go out of business completely, or be forced to shut down for at least a day, according to a Monday report from VIPRE. This would happen regardless of whether systems or data were compromised, according to a press release announcing the report.
The survey commissioned by VIPRE took responses from some 250 SMB IT managers. In 2016, the US National Cyber Security Alliance presented similar findings. The organization found that 60% of small businesses can’t sustain their business over six months after an attack.”
Delicious irony: Hacked US medical debt collector AMCA files for bankruptcy protection from debt collectors
“The healthcare debt collector ransacked by hackers, who gained access to millions of patients’ personal information, has filed for bankruptcy protection.
Retrieval Masters Creditors Bureau, aka American Medical Collection Agency, told the Southern New York US District Court this week that it was seeking chapter 11 bankruptcy protection.
In the fallout of the hack, Quest and Labcorp bore the brunt of public scrutiny and scorn from US Congress, however, as we now see, AMCA has also taken a hit from the cyber-heist, one significant enough to put its future in doubt.”
John is an experienced IT Governance professional who assists businesses to drive value from their investment in technology. This includes the innovative FastTrack CyberSecurity™ Program. He also lectures in Ethics and Governance and Finance Data Analytics to University Masters students.
He is highly qualified and has over thirty years’ experience as an IT Compliance, Risk and Governance specialist. This includes eleven year as Executive Director, Risk Advisory (Technology) in a large international accounting firm with a specialist Risk Advisory Services practice.