The Resolution

Centro and technology disasters: When are directors liable?

Most Australian company directors are very aware of the Centro case (ASIC v Healey & Ors [2011] FCA 717). The case has very clear implications for how directors deal with and review the company accounts.

But I think the broader implications of this case are too frequently missed. More than just financial accounts, Justice Middleton’s judgment sets down how directors must deal with a range of complex issues that go to the survival of the company.

In this article I want to explore the implications for technology and cybersecurity. When the next large company implodes because of a technology or cybersecurity failure, what are the courts likely to expect of directors? Will directors who rely solely on the advice of experts be found negligent, like in the case of Centro?

Looking at these issues, this article has two main sections:

1. The general implications of the Centro case for how directors must discharge their duties in the face of complexity

2. The specific implications of the Centro case for how a board deals with technology

Section 1: The general implications of the Centro case for how directors must discharge their duties in the face of complexity

It is widely understood by company directors that they must scrutinise company accounts. If they were in any doubt about this responsibility the 2011 Centro Case in the Federal Court of Australia put this beyond question.

Justice Middleton in the Centro Case informed company directors that they are not expected to be accounting standard gurus or financial wizards but they must be able to apply their considerable knowledge of their company’s operations. They must take all reasonable steps exercising the degree of care and diligence the law requires of them, to sign off the annual accounts.

He concluded that whilst there are many matters a company director must focus upon, the financial statements must be regarded as one of the most important.

There are duties that can’t be delegated

Justice Middleton saw the central question in the Centro case as being whether directors of substantial publicly listed entities are required to apply their own minds to, and carry out a careful review of, the proposed financial statements and directors’ report. They could not substitute this requirement with reliance on others such as management or external advisers. 

Was it necessary for directors to determine that the information in the financial statements and directors’ report is consistent with their knowledge of the company’s affairs, and that there is no material omission of matters known to them or that should be known to them?

This is a substantial responsibility and one that the court found could not be delegated to auditing, accounting or financial experts.

Middleton J went on to find that the significant matters (loans that had to be refinanced within 12 months) not disclosed were well known to the company directors, or if not well known to them, were matters that should have been well known to them. If they had understood and applied their minds to the financial statements and recognised the importance of their task, each company director would have questioned each of the matters not disclosed.

He reached his opinion taking into account that production of the annual financial statements was "a massive project – 65 documents with 93 sets of complex financials at an average of 50 pages each equates to over 3,000 pages in total", clearly a huge amount of information for the members of the audit committee to read and understand.

Complexity and volume are not acceptable excuses

Whilst it was argued that ASIC relied solely on two pages of the CER 2007 Business Plan, and those two pages formed part of a Board pack of more than 1180 pages, Middleton J found that the board can control the information it receives. If there was an information overload, it could have been prevented. If there was a huge amount of information, then more time may need to be taken to read and understand it.

The key takeaway is that the complexity and volume of information cannot be an excuse for failing to properly read and understand the financial statements.

Middleton J held a director should acquire at least a rudimentary understanding of the business of the corporation and become familiar with the fundamentals of the business in which the corporation is engaged. A company director, whilst not an auditor, should still have a questioning mind. A director, whatever his or her background, has a duty greater than that of simply representing a particular field of experience or expertise.

But directors aren’t required to be infinitely knowledgeable

But Middleton J did state there are limits, writing, "nothing I decide in this case should indicate that directors are required to have infinite knowledge or ability."

That is perhaps some relief for company directors. But how much knowledge of matters outside their primary area of expertise must a director address, and where does the duty to pay attention rest?

Middleton J states what each director is expected to do is to take a diligent and intelligent interest in the information available to him or her, to understand that information, and apply an enquiring mind to the responsibilities placed upon him or her.

A reading of the financial statements by the directors is not merely undertaken for the purposes of correcting typographical or grammatical errors or even immaterial errors of arithmetic. The scrutiny by the directors of the financial statements involves understanding their content. The basic concepts and financial literacy required by the directors to be in a position to properly question the apparent errors in the financial statements were not complicated.

Middleton J concluded "a director is expected to be capable of understanding his company’s affairs to the extent of actually reaching a reasonably informed opinion of its financial capacity. Moreover, he is under a statutory obligation to express such an opinion annually... it follows that a director is required by law to be capable of keeping abreast of the company’s affairs." (emphasis added)

It is important to understand that the Corporations Act imposes ultimate responsibility for those matters (approving the financial accounts) upon the directors in a way that they cannot delegate. They must themselves determine to adopt the required resolution.

This is not to say that directors are not entitled to seek assistance in carrying out their responsibilities, and may rely on others. For instance, directors are entitled to rely upon declarations by the CEO and the chief financial officer, such as made pursuant to s 295A of the Act. Section 295A says that in the case of a listed entity, the directors’ declaration for a full financial year must be made only after each person who performs a chief executive function or a chief financial officer function has given the directors a declaration.

In the Centro case, all the directors failed to see the ‘obvious errors’ because they all took the same approach in relying exclusively upon those processes and advisors. No director stood back, armed with his own knowledge, and looked at and considered for himself the financial statements.

Justice Middleton considered that all that was required of the directors in this proceeding was the financial literacy to understand basic accounting conventions and proper diligence in reading the financial statements. The directors had the required accumulated knowledge of the affairs of Centro, based upon the documents placed before them and discussion at board meetings. Each director then needed to formulate their own opinion, and apply that opinion to the task of approving the financial statements.

Section 2: The specific implications of the Centro case for how a board deals with technology and cybersecurity

There is little doubt that technology and cybersecurity failures have the capacity to destroy organisations. So what can Justice Middleton's findings in the Centro case about financial accountability for boards do to assist us with how the board should treat technology and cybersecurity?

Applying Justice Middleton’s words: “A director, whatever his or her background, has a duty greater than that of simply representing a particular field of experience or expertise and they should be accountable for all matters that go to the survival of the enterprise.”

So should we be surprised in the future if a court finds company directors have a duty to understand technology and cybersecurity if these matters go to the very survival of the enterprise? I would argue that it’s hard to read the Centro judgment in detail and come to any other conclusion.

It is important that we take care when extrapolating any particular court decision (particularly one dealing with a different fact pattern), as any future court case will inevitably be decided according to the particular circumstances before the judge.

However, it is certainly reasonable that company directors need to question the information provided to them by management, and they must turn their minds to risks affecting the business generally.

I think the risk of security breaches has to be on the list of matters considered by all boards, particularly as the possible impact and opportunity is only increasing. The number of threats and scale of the consequences grows year-on-year.

In the same way that the financial statements go to the very viability of the enterprise, technology and cybersecurity increasingly go to the survival of every company.

It is obvious that just as the decisions of the board of Centro were examined by the Federal Court when Centro failed, if and when a major technology or cybersecurity failure causes the complete destruction of an enterprise the decisions of that organisation’s board will also be examined by the courts.

In this light, how can the tasks required of a company director in properly governing technology and cybersecurity be best guided by the findings of Justice Middleton in the Centro Case?

The courts are likely to find the directors must take all reasonable steps required of them, and they must act in the performance of their duties as company directors exercising the degree of care and diligence the law requires of them.

The real question will be what degree of care and diligence the courts will place on directors with respect to technology.

Will directors of substantial publicly listed entities be required to apply their own minds to, and carry out a careful review of the technology reports to determine that the information they contain is consistent with the director’s knowledge of the company’s affairs, and that they do not omit material matters known to them or material matters that should be known to them?

Or will the courts allow directors to rely on experts, particularly given the absence of a specific legal requirement imposed on directors (as was the case in Centro with the requirement to approve accounts)?

Complexity is not an excuse (for finance, or for technology)

In the Centro case, the Federal Court found that company directors must master Board packs of more than 1180 pages (and that boards can control the information they receive or demand more time to process the information). The court made it clear that the complexity and volume of information cannot be an excuse for failing to properly read and understand the financial statements.

So in a similar circumstance, why would the complexity and volume of information excuse a company director from understanding the complexity or volume of information in matters of cybersecurity and technology?

An infinite knowledge or deep expertise in technology is not required of the board to effectively govern technology. Rather the board is required to have a rudimentary understanding of the business of the corporation and to be familiar with the fundamentals of the business. Setting an appetite for risk and innovation requires the board to possess an appreciation for how technology can enhance the value of the organisation.

It does not take a career in technology for a company director to be able to think about a catastrophic scenario where technology could cause havoc for their enterprise. An example might be where India is isolated from the rest of the world and this major provider of IT outsourcing and professional services to your company can no longer provide these services. This is very similar to what happened when OPEC refused to supply oil to the world in 1974 or when all the major banks stopped lending during the GFC.

It is important that boards have the structure and capability to ensure that their organisation can deal with such an extreme situation. Do the board, board sub-committees and technology bodies that are in place know about the impact, likelihood and consequence of such a catastrophe?

Just as in approving financial accounts, company directors must be able to understand technology proposals and reports so that they can ask basic questions that get to the heart of the risk of any technology proposal or cybersecurity report.

You don’t need to be a mechanic to drive a car

To drive a car safely does not require the driver to be a knowledgeable mechanic but it does require the driver to have real familiarity with the controls, operating conditions and fuel required for the journey.

Company directors need to be familiar with the financial controls, operating conditions and financial resources required to run the enterprise. The 2011 Centro ruling cautions directors, and especially chairmen, that they need to be more hands-on in a rather technical sense if they are to avoid penalties from the corporate regulators in the event of a collapse.

In conclusion: Finance goes to the heart of corporate survival, so does technology

The next ‘Centro’ case may well focus on a case where technology or cybersecurity is the cause of an organisation’s collapse (or broader damage to society).

Ultimately, the Centro case tells us that boards cannot simply delegate responsibility for issues that go to the survival of the company. Given that technology is of as much central importance to almost all companies as finance is, board members must read, understand and focus on it.

With that in mind, I’d argue that at a minimum all directors must be able to:

  • Read and understand all technology proposals put to the board.
  • Ask questions and obtain advice if there are doubts or concerns.
  • Question management assurances. Can they determine if management has presented the most important alternatives in how to achieve the best results? Do they have a real understanding of the various trade-offs identified between each of the most important alternative approaches?
  • Explain the relevant elements of management assurances around these technology alternatives to shareholders and appropriate external stakeholders.
  • Know if there are critical technology risks or assumptions that aren’t being discussed by management. They must have an independent understanding of the possible threats and opportunities.
