Protecting Your Corporate Keys
In an era of online banks and ASIC Corporate Keys, the management of access to your company's digital platforms, which are often critical to your operations, is an essential element of good governance practices. When not managed appropriately, the consequences can be significant.
What's At Risk?
Australian courts have seen a series of recent cases where directors or others with access to ASIC Corporate Keys have 'gone rogue' and manipulated details of the company on the official register of the Australian Securities & Investments Commission.
An ASIC Corporate Key is a unique 8-digit number issued by ASIC and linked to a specific company. The ASIC Corporate Key acts like the PIN for a bank account and allows the holder to update the company's ASIC records.
The problem is that anyone with access to the ASIC Corporate Key is able to change company records online including details of the company's shareholders and directors. This can in turn enable a form of corporate identity theft as third parties are liable to rely on the incorrect information on the official register.
In one recent case [1], an accountant abused his access to the ASIC Corporate Key for the corporate trustee of a self-managed superannuation fund. The accountant changed ASIC's records to list another person as the sole director, secretary and shareholder of the company. That person then purported to execute documents on behalf of the company in favour of certain associates. Legal proceedings were necessary to reinstate the original director and shareholder's control of the company.
In another recent case [2], a man used the ASIC Corporate Key to lodge forms with ASIC removing his ex-wife as the sole director of a company that owned certain restaurants, appointing himself in her place and recording a transfer of a majority interest in the company from her name to his. The ex-wife was forced to resort to litigation to rectify the register and take back control.
While these recent cases have focussed on ASIC Corporate Keys, imagine what a disgruntled employee could do to your reputation with access to your social media accounts or website, or with the login details for your bank account.
What Should Companies Do To Manage The Risk?
Companies should have policies in place to govern access to key digital assets such as ASIC Corporate Keys and similar passwords.
Risk managers should assess the risks associated with different systems and consider each system's ability to disrupt the business, creating a hierarchy of access.
There are a number of factors that will determine the level of risk attached to these platforms.
In the example of the ASIC Corporate Key, there are three key risk elements to consider:
- Third parties rely on details of shareholders and officers recorded on the ASIC register when dealing with companies, and false information can allow imposters to claim ownership and control of the company.
- Litigation is likely to be the only remedy if unauthorised changes are made to the ASIC register.
- It can be difficult to attribute changes made using an ASIC Corporate Key to a specific individual as the changes are deemed to have been made by the company itself.
As such, we recommend tightly limiting access to ASIC Corporate Keys, particularly as most companies only need to update their information on the ASIC register infrequently, and any updates should generally only be made with the direct involvement of senior officers.
While access to some systems will need to be tightly controlled, there can also be risk if access is concentrated in a single person. We have recently advised on a situation involving a CEO who refused to hand over passwords to critical cloud computing systems when they were terminated. Similar issues could arise if a key person was incapacitated or died.
Companies should also maintain a digital asset register, with details of all employees, directors and external service providers who have access to critical business information such as:
- ASIC Corporate Keys
- Banking passwords and PINs
- Passwords to social media accounts
- Administrator access to cloud storage systems, accounting systems and domain names.
This register should be reviewed regularly to ensure management and the board are comfortable that the spread of business-critical information is appropriately controlled.
A register is particularly important where there are complex corporate structures and multiple ASIC Corporate Keys or other digital assets to manage.
Responding To Information Breaches or Risks
It is important to be proactive when employees, directors or service providers change, changing passwords and access where and when necessary.
If public information on your company is changed, you'll want to be immediately notified. Ensure you take advantage of ASIC's notification system and consider what other media scanning and alerts your business might want to put in place to recognise when your information has been tampered with.
If there are suspicions that an ASIC Corporate Key has been misused or abused, seeking advice is important to ensure the issue can be appropriately managed.