Key Points:
The ASIC report suggests that licensees regulated by ASIC should be conducting a "health check" of their cyber resilience.

The Australian Securities and Investments Commission (ASIC) has released a report titled "Cyber Resilience: Health Check".

The report recommends that regulated entities review and update cyber-risk management practices. To assist in this process, ASIC suggests a health check on "cyber resilience" which ASIC defines as the ability to prepare for, respond to and recover from a cyber attack.

"Effective cyber resilience requires initiative and a commitment of resources to assess and develop appropriate strategies, including planning responses to a cyber attack. You should seize the opportunity to assess your threats and vulnerabilities now, and understand where and how your most valuable information is held. Through that assessment, you can prioritise resources to mitigate the risk of being affected disproportionately by a cyber attack." [emphasis added]

What is the report's purpose?

The purpose of the report is to:

  • increase awareness of cyber risks;
  • encourage collaboration between industry and government; and
  • identify how cyber risks should be addressed as part of current legal and compliance obligations that are relevant to ASIC's jurisdiction.

The "health check prompts" are provided to help entities regulated by ASIC consider their cyber resilience. This is particularly significant for Australian financial services licensees. However, ASIC goes on to address the importance of cyber resilience for corporations and listed entities generally. It is clear that the regulator recognises that cyber risk issues extend to a broad range of organisations and industries. The report contains guidance for small-to-medium sized businesses, all the way through to major financial institutions and major infrastructure providers

What are some key regulatory and compliance matters in the report?

There are a number of key regulatory and compliance matters raised by the report. These include:

  • confirmation by ASIC that cyber risk is a key issue for AFS licensees who are expected to have in place adequate risk management systems and resources;
  • ASIC's expectations that cyber risks may need to be disclosed in a PDS and that a cyber attack may trigger Corporations Act breach reporting requirements;
  • the highlighting of corporate disclosure requirements for corporations and listed entities, including the possibility that a cyber attack may need to be disclosed as market sensitive information;
  • the expectation that directors may need to take cyber risks into account when discharging their duties to consider risk management issues and that the board should be actively engaged in managing cyber risks;
  • an explanation of the relevance of cyber risks to Australian credit licensees, Australian market licensees, clearing and settlement facility licensees, Australian derivative trade repository licensees, market participants and the responsible entities of a managed investment schemes.

What other regulatory issues should be considered?

Following a recommendation by the Parliamentary Joint Committee on Intelligence and Security's Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Australian Government has agreed to introduce a mandatory data breach notification scheme to be effective by the end of 2015. This expected regulatory reform to the privacy legislation has potentially significant implications for entities which suffer data breaches.

If the Privacy Act is amended to require mandatory notification of serious data breaches to the Office of the Australian Information Commissioner (OAIC) and affected customers, we expect that significant data breaches arising from cyber attacks could engage regulatory attention from both the OAIC and ASIC. There will be reputation and cost implications for organisations dealing with major data breach issues.

What should organisations be doing to manage cyber risk?

The ASIC report suggests that licensees regulated by ASIC should be conducting a "health check" of their cyber resilience. It emphasises the need to comply with privacy legislation, highlighting the OAIC's "Guide to Information security: ‘Reasonable steps’ to protect personal information and Data breach notification guide: A guide to handling personal information security breaches". ASIC also encourages businesses to take a number of specific actions regarding cyber risks, including:

  1. to identify and monitor cyber risks
  2. to actively monitor trends in cyber risks and adapt to new cyber risks as they arise
  3. to let their customers and clients know if their personal data has been compromised
  4. to take responsibility for improving their cyber resilience
  5. to consider using the NIST Cybersecurity Framework [1] to the help the business develop cyber resilience in a proportional way, particularly where their exposure to a cyber attack may have a significant impact on financial consumers, investors or market integrity
  6. to report cybercrime and cybersecurity incidents to relevant government agencies
  7. to consider using a CREST Australia [2] approved member organisation to help test existing IT systems, processes and procedures to ensure that they respond well to cyber risks
  8. if it is regulated by ASIC, to mitigate cyber risks by, at a minimum, implementing the ASD's[3] four highest-ranked mitigation strategies
  9. if it is regulated by ASIC (and, particularly, if a licensee), to address cyber risks as part of their legal and compliance obligations – including risk management and disclosure requirements
  10. if it is an AFS licensee, to review the adequacy of their risk management systems and resources to address cyber risks.

Finally, ASIC notes that considering cyber insurance may be an appropriate business decision based on a company's risk profile. We have written about the importance of considering the management of cyber risk through the use of insurance in "The new frontier: Cyber risk management and insurance".

ASIC's report concludes that cyber resilience is a high risk area and will be considered in ASIC's surveillance programs across its regulated population. The issue of cyber risk is now firmly on the regulatory radar and should be front of mind for companies and their directors in almost all sectors of the economy, but most notably those regulated by ASIC's licensing regimes.