In brief: Key cyber risks faced by ASIC's 'regulated population', as well as the legal and compliance obligations to manage those risks, are highlighted in a new ASIC report. ASIC also identifies steps entities can take to address the risks. The report marks a growing focus on cyber security issues by ASIC, which is consistent with an increased focus on this area by regulators globally. Partner Michael Morris and Senior Associate Simun Soljo report.
- Increasing awareness
- 'Health check prompts'
- Cyber risks
- Data breaches
- Legal and compliance obligations
INCREASING AWARENESS
The Australian Securities and Investments Commission's (ASIC) report, Cyber resilience: Health check, aims to increase awareness of cyber risks and identify opportunities to improve cyber resilience.
ASIC defines cyber resilience as 'the ability to prepare for, respond to and recover from a cyber attack'. It is the 'intended outcome of cyber risk management and cybersecurity measures'. Cyber resilience is growing in importance as a regulatory issue. Cyber attacks are incidents involving the use of technology, networks or computer systems to 'commit or facilitate the commission of traditional crimes, such as fraud or forgery', or attacks on computers and computer systems by hackers or those intending to disrupt services provided through the systems.
The risk of cyber attacks causing major disruption to financial systems is growing, with constant technological development in financial markets and services, and the increasing integration of technology into every aspect of business. A recent survey cited by ASIC found a 48 per cent increase in the number of cybersecurity incidents from 2013 to 2014, and, according to another industry report, 71 per cent of incidents go undetected.
Cyber attacks can result in significant costs and 'erode investor and financial consumer trust and confidence in the financial system and wider economy'. ASIC notes that, due to 'business, technological and financial interconnectedness', a cyber attack on one organisation can affect other regulated entities and the financial system more broadly. Improving cyber resilience in individual firms can therefore improve the resilience of the financial system as a whole. ASIC believes that cyber resilience is therefore important 'to support investor and financial consumer trust and confidence and ensure that markets are fair, orderly and transparent'.
The report seeks to increase awareness of cyber security risks within the industries regulated by ASIC. It further seeks to 'encourage risk-based and proportionate cyber-resilience management practices'.
Tools are being developed to assist organisations to assess their own level of cyber resilience and to improve it. ASIC is considering developing a cyber risk self-assessment tool based on the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework). In ASIC's view, the 'NIST Cybersecurity Framework has particular relevance for our regulated population—specifically financial service providers that operate in a global environment, given the reach and dominance of US markets and the businesses operating within them'. Regulated entities may wish to use the framework to 'assess and mitigate their cyber risks or to stocktake their cyber risk management practices'.
The framework's 'core functions' involve identifying the most critical intellectual property and assets, developing and implementing procedures to protect them, putting in place technology, procedures and resources to detect a cybersecurity breach, and putting in place procedures to both respond to, and recover from, a breach, if and when one occurs. To the extent a cybersecurity breach involves personal information, the NIST Cybersecurity Framework dovetails with the Privacy Commissioner's requirement that organisations develop a data breach response plan as part of their compliance with Australian Privacy Principle 11. For more information about the first enforceable undertaking accepted under the new privacy laws, see our Focus: First enforceable undertaking under new privacy laws.
'HEALTH CHECK PROMPTS'
ASIC sets out in the report a number of 'health check prompts' that may assist regulated persons to review their cyber management practices. A number of these draw on the NIST Cybersecurity Framework. The issues that may be considered include the following:
- Governance issues, such as ensuring board and senior management awareness of cyber risks and that risk management frameworks are in place.
- Identifying essential information and business assets, the cyber risks the organisation is exposed to, the resilience of third-party providers, integration with risk management and procedures, and the level of awareness of the risks within the organisation.
- Reviewing and updating policies and procedures, testing systems, processes and procedures for resilience, and assessing whether the organisation has sufficient resources to comply with its obligations and deal with these risks appropriately.
- Ensuring there is adequate monitoring to detect a cyber attack, and considering whether to engage with other businesses and government in response to threats or attacks.
- Ensuring response planning is adequate, including plans for notifying law enforcement and other businesses of attacks, and for notifying customers and clients of breaches of personal information.
- Having in place suitable recovery plans and compliance plans.
- Disclosing cyber risks in prospectuses and product disclosure statements as appropriate.
- Considering how cyber risks affect the organisation's licensing and other legal obligations.
- If the entity provides essential services or is a major Australian business, considering establishing a partnership with Australia's national computer emergency response team, CERT Australia.
ASIC is seeking feedback on the suggested measures by the end of June 2015.
CYBER RISKS
Businesses face a range of cyber risks as they increasingly move online and become dependent on technology, and as consumers enthusiastically take up digital technology for a range of applications, including for banking and other financial services. The increased use and complexity of the technology may increase these risks.
DATA BREACHES
A key risk is breach of customer data held by regulated entities. ASIC points to recent well publicised incidents in which hackers obtained massive amounts of customer data held by major US companies. While increasing digitisation allows businesses to gather more and more data and to engage in 'big data' analytics, these incidents highlight the risks that come with that opportunity. The Australian Government has announced that it intends to introduce a mandatory data breach notification scheme to be effective by the end of 2015. The scheme will apply to all companies that are subject to the Privacy Act, including regulated financial institutions, and will represent a substantial new regulatory burden. For more information, see our Client Update: Data deal – mandatory data breach notification laws to be introduced as trade-off for controversial metadata retention regime.
Before such legislation is introduced, ASIC encourages businesses to let customers know about data breaches. If, how and when this should be done is an increasingly critical issue for regulated entities to consider.
The financial system is considered part of Australia's critical infrastructure, and cyber attacks 'are now considered a system risk for the financial system'. Providers of essential services, such as banks providing payments and access to funds, may have a special role in ensuring continuity of services. Financial market infrastructure is also considered essential, and cyber attacks on that infrastructure are a systemic risk. The increased use of online accounts and trading of financial products has increased the risk of those accounts being hacked, of unauthorised access to securities or financial products, and of market manipulation.
The report notes the dynamic nature of cyber risks. As technology continues to evolve, so will cyber risks. This requires active monitoring for new risks. It has also led to new forms of protection being offered to businesses, such as cyber insurance, which may fill a gap in existing forms of business continuity or professional indemnity cover, and form a broader part of a business's overall risk management approach. We expect the increased focus on cyber risks and the introduction of mandatory data breach reporting to result in a significant increase in demand for cyber risk insurance in Australia.
LEGAL AND COMPLIANCE OBLIGATIONS
Australian financial services licensees have specific obligations to have adequate resources, including technological resources, and to have adequate risk management systems. These obligations may require the licensee to identify and appropriately manage cyber risks, and the adequacy of technological resources would take into consideration 'IT system security, disaster recovery systems and business resumption capacity'. Other types of licensees have similar obligations. ASIC seems to imply that, at the most fundamental level, the directors of all companies owe duties to act with reasonable care and diligence, and, even in the absence of a specific duty to manage cyber risks, this may be sufficient to require most companies to take steps to address the risks in order to comply with those duties. The obligations that apply to various types of entities and licensees are summarised by ASIC in Appendix 2 of the report.
ASIC states that '[c]yber resilience is an area of ongoing focus for ASIC. It will be considered in our surveillance programs, where appropriate, across our regulated population in the future'.
ASIC expects regulated entities to take a proportionate approach to developing cyber resilience, taking into account the applicable legal and compliance requirements, the risks faced by the entity, and the nature, scale and complexity of its business.
All companies, but especially entities operating in regulated industries, should take steps to review their cyber security risks and improve their risk management and cyber resilience as necessary. They should develop appropriate governance frameworks, to ensure that risks are identified and managed.