On 13 November 2023, ASIC released Report 776, ‘Spotlight on Cyber: Findings and insights from the Cyber Pulse Survey 2023’. The Report summarises trends and findings from the cyber pulse survey and identifies areas for improvement, highlighting practical examples of better practices for organisations to adopt.
The Report comes as the Commonwealth Government releases its national Cyber Security Strategy for 2023-2030 this week. Amongst other things, the Strategy outlines the Government’s plans to introduce a “playbook” for businesses affected by ransomware attacks, a reporting scheme for cyber attacks and opportunities for small and medium sized businesses to undertake cybersecurity “health checks”. The Strategy seeks to improve cyber security, manage cyber risks and better support citizens and Australian businesses to manage the cyber environment around them. The strategy also shifts cyber from a technical topic to whole-of-nation endeavour, focusing on providing better support to civilians and industry. So while the strategy will support businesses, they need to make their own individual contribution to cyber protection.
In providing guidelines for better cyber practices, the Report distinguishes between all organisations and smaller organisations. In this way, guidance is provided at a general level and at a scaled back level for organisations with fewer resources. The implications of this are that the guidelines for organisations with fewer resources will form a “baseline” standard for all other businesses. Businesses can expect ASIC will take the baseline standard into account when taking regulatory action in the future.
Examples of the ASIC recommendations include:
- conducting third party risk assessments and due diligence
- establishing clear contractual obligations with third parties
- proactively identifying critical business services and dependencies and mapping information flows
- establishing encryption practices for high-risk confidential information and enhancing email security.
Usefully, the Report also lists various practical examples of “red flags” for companies. This Report is not one for just a technology literate audience, but for an organisation’s entire leadership team to read and consider. The Report is only 31 pages and is worth reading by both senior leadership teams and boards. It sets out ASIC’s clear expectations around minimum standards and provides practical guidance as to how organisations can meet those standards. The examples in the Report could be used to undertake an overview of an organisation’s current cyber risk position.
This Report continues to build on ASIC’s regulatory expansion into cyber as a risk that companies need to proactively manage.
In 2020, ASIC initiated action against financial services licence holder, RI Advice, for failing to implement adequate cyber security protections. A Federal Court ruling in 2022 confirmed the company had breached its licence conditions by failing to meet its cyber security obligations. At that time, commentators predicted this was only the beginning of ASIC’s foray into cyber security regulation.
This Report throws down the gauntlet, making it very clear what ASIC’s minimum standards are. Organisations that fail to respond to known red flags and fail to take steps which ASIC recommends for large and small organisations can expect regulatory action in the event of a cyber security breach.
Potential customer claims
Importantly, this Report comes hot on the heels of the Optus outage on 8 November and the statement made by Optus to the Senate Estimates Committee in relation to the breach and potential compensation. That risk of customers seeking compensation where a sustained interruption to a service that is critical to them, is now fairly and squarely one that all organisations need to consider.