Cybersecurity has been a major focus for ASIC for some time, with the regulator’s attention on cyber risks continuing to intensify as cyber attacks become more frequent and sophisticated. ASIC has been saying for months that it will seek to make an example of company directors and senior executives who fail to adequately prepare for cyberattacks.
This was reiterated earlier this month, with ASIC’s Chairman stating that it “will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses”.
ASIC has previously issued specific guidance to companies on cyber security, stating that boards must have in place proactive measures to prevent, detect, manage and respond to malicious cyber activity. In light of the potential financial, legal and reputational risks to organisations from a cyber breach, the regulator’s view is that cyber resilience must be a key priority for all organisations, including oversight of cyber security risk throughout the organisation’s supply chain.
The release of ASIC’s “cyber pulse survey 2023” on 13 November 2023 makes for sobering reading in this context, with ASIC warning that businesses must close “alarming” gaps in their cybersecurity defences. ASIC’s survey coincided with the release on 14 November 2023 of the Australian Signals Directorate’s (ASD) Annual Cyber Threat Report which showed that cybercrime was up 23% in 2022-2023.
The results of ASIC’s survey need to be seen in the context of its methodology. The voluntary self-assessment survey achieved responses from 697 participants, of which 423 respondents were proprietary limited companies. There were only 83 participants from publicly listed companies, so the overall results do not necessarily convey the full picture about how big business in Australia is managing cyber risks.
Nevertheless, as ASIC concludes, the results of the survey expose deficiencies in cyber security risk management of critical cyber capabilities. ASIC noted that the weighted average participant cyber maturity score of 1.66 (on a scale of 0 to 4) supported its view that organisations are reactive rather than proactive in relation to managing their cyber security.
More specifically, ASIC reported the following key statistics from its survey:
- Third-party risk and supply chain management – 44% of respondents did not manage third-party or supply chain risk. ASIC noted in particular that, because most Australian companies outsource their IT systems to third-party providers, this is a common source of attack;
- Protecting confidential information – 58% of respondents had limited or no capability to protect confidential information adequately, including a lack of data encryption policies, data retention policies and information flow mapping capabilities;
- Cyber incident response plan – 33% of respondents did not have a cyber incident response plan, and many of those with incident response plans are not testing them;
- Cyber security standard – 20% of respondents had not yet adopted a cyber security standard.
ASIC’s survey shows a concerning lack of cyber resilience among Australian organisations, particularly if it is assumed that there was some level of sample bias amongst participants, with cyber-literate organisations more likely to participate than others. If that is the case, it would be reasonable to conclude that the actual level of cyber resilience among Australian organisations may be even lower than reported.
Cyber resilience is not only important to avoid regulatory action from ASIC and the OAIC, but it also reduces the risk of a successful cyber-attack and enhances an organisation’s recovery and business continuity prospects following an attack. It can also reduce the consequences which may flow from a cyber attack, including class actions and civil penalty proceedings.
Organisations should start by conducting internal data audits to identify confidential and business critical data, personal information and critical systems which need to be protected. The recent cyber-attack on DP World highlights the importance of protecting not only information but critical systems as well, as impacts on such systems can cause significant business interruptions and loss. Appropriate security controls should be applied to these assets. Ideally, these controls should be aligned with recognised cyber security standards such as ISO 27001 or the NIST Cyber Security Framework. To manage third-party risk, an organisation should conduct pre-contractual due diligence on the security posture of prospective suppliers and monitor compliance on an ongoing basis. Best practice would be to require suppliers to provide independent audit reports (such as SOC 2 reports) to demonstrate their ongoing compliance with contractual security obligations.
To mitigate the potential impact of a cyber-attack, organisations should have a cyber incident response plan which identifies key or potentially vulnerable systems and information assets, the procedures to be implemented in the event of a cyberattack and the roles and responsibilities of relevant stakeholders. A common failure of cyber incident response plans is that they only deal with the roles of IT and operational staff and don’t address the broader issues which arise during a cyber-attack, such as regulatory and legal obligations and external communications. These plans should be regularly tested via tabletop exercises and simulations involving key stakeholders to identify potential gaps or deficiencies that could inhibit the response to an actual incident.
Organisations that have previously completed audits, or that have outdated cyber incident response plans, should revise them regularly. Due to the ever-evolving threats, this is not a space where boards can set and forget. Similarly, a cyber insurance policy will not automatically cover all cyber risk and shouldn’t make companies feel more complacent about cyber attacks.
Senior executives and directors also need to understand the personal risks which may be associated with a cyber breach. In particular, ASIC regards the general counsel as a corporate ‘gatekeeper’, and may seek to hold them responsible, under “stepping stone” liability, for failing to ensure that corporate misconduct is prevented.
Following a number of incidents, companies have been approached by ASIC exploring whether a cyber incident was a breach of their director and officer duties, so it is only a matter of time before ASIC takes action against officers in relation to a cyber breach.