In his address to the AFR Cyber Summit, ASIC Chair Joe Longo urged boards to prioritise addressing cyber weaknesses, including third party vulnerabilities, flagging that failure to give cyber security and cyber resilience sufficient priority 'creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence'.
- ASIC has urged organisations to focus their efforts not only on the security of their systems/processes, but on planning their response to a cyber incident.
- Over-reliance on the security measures third party providers have in place is an area of particular concern and an issue ASIC urges organisations to prioritise addressing. ASIC Chair Joe Longo identified three key ways organisations can reduce their third party risk (summarised in the article below).
- ASIC considers that ensuring 'good cyber risk management' is in place forms part of directors' duty to act with care and diligence. Mr Longo cautioned that boards that fail to prioritise cyber are exposing themselves to the (potential) risk of enforcement action by ASIC.
The focus of Australian Securities and Investments Commission (ASIC) Chair Joe Longo's 18 September 2023 address to the AFR Cyber Summit was the importance of cyber-preparedness and ASIC's expectations in this context.
Our key takeaways are below.
'Every system is vulnerable, and we must plan for that'
In light of the accelerating risk and the potentially serious consequences of a cyber incident, Mr Longo underlined ASIC's expectation that businesses focus not only on designing systems to be as secure as possible – noting that no system can ever be assumed to be completely secure – but also on planning their response to a breach. Mr Longo said:
'Today, too, however much we may marvel at technological developments, the reality is that the building blocks of that technology are not exclusive. The challenge is to anticipate risks. Systems should be designed with a "threat thinking" approach, in a way that considers how they might be broken or exploited… The lesson is simple: cyber preparedness is not simply a question of having impregnable systems. That’s not possible. Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident… This can only be built on thorough and comprehensive planning for significant cyber security incidents, and a clearly thought-out risk management strategy'.
'Reliance on third party providers is always a risk'
Further to this, Mr Longo identified the level of reliance placed on the security measures third party providers have in place as an area of particular vulnerability/concern for the regulator – and an issue that ASIC would like to see organisations prioritise.
This is based on the initial findings of ASIC's yet-to-be-released Cyber Pulse Survey (a voluntary self-assessment exercise designed to measure the cyber resilience of regulated entities). The survey identified that:
- 44% of respondents reported that they did not manage third party or supply chain risk
- over 50% reported they had limited or no capability to protect confidential information adequately ('whether that information is held within the organisation or by third-party suppliers').
Mr Longo commented:
'If we rely solely on the security measures those providers [ie third party providers] have in place, we leave a wide opening for a data breach if those measures are compromised…This should be a cause for concern for any organisation. In the face of what may be a vast array of considerations about how to shore up an organisation against cyber-attack, these numbers provide a clear path for where to begin. Look to your third-party suppliers, vendors, and managed service providers, and evaluate your third-party supplier cyber risk'.
A board responsibility
Mr Longo emphasised the key role ASIC considers boards have to play in this context, underlining that ASIC considers ensuring 'good cyber risk management' is in place forms part of directors' duty to act with care and diligence.
Mr Longo said:
'Good cyber risk management must start at the top. It’s only by starting there, with good governance and a comprehensive risk assessment, that we can successfully set the right tone… Cyber security and resilience are not merely technical matters on the fringes of directors’ duties. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could mean failing to meet your regulatory obligations'.
Mr Longo also cautioned that boards that fail to prioritise cyber are exposing themselves to the (potential) risk of enforcement action by ASIC:
'For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence'.
Broad improvement areas
Mr Longo identified a number of areas where ASIC considers improvement is needed, observing that:
'In ASIC’s work in this space, we’ve found there’s often a disconnect between several important elements, including:
- Boards’ oversight of cyber risk,
- Management reporting of cyber risk to boards,
- Management identification and remediation of cyber risk,
- Cyber risk assessments, and
- How cyber risk controls are implemented'.
Mr Longo also underlined the need for continuing engagement by boards on the issue, and the need for board oversight to extend across the organisation's digital supply chain.
'Measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification. ASIC also expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain'.
Three ways to reduce third-party risk
Mr Longo identified the following as three key ways organisations can reduce their third party risk.
- 'Never set and forget': Mr Longo emphasised ASIC's expectation that there is continuing focus and engagement on the issue, observing that:
'It’s not enough to sign a contract with a third-party supplier – you need to take an active approach to managing supply chain and vendor risk. Setting it and forgetting it, does not, cannot, and will not work.'
- 'Plan for and test for attacks': Building on this, Mr Longo said that it is not sufficient to have an incident response and recovery plan in place. Mr Longo said that ASIC expects: a) that the plan 'must include third party suppliers and vendors' and b) that the plan is 'tested regularly'.
- 'You can’t protect what you aren’t aware of': Finally, noting that a number of respondents to the Cyber Pulse survey reported that they don't identify critical information and business critical systems, Mr Longo urged organisations to make sure they do so, noting that if 'information isn’t identified before an attack, it can’t be protected'.
Businesses should act now
Mr Longo concluded by urging organisations (and boards) to act with urgency – especially on addressing third party vulnerabilities. Mr Longo said:
'I will finish by reiterating two points: first, all the evidence points to third-party suppliers as a clear vulnerability in many organisations’ cyber preparedness; second, you can only protect yourself from that vulnerability if you act now…If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it. Don’t put yourself in that position'.