ASIC is the most recent regulator to voice concerns about corporate cyber security and protection of customer data and has confirmed it will investigate cyber incidents leading to a loss of customer data from a corporate governance perspective. That is, have directors and officers complied with their duties to the company?

In an address to the Australian Financial Review Cyber Summit this week, ASIC Chair, Joe Longo, emphasised the need for boards to prioritise cyber security and cyber resilience, and that ASIC is looking for an appropriate vehicle to prosecute individuals for failing to take appropriate steps to ensure companies have appropriate cyber arrangements in place.

ASIC’s prioritisation of cyber risk comes hot on the heels of APRA signalling last month its intention to strengthen supervision and step up its enforcement of operational and cyber risk management practices and preparedness by APRA-regulated banks, insurers and superannuation trustees (read our article APRA enforcement of operational resilience & cyber preparedness). 

In short, even leaving to one side the business and reputational issues associated with cyber incidents, which can be profound, the focus of regulators such as the Office of the Australian Information Commissioner, APRA and ASIC, as well as class action lawyers and funders, represents clear existential risk to most businesses and those running them. It is imperative for all businesses – particularly those holding potentially sensitive personal information – to ensure they have a clear handle on cyber risk.  

Evaluate your third-party risk for cyber preparedness

Cyber preparedness is not simply a question of having impregnable systems – that’s not possible.  Organisations must also have comprehensive plans in place to respond to and weather a significant cyber security incident. 

Joe Longo placed some particular emphasis on third-party suppliers as a potential vulnerability, with ASIC expecting that an organisation’s digital supply chain also be considered in its cyber risk management plan. 

As more and more businesses rely on third parties for software and critical data services, the risks of exposure are increasing. The initial findings of ASIC’s cyber pulse survey, which measured cyber resilience in Australia, show that one of the weakest links in cyber preparedness is third-party suppliers, vendors and managed service providers. 

This should guide companies on how to firm up their cyber security: look at who your third-party suppliers are and carefully evaluate your third-party supplier risk. 

Good cyber risk management must start at the top, with ASIC stating that it expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, that controls are implemented to protect key assets and enhance cyber resilience and that a failure to do so could have significant personal consequences. Boards who do not give cyber security and resilience sufficient priority could create a foreseeable risk of harm to the company and be a breach of their directors duties.

Ways to reduce third-party cyber risk

Cyber security should involve comprehensive risk assessment and planning, with the measures taken being proportionate to the nature, scale, and complexity of your organisation – and the importance and sensitivity of the key assets held. 

Joe Longo’s three suggestions for protecting your organisation against vulnerability are:

1. Never set and forget: Cyber risk should be assessed on an ongoing basis, with organisations taking an active approach to managing supply chain and vendor risk.
2. Plan for and test for attacks: Organisations should ensure they have a clear and comprehensive response and recovery plan, which includes how they communicate with their customers, regulators and the market when things go wrong.  Plans should also be tested regularly to ensure the response is quick and effective.  Any incident response should include third-party suppliers and vendors.
3. You can’t protect what you aren’t aware of: Critical information and business critical systems must be identified, to ensure they are protected.  This is even more essential if a third party is managing critical systems or holding important information. 

Australia's response to escalating cyber threats

With technology constantly changing, cyber security is becoming more and more important to ensure business continuity.  Regulators including ASIC and APRA (as mentioned in our previous article, 'APRA enforcement of operational resilience & cyber preparedness') are alive to the risks cyber-attacks pose to the Australian corporate and consumer landscape and are signalling to businesses that they’re ready to act. This is consistent with the intensifying government focus on cyber threats and incidents more broadly, including the development of the 2023-2030 Australian Cyber Security Strategy, the recent appointment of a National Cyber Coordinator and the establishment of law enforcement taskforces to combat rising cyber threats targeting Australian companies and consumers.