Directors on the hook for cyber security, ASIC warns
Repelling attacks is just the start – businesses must demonstrate an ability to respond or the board will be held accountable, the regulator says.
.
Directors are duty-bound to ensure their company has “adequate” cyber security and the ability to recover from an attack or they could face action by ASIC, the chair of the regulator says.
Joe Longo said cyber readiness meant more than trying to engineer a bulletproof system but extended to building an ability to respond.
“Cyber preparedness is not simply a question of having impregnable systems. That’s not possible,” he said. “Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.”
“This can only be built on thorough and comprehensive planning for significant cyber security incidents, and a clearly thought-out risk management strategy.”
Recovery plans on their own were also insufficient without regular testing and never-ending risk reassessment, including within supply chains.
Speaking at the Australian Financial Review Cyber Summit yesterday, Mr Longo said last year’s attacks against Optus and Medibank were a wake-up call but surveys showed most businesses lacked confidence in their organisation’s ability to remain resilient in a “worst-case” cyber event.
One important lesson was that relying on third-party providers always involved risk.
“None of us has control over the security of a third-party provider,” he said. “If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised.”
He said the Latitude Financial breach earlier this year originated from an outside provider and because Latitude was itself a service provider, millions more than its own customers were affected.
Initial findings from an ASIC survey still in progress revealed “that one of the weakest links in cyber preparedness is third-party suppliers, vendors, and managed service providers”.
Supply chain risks were a related issue, with almost one in two respondents saying they did not manage third-party or supply chain risk.
Mr Longo said ASIC had uncovered disconnects in the way various parts of a business handled the digital risks between:
- Boards’ oversight of cyber risk.
- Management reporting of cyber risk to boards.
- Management identification and remediation of cyber risk.
- Cyber risk assessments.
- How cyber risk controls are implemented.
“This disconnect must be addressed,” he said. “Cyber security and resilience are not merely technical matters on the fringes of directors’ duties. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience.”
“Failing to do so could mean failing to meet your regulatory obligations.”
“Measures taken should be proportionate to the nature, scale and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.”
“For all boards, cyber security and cyber resilience have got to be top priorities. “If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”
He said boards and directors also had to consider how they would communicate with customers, regulators, and the market when things went wrong.
“Do they have a clear and comprehensive response and recovery plan? Has it been tested?
“How will the company detect if the system has been broken, or exploited? History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility.”
He said two points needed to be emphasised: there was a need to act now, and third-party suppliers were a “clear vulnerability”.
“If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it.”
“Don’t put yourself in that position.”
Philip King
19 September 2023
accountantsdaily.com.au
Hot Issues
- 2024 Year End Tax Planning Guide (Part 1)
- Medicare levy surcharge OR basic health insurance ?
- ATO warns of ‘serious penalties’ for unlawful tax scheme promoters
- ACCC scam report
- Employees taking more sick days - and it's getting worse
- Foreign residents selling property in Australia
- How much does negative gearing really cost – an overview and an opinion?
- The Shortest-reigning Monarchs in History
- FBT Reminder – Odometer Reading
- ATO’s debts on hold campaign prompts new IGTO guidance
- A comprehensive collection of small business benchmarks
- The 2025 Financial Year tax & super changes you need to know!
- Underperforming employees: When can you terminate?
- A comprehensive list of guides to industry specific tax deductions.
- ‘Renewed concerns’ about economy sees consumer sentiment dip: Westpac
- Oldest Buildings in the World.
- Small businesses may ‘collapse under strain of payday super’, IPA warns
- ATO’s hands tied with scrapping on-hold debts, expert says
- What Drives Your Business Growth and Profits?
- Australian Taxation Office (ATO) shifting to firmer debt collection activity
- Why employee v contractor comes down to fine print
- Sharing economy reporting regime for platform operators
- Countries producing the most solar power by gigawatt hours
- Illegal access nets $637 million
- Accessing superannuation benefits.
- Does your business have a company Power of Attorney?
- Labor tweaks stage 3 tax cuts to make room for ‘middle Australia’
- GrantConnect
- 2 in 3 SMEs benefit from instant asset write-off, survey reveals
- Updated guidance on R&D claims
- Do you know how to recover debts?
- Vimeo test
Article archive
- January - March 2024
- October - December 2023
- July - September 2023
- April - June 2023
- January - March 2023
- October - December 2022
- July - September 2022
- April - June 2022
- January - March 2022
- October - December 2021
- July - September 2021
- April - June 2021
- January - March 2021
- October - December 2020
- July - September 2020
- April - June 2020
- January - March 2020
- October - December 2019
- July - September 2019
- April - June 2019
- January - March 2019
- October - December 2018
- July - September 2018
- April - June 2018
- January - March 2018
- October - December 2017
- July - September 2017
- April - June 2017
- January - March 2017
- October - December 2016
- July - September 2016
- April - June 2016
- January - March 2016
- October - December 2015
- July - September 2015
- April - June 2015
- January - March 2015
- October - December 2014
October - December 2023 archive
- Record low invoice values ‘reveal inflation sting’
- A 2023 Advent Calendar for our clients
- Average refund plummets by $580, total payout down $5.4bn
- FBT – Christmas Parties and Taxi Fare/Rideshare
- Annual wage growth surges to 14-year high of 4%
- Is My Organisation Exempt From the Spam Act?
- Employee Christmas Parties and Gifts – Any FBT?
- Most Expensive Wars In History
- Australian Taxation Office (ATO) motor vehicle data matching program extended
- Directors on the hook for cyber security, ASIC warns
- I am making a profit but where does all the cash go?
- Using the cents per kilometre method for claiming car expenses
- Scams by numbers - 2022–23 scam data is now available
- Completing the Sale of a Business
- Business owners are seeking exits without a plan, survey finds
- Most powerful countries throughout time.
- Super tax concession changes: consultation
- ATO interest charges soar to highest level since GFC
- TOP 5 CHALLENGES FOR FAMILY BUSINESSES
- ATO linking system takes giant stride into business
- Cyber threats facing small to medium-sized businesses (SMBs)
- Most powerful LEADERS of All Time
- How Do I Respond to an Allegation of Trade Mark Infringement?
- $20k instant asset write-off to get 1-year extension