The Australian Securities and Investments Commission (ASIC) declared cyber security one of its top priorities in 2022, advising that it will be cracking down on companies, CEOs and Boards of Directors regarding cyber security compliance and preparedness.
In addition to brand and reputational damage, companies face potential fines and prosecution for non-compliance. The main legal avenue placing directors and officers at risk from cyber incidents is Section 180 of the Corporations Act 2001, which requires directors to exercise their powers and discharge their duties with the degree of care and diligence a reasonable person would exercise, which includes defending the business from key risks.
The seriousness of ASIC’s intentions was evident in the recent court ruling in the case of RI Advice, where ASIC commenced legal proceedings for cyber security non-compliance and won. The Federal Court of Australia found that RI Advice had breached its licensee obligations under the Corporations Act by failing to have adequate risk management systems to manage its cyber security risks, and ordered it to pay $750,000 towards ASIC’s legal costs (no separate fine was imposed), not to mention the damage the cyber incidents and the court case have done to its brand reputation and profits.
Organisations should heed the lessons from this case and ensure that they have robust systems and controls in place to manage cyber security risks. Only by doing so can they minimise the risk of breaching ASIC regulations, incurring significant fines and facing possible prosecution.
So, why is ASIC coming down so hard on Cyber Security?
Cyber resilience is an organisation’s capacity to prepare for, respond to and recover from cyber security events. Cyber resilience is vital to all organisations operating in the digital economy, especially for those within sectors like the financial services sector, where the trust between an organisation and its clients is essential to its future.
ASIC’s December 2021 cyber resilience report found that firms operating in Australia’s financial markets had fallen well short of their own 14.9% cyber resilience improvement target, achieving only a slight improvement of 1.4%. In addition, the Australian Cyber Security Centre (ACSC) reported that cybercrime reports across Australia had increased by 13% over the previous financial year (ACSC, 2021).
Successful cyber-attacks have an enormous negative impact on businesses, individuals and the economy. Many businesses have over-indexed on their IT security but have not adequately addressed the threats from the other two risk pillars – processes and people. Many Boards, CEOs and businesses still view cyber security as an IT or technology issue, not fully appreciating or understanding the broader risk landscape.
ASIC states that managing cyber security risk falls within the realm of general directors’ duties. Companies must be able to demonstrate that they have taken all reasonable steps to ensure that the people, processes and technologies they employ to protect the security of their information are fit for purpose.
The Australian Cyber Security Centre (ACSC) states, “It is critical that Australian organisations are alert to cyber threats and take steps to adopt an enhanced cyber security posture and increase monitoring for threats. These actions will help reduce the impacts to Australian organisations of cyber-attacks.”
What does this mean for CEOs and Board Directors?
The answer is straightforward: CEOs and Board Directors must prioritise cyber security at the highest level to ensure regulatory compliance and the fulfilment of their fiduciary responsibilities. To avoid claims and breaches of the Act, directors need to ensure their companies have implemented and tested appropriate controls, mechanisms and systems to prevent and respond to cyber incidents.
This means that CEOs and Board Directors need to be proactive in ensuring that their company has appropriate measures to protect it from cyber threats. This includes developing and implementing policies and procedures around data security, continually educating employees on best practices, and having an incident response plan in place in the event of a breach.
What steps can CEOs and Board Directors take to ensure they meet ASIC Cyber Security expectations?
There are a number of steps that Boards and Directors can take to ensure compliance with ASIC cyber security expectations and protect their organisations. Firstly, they should ensure that they have a clear understanding of the requirements. Secondly, they should put in place appropriate systems and controls to mitigate the risks associated with cyber security. Finally, they should regularly review their cyber security arrangements to ensure they are effective.
For some organisations, the cost of internally hiring experienced and certified cyber security specialists, and of obtaining the tools and training needed to review and comply with data protection laws, is prohibitive. Organisations that engage a dedicated external cyber security provider (as distinct from a general IT provider) can realise significant returns on that investment through the broader knowledge and experience such a team brings.
Whether tackled internally or externally, organisations can minimise the risks associated with cyber security and ensure regulatory compliance by working collaboratively towards enhancing the company’s cyber security maturity via a recognised cyber security framework.
Directors can no longer take their cyber security responsibilities lightly. Without appropriate cyber security controls and mechanisms firmly in place, a cyber incident is almost inevitable, resulting in long-term damage to the business (and its bottom line) and exposing directors personally to legal liability.
There is no silver bullet; however, with the right systems and controls in place, organisations can minimise the risks associated with cyber security. By treating cyber security as a whole-of-business risk rather than an IT or technology issue, businesses can go beyond mere regulatory compliance whilst protecting their brand, reputation and the trust of their customers.
Concerned you may be exposed? Let’s chat
As a dedicated Australian cyber security company, our customers tell us that they see Cyber Audit Team as a genuine partner and an extension of their internal team. We adopt a pragmatic approach, demystifying cyber security and clearly articulating governance, risk and compliance issues together with actionable solutions.
Contact us today and let’s identify together a way to support and complement your company’s cyber security maturity journey.