The Australian Securities and Investments Commission (ASIC) has warned that it is prepared to take action against boards and directors who are not sufficiently prepared for cyber attacks.
In an address to the Australian Financial Review Cyber Summit on Monday, ASIC chair Joe Longo said that organisations must take an “active approach” to evaluating and managing cyber risk, particularly in relation to their reliance on third parties.
“For all boards, cyber security and cyber resilience have got to be top priorities,” he said.
“If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”
Citing research by Cybersecurity Ventures, Mr Longo noted that cyber crime damage costs are set to rise by 15 per cent each year in the next three years, hitting US$10.5 trillion by 2025.
Additionally, the ASIC chair highlighted a report by Cisco which found that 62 per cent of businesses had suffered some kind of incident that affected their security resilience.
“Major cyber attacks against Optus and Medibank last year were also a ‘wake-up call’ for many Australian companies. The financial, legal, and reputational consequences of such attacks can be devastating for an organisation,” said Mr Longo.
“It’s unsurprising then, but nonetheless unsettling, that the same report found that 63 per cent of respondents lacked confidence in their organisation’s ability to remain resilient in the instance of a ‘worst-case’ cyber event.”
To address their cyber preparedness, ASIC has called on Australian organisations to evaluate their third-party supplier cyber risk.
“None of us has control over the security of a third-party provider. If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised,” Mr Longo continued.
As an example, Mr Longo pointed to the breach suffered by Latitude Financial earlier this year which originated from an outside provider. Almost 8 million drivers’ licence numbers and 14 million records were stolen in the attack.
Perpetual also experienced an IT security incident in its third-party managed unit registry system in June this year which affected approximately 45,000 of its clients.
Adding to these recent local events is the MOVEit attack, which started in June and exploits a vulnerability in the widely used MOVEit file transfer software. Approximately 600 small and large organisations have been caught up in the attack globally.
“All three examples are clear cases of the growing software supply chain security risks that companies face,” Mr Longo stated.
“Understandably, an increasing number of businesses rely on third parties for software and critical data services. If those third parties are compromised, the confidentiality of personal and business data is put at risk. This is a serious weakness.”
Previewing the results of ASIC’s cyber pulse survey, which aimed to measure cyber resilience in Australia’s corporate and financial markets, Mr Longo reported that 44 per cent of respondents did not manage third-party or supply chain risk.
Furthermore, more than half of respondents indicated that they had little to no capability to protect confidential information adequately. According to the ASIC chair, these finds should be a cause for concern for Australian organisations.
“As I observed earlier this year at the AICD Australian Governance Summit, uplifting cyber resilience requires close collaboration between industry, government, and regulators to protect consumers and financial services infrastructure,” he said.
“Good cyber risk management must start at the top. It’s only by starting there, with good governance and a comprehensive risk assessment, that we can successfully set the right tone.”
APRA has also sought to strengthen the management of operational risk across Australia’s super trustees, banks, and insurers through the introduction of a new prudential standard.
