Directors on the hook for cyber security, ASIC warns

Repelling attacks is just the start – businesses must demonstrate an ability to respond or the board will be held accountable, the regulator says.

Directors are duty-bound to ensure their company has “adequate” cyber security and the ability to recover from an attack or they could face action by ASIC, the chair of the regulator says.

Joe Longo said cyber readiness meant more than trying to engineer a bulletproof system but extended to building an ability to respond.

“Cyber preparedness is not simply a question of having impregnable systems. That’s not possible,” he said. “Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.”

“This can only be built on thorough and comprehensive planning for significant cyber security incidents, and a clearly thought-out risk management strategy.”

Recovery plans on their own were also insufficient without regular testing and never-ending risk reassessment, including within supply chains.

Speaking at the Australian Financial Review Cyber Summit yesterday, Mr Longo said last year’s attacks against Optus and Medibank were a wake-up call but surveys showed most businesses lacked confidence in their organisation’s ability to remain resilient in a “worst-case” cyber event.

One important lesson was that relying on third-party providers always involved risk.

“None of us has control over the security of a third-party provider,” he said. “If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised.”

He said the Latitude Financial breach earlier this year originated from an outside provider and because Latitude was itself a service provider, millions more than its own customers were affected.

Initial findings from an ASIC survey still in progress revealed “that one of the weakest links in cyber preparedness is third-party suppliers, vendors, and managed service providers”.

Supply chain risks were a related issue, with almost one in two respondents saying they did not manage third-party or supply chain risk.

Mr Longo said ASIC had uncovered disconnects between the ways different parts of a business handled digital risk, specifically between:

  • Boards’ oversight of cyber risk.
  • Management reporting of cyber risk to boards.
  • Management identification and remediation of cyber risk.
  • Cyber risk assessments.
  • How cyber risk controls are implemented.

“This disconnect must be addressed,” he said. “Cyber security and resilience are not merely technical matters on the fringes of directors’ duties. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience.”

“Failing to do so could mean failing to meet your regulatory obligations.”

“Measures taken should be proportionate to the nature, scale and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.”

“For all boards, cyber security and cyber resilience have got to be top priorities.

“If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”

He said boards and directors also had to consider how they would communicate with customers, regulators, and the market when things went wrong.

“Do they have a clear and comprehensive response and recovery plan? Has it been tested?

“How will the company detect if the system has been broken, or exploited? History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility.”

He said two points needed to be emphasised: there was a need to act now, and third-party suppliers were a “clear vulnerability”.

“If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it.”

“Don’t put yourself in that position.”

Philip King
19 September 2023
accountantsdaily.com.au

Disclaimer

The contents hereinafter presented and made accessible on this website are exclusively provided by Advanced Partners, representing general informational materials. The purpose of these materials is solely to serve as guidance and in no case should they be interpreted as counsel or advice on any specific matter.

In using the information provided, you are encouraged to assess its relevance to your individual goals, financial circumstances, and needs. In the event of detailed descriptions of any products being available on this website, you are advised to procure the Product Disclosure Statement (PDS) corresponding to said products, and to deliberate on its contents prior to any decision-making.

Advanced Partners extends no assurances or warranties pertaining to uninterrupted, delay-free, error-free, or omission-free operation of the Site, nor its immunity from viruses. Thus, the information is furnished “as is”, bereft of warranties of any kind, express or implied, inclusive of those concerning accuracy, promptness, and completeness.

Advanced Partners and its respective affiliates (be they direct or indirect) renounce all guarantees, obligations, and warranties, be they express or implied, and shall not bear liability for any loss or damage whatsoever (including those resulting from human or computer errors, whether negligent or otherwise, or incidental or consequential losses or damages) that arise from or are connected with any utilization of or reliance on the information or advice on this site. The user must undertake sole responsibility related to the use of the material on this site, regardless of the purpose or the outcomes of such usage. The information available on this website should not be considered a replacement for professional tax advice or consultation.

Our liability is limited by a scheme approved under Professional Standards Legislation.
