Company directors and boards have been put on notice by the Australian Securities and Investments Commission (ASIC) over concerns about cyber preparedness. Speaking at the Australian Financial Review Cyber Summit, ASIC chair Joe Longo warned that failure to adequately manage cyber security risk could put directors in breach of their duties.
Directors' responsibilities extend beyond ensuring their organisations have sufficient cyber security to ensuring they can recover from attacks. Longo explained that it is not enough to engineer a system that is hard to breach; it must also be built with the capacity to respond. He stressed resilience, meaning the ability to withstand a significant security incident and respond to it while it is under way.
Longo advised building a thorough, comprehensive plan for handling significant cyber attacks, backed by a well-thought-out risk management strategy. He also singled out company directors, reiterating that those who fail to act with reasonable care and diligence, and thereby create a foreseeable risk of harm to the business, could face enforcement action from ASIC.
ASIC research has found gaps between boards' oversight of cyber risk, management's reporting of that risk to the board, and the identification and assessment of the risk itself. Longo is advising companies to close these gaps to ensure they meet their legal obligations.
Cyber Security Minister Clare O'Neil also reinforced the government's commitment to combating the cyber threats faced by Australian companies. She said a strategy is being developed for a cohesive, planned national response that would shield organisations, businesses and citizens.
These pronouncements come a year after the widely reported cyber attacks on Optus and Medibank, in which the personal data of millions of Australians was compromised. Both companies now face class actions and regulatory investigations that will determine whether ASIC takes legal action.
Despite the legal and financial fallout, the attacks did push the government to improve the sharing of information about breaches between companies, and between companies and regulators. There have, however, been concerns about safe-harbour rules in some jurisdictions, which prevent disclosures made to regulators from being used in later prosecutions.
Longo also cautioned businesses to be thorough in evaluating third-party supplier cyber risk. He pointed to the breach of Latitude Financial through an outside provider, in which 14 million records, including 8 million driver's licence numbers, were stolen. While acknowledging that some businesses need to rely on third parties for software and critical data services, Longo warned that a compromised supplier can expose confidential personal and business data.