Directors on the hook for cyber security, ASIC warns

Repelling attacks is just the start – businesses must demonstrate an ability to respond or the board will be held accountable, the regulator says.

Directors are duty-bound to ensure their company has “adequate” cyber security and the ability to recover from an attack or they could face action by ASIC, the chair of the regulator says.

Joe Longo said cyber readiness meant more than trying to engineer a bulletproof system but extended to building an ability to respond.

“Cyber preparedness is not simply a question of having impregnable systems. That’s not possible,” he said. “Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.”

“This can only be built on thorough and comprehensive planning for significant cyber security incidents, and a clearly thought-out risk management strategy.”

Recovery plans on their own were also insufficient without regular testing and never-ending risk reassessment, including within supply chains.

Speaking at the Australian Financial Review Cyber Summit yesterday, Mr Longo said last year’s attacks against Optus and Medibank were a wake-up call but surveys showed most businesses lacked confidence in their organisation’s ability to remain resilient in a “worst-case” cyber event.

One important lesson was that relying on third-party providers always involved risk.

“None of us has control over the security of a third-party provider,” he said. “If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised.”

He said the Latitude Financial breach earlier this year originated from an outside provider and because Latitude was itself a service provider, millions more than its own customers were affected.

Initial findings from an ASIC survey still in progress revealed “that one of the weakest links in cyber preparedness is third-party suppliers, vendors, and managed service providers”.

Supply chain risks were a related issue, with almost one in two respondents saying they did not manage third-party or supply chain risk.

Mr Longo said ASIC had uncovered disconnects in the way various parts of a business handled the digital risks between:

  • Boards’ oversight of cyber risk.
  • Management reporting of cyber risk to boards.
  • Management identification and remediation of cyber risk.
  • Cyber risk assessments.
  • How cyber risk controls are implemented.

“This disconnect must be addressed,” he said. “Cyber security and resilience are not merely technical matters on the fringes of directors’ duties. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience.”

“Failing to do so could mean failing to meet your regulatory obligations.”

“Measures taken should be proportionate to the nature, scale and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.”

“For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”

He said boards and directors also had to consider how they would communicate with customers, regulators, and the market when things went wrong.

“Do they have a clear and comprehensive response and recovery plan? Has it been tested?

“How will the company detect if the system has been broken, or exploited? History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility.”

He said two points needed to be emphasised: there was a need to act now, and third-party suppliers were a “clear vulnerability”.

“If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it.”

“Don’t put yourself in that position.”

Philip King
19 September 2023
accountantsdaily.com.au