Australian Securities & Investments Commission (ASIC) executive director for markets Greg Yanco has urged listed entities to boost cyber-resilience measures.
Pointing to a report the agency published late last year, Yanco said local firms had only improved their cyber resilience by 1.4% — more than 13 percentage points short of the target for that period.
“As we approach the end of the 2021/22 financial year, and against the backdrop of a heightened cyber threat environment, companies should review their cyber resilience settings and take appropriate actions,” Yanco said in an article he wrote for Listed@ASX.
Although the commission did not plan to prescribe technical standards or to provide expert guidance on cyber security, Yanco said ASIC would take action against firms to enforce cyber risk management obligations. Federal reforms that came into effect in 2019 mean that non-compliance with certain AFS licensing obligations, including obligations relating to how cyber risks are addressed, may give rise to a civil penalty.
In May the Federal Court supported ASIC’s action against representatives of RI Advice Group following several cyber incidents between June 2014 and May 2020. In one of the incidents, an intruder gained access to an employee’s file server and the intrusion went undetected for four months. The court found this single breach potentially compromised confidential and sensitive personal information of several thousand clients and others.
In her judgment imposing a $750,000 fine against the company, Justice Mary Rofe said that while it was not possible for a company to reduce cybersecurity risk to zero, adequate cybersecurity documentation and controls could materially reduce that risk.
“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” Justice Rofe said.
Yanco explained that cyber resilience involves both risk mitigation and reporting processes. He advised companies to look beyond how to prevent or respond to an attack and also to consider their ability to adapt and recover following a breach.
He also recommended that senior managers and boards ensure they understand the company’s overall cybersecurity risk exposure, as well as its regulatory obligations to report breaches to ASIC, the ACSC or the Office of the Australian Information Commissioner. Disclosure requirements to the market may also be relevant, he added.
“We encourage regulated entities to reassess their cyber risks and ensure their detection, mitigation and response measures adequately address their risk appetite,” Yanco said.
“They should also assess their preparedness to respond to cyber security incidents, and to review incident response and business continuity plans.”
The Auditing and Assurance Standards Board (AUASB) has also published guidelines for company auditors about cybersecurity risks to consider in a financial report audit.