From the Archives: Cyber Risk Management Expectations: ASIC

Friday 30 September 2022

Directors will be held accountable for cyber risk management.   

This week Australian Securities and Investments Commission (ASIC) Commissioner Danielle Press wrote in an article published on the regulator’s website and The Company Director, “ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations.”

Press listed the regulatory expectations for directors:

  • Consider their risk management framework and risk appetite to ensure it adequately deals with cybersecurity risk
  • Enquire about incident response and business continuity plans to determine the organisation’s preparedness to respond to cybersecurity incidents
  • Ensure access to appropriate resources to effectively manage cybersecurity risk, whether it be in-house or through commercial arrangements.

This comes just a year after the close of the consultation process by Treasury for the Financial Accountability Regime (FAR), which will have an impact not only on directors.

Cyber Risk and Licensing Breach

In her article Press refers to the judgement in ASIC vs RI Advice, which found for the first time that a financial entity had breached its licensing obligations by not having adequate processes to mitigate cyber risk.

At the time of the judgement, Deputy Chair Sarah Court said, “These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”

ASIC chair Joe Longo said in a speech earlier this year on the result of ASIC vs RI Advice, “This decision makes clear that licensees must ensure they have adequate technological systems, policies, and procedures in place to protect sensitive client information from cyber attacks.”

Cyber Threat Landscape

The Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report: 1 July 2020 - 30 June 2021 listed six key cyber security threats for the previous financial year:

  • Exploitation of the pandemic environment
  • Disruption of essential services and critical infrastructure
  • Ransomware
  • Rapid exploitation of security vulnerabilities
  • Supply chains
  • Business email compromise

During the 2020-2021 period, 67,500 cybercrimes were reported, a 13 percent increase from the previous financial year. This adds up to $33 billion in self-reported losses.

The report highlighted fraud and scams as the most highly reported cybercrimes, with 23 percent of all cybercrimes being fraud.

The ASIC chair said earlier this year, “ASIC does not seek to prescribe technical standards or to provide expert guidance on cyber security. But where we consider that a firm has not met its cyber risk management obligations, we will consider enforcement action to drive changes in behaviour.”