A recent federal court decision is a timely reminder for company directors about cybersecurity risk oversight and disclosure obligations, writes ASIC Commissioner Danielle Press.
So you have a risk management framework – but does it adequately address cybersecurity risk?
In an Australian first, an Australian financial services (AFS) licensee has been found to have breached its licence obligations after failing to adequately manage its cybersecurity risks and ensure the financial services covered by its licence were provided fairly and efficiently.
Cyber risk has been described in World Economic Forum publications as “the most immediate and financially material sustainability risk that organisations face today”. The decision in ASIC v RI Advice Group Pty Ltd serves as a timely reminder for company directors about cybersecurity risk oversight and disclosure obligations.
ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cybersecurity risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could put you in breach of your regulatory obligations.
Measures taken should be proportionate to the nature, scale and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cybersecurity risks on an ongoing basis, based on threat intelligence and vulnerability identification. ASIC also expects this to include oversight of cybersecurity risk throughout your organisation’s digital supply chain.
In her judgment in ASIC v RI Advice Group, Justice Helen Rofe acknowledged that while “it is not possible to reduce cybersecurity risk to zero… it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls”.
We expect directors to educate and equip themselves to drive their organisation’s cyber resilience culture. ASIC encourages directors to:
But it doesn’t end there.
Company directors may be required to disclose cybersecurity risks and cyber incidents in a number of circumstances. For example:
Your organisation may also be subject to enhanced cyber and other security obligations under other legislation, such as the Security of Critical Infrastructure Act 2018 or the Privacy Act 1988, which includes a mandatory reporting regime. You should also consider whether your organisation is dual-regulated. If so, you will have to comply with the disclosure standards of other regulators, such as the Australian Prudential Regulation Authority (APRA).
Company directors should be aware that failing to adequately address cybersecurity risk, or to comply with relevant disclosure and reporting requirements, may be a breach of their directors’ duties.
More information on cyber resilience good practices and key questions for boards of directors.
This article was first published in AICD’s Company Director magazine in July 2022.