Company directors have been put on notice that they will come under scrutiny from the corporate regulator if their businesses are hacked by cyber criminals and they failed to prioritise cybersecurity.
Australian Securities and Investments Commission chairman Joe Longo said the major cyberattacks against Optus and Medibank Private last year were a “wake-up call” for company directors.
“Cyber should always have been a top risk facing corporate Australia, it’s just that recent events have reminded people why it should be considered a top risk,” he said in an interview with The Australian Financial Review.
“For all boards, I think cyber resilience has got to be a No. 1 risk facing everyone.
“From my perspective, I see it as the top of the house, the board of directors level, issue.”
Mr Longo said boards of directors generally understood cyber was a risk, but the challenge was determining what was an appropriate level of investment to minimise the risk of an intrusion.
“That will vary with the size of the business, the nature of the business, what advice they’re getting about the systems they should have in place,” he said.
Mr Longo said ASIC could not pre-emptively tell a company the investments they needed to make.
“If things go wrong, ASIC will be looking for whether they took reasonable steps and made reasonable investments proportionate to the risks that their business poses to defend themselves from this kind of attack,” he said.
Mr Longo signalled there was no imminent action planned against the directors of Optus and Medibank Private.
“I think at this stage the major priority has to be to encourage boards and to remind them of the obligations in this area,” he said.
The Federal Court last year ruled that RI Advice, a financial planning licensee formerly owned by ANZ and now part of Insignia Financial, breached the financial licence law by failing to protect against nine cyberattacks that put confidential client data at risk.
“It’s a condition of your licence to have systems and processes to deal with this risk,” Mr Longo said.
The court found RI Advice had a number of inadequate risk management practices across its network, including some of its authorised representatives failing to have up-to-date antivirus software, system backups, email filtering or quarantining, and poor password practices.
Inadequacies in its cybersecurity risk management led to a number of cyber incidents affecting clients in the six-year period to May 2020.
In her judgment, Justice Helen Rofe made it clear that cybersecurity should be front of mind for all AFS licensees.
She acknowledged that while ‘[i]t is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls…’
There has been a surge in the number of data breaches that have garnered public attention since last year. As well as Optus and Medibank, companies including Vinomofo, MyDeal, Australian Clinical Labs, and another local Singtel subsidiary, Dialog, have also revealed they have suffered breaches of varying levels of complexity.
ASIC is not the primary cyber regulator.
The federal government’s Australian Cyber Security Centre, based within the Australian Signals Directorate, provides advice and information about how to protect businesses online and provides advice to individuals, businesses and critical infrastructure operators when there is a cyber incident.
The Australian Cyber Security Centre received more than 76,000 cybercrime reports in 2020-21.
The centre reported a rise in the average cost per cybercrime report to more than $39,000 for small businesses and $88,000 for medium-sized businesses.