On Monday 18 September 2023, ASIC Chairman Joe Longo warned directors at a Cyber Security Summit that ensuring robust cyber security within their businesses is a director's responsibility, and one that has become more critical than ever. The Australian Securities and Investments Commission (ASIC) has emphasized the importance of this duty, warning that directors who neglect cyber security may face regulatory action.

As directors, what do we need to do to meet our cyber security obligations according to Mr Longo?

1. Understand Cyber Readiness

Cyber readiness goes beyond trying to build an impenetrable fortress. It means having the capability to respond effectively when a cyber threat materialises: not just preventing attacks, but being prepared to weather a significant cyber security incident. To achieve this, directors must plan comprehensively for potential cyber threats and develop a well-structured risk management strategy.

2. Testing and Continuous Risk Assessment

Having a recovery plan is essential, but it is not enough on its own. Regular testing of that plan and ongoing risk assessment, including evaluating supply chain vulnerabilities, are critical to maintaining cyber resilience. Recent high-profile attacks on companies such as Optus and Medibank have highlighted the importance of being prepared for worst-case scenarios.

3. Understand the Risk of Third-Party Providers

Relying on third-party providers introduces a layer of risk that directors must consider carefully. Unlike internal security measures, you have limited control over, and limited visibility into, the security practices of these providers. Over-reliance on their security measures can leave your organization exposed if their defences are compromised. A recent example is the Latitude Financial breach, which originated from an outside provider and affected millions of people beyond its own customer base.

4. Identify weak links in Cyber preparedness

Mr Longo stated that ASIC has identified gaps in how organizations handle digital risks, including in board oversight, management reporting, risk identification, and control implementation. Addressing these disconnects is essential to meeting your legal obligations and ensuring robust cyber security and resilience.


Understanding your regulatory cyber security obligations

Directors must prioritize cyber security and resilience in proportion to their organization's nature, scale, complexity, and the criticality of its key assets. Reassessing cyber risks regularly is vital.

Directors should also consider how they will communicate with stakeholders if a cyber incident occurs. A well-defined, thoroughly tested response and recovery plan is essential: even the most robust defences can be breached, so preparedness must be a top priority. Neglecting these areas not only puts the business at risk but also exposes directors to potential regulatory consequences. The government is focusing on compliance, and directors can be held accountable for negligence. Recent cases serve as cautionary tales, highlighting the importance of proactive cyber security measures.

By Paul Breedon, Partner at BYRONS.

