The national corporate watchdog is setting its sights on board members and executives failing to appropriately safeguard against cyber threats.
Thomas Ricardo - Cyber Analyst Reporter
October 16, 2023

https://www.cybernewscentre.com/plus-content/content/asic-clare-oneil-unite-a-cybersecure-australia-by-2030


At A Glance

  • ASIC is intensifying its focus on entities neglecting cybersecurity, with Chairman Joe Longo emphasising the importance of cyber resilience for all boards.
  • ASIC's "cyber pulse survey" is a comprehensive initiative assessing Australia's cyber resilience, backed by the Department of Home Affairs' cybersecurity ambitions for 2030.
  • Recent cyber breaches at major firms like Optus and Medibank underscore the urgency; despite the challenges, companies are advised to emphasise resilience over impenetrability in cybersecurity measures.

Amplifying Cyber Defenses: From Executive Oversight to National Infrastructure

The national corporate watchdog is setting its sights on board members and executives failing to appropriately safeguard against cyber threats. The Australian Securities and Investments Commission (ASIC) intends to pursue legal actions against those entities that neglect their cybersecurity duties.

"For all boards, cyber resilience has got to be a top priority. If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses." - Joe Longo, Chairman of ASIC.

Previously, ASIC has prosecuted only one Australian firm over lackadaisical cybersecurity readiness. However, Chairman Longo indicates a more aggressive stance going forward, with his team actively identifying companies that may have taken shortcuts in their cybersecurity measures.

This past June, ASIC unveiled its revamped initiative via the "cyber pulse survey," touted to be one of the most comprehensive dives into Australia's cyber resilience. The survey aims to critically assess entities' present cybersecurity infrastructure, governance models, and readiness for potential incidents.

The Department of Home Affairs, a key player in the nation's drive towards becoming the world's cyber-fortress by 2030, expressed enthusiasm for the survey. 

"As the Department supporting the Minister for Cyber Security and the government’s mission, we're eager to see the outcomes of this extensive survey," they stated.

Greg Yanco - Source: Ausbiz

Echoing the urgency of the matter, ASIC's Executive Director of Markets, Greg Yanco, emphasised: 

"Recent high-profile cyber attacks underscore the imperative for all businesses, irrespective of size, to bolster their cyber defences. The increasing frequency and intricacy of these attacks warrant a robust cybersecurity posture for all entities."

For quite some time, ASIC has been deeply invested in the cyber robustness of Australia's financial services and markets. ASIC expects directors of public firms to maintain a risk management framework that thoroughly tackles cybersecurity threats. Furthermore, measures should be put in place to safeguard essential assets and bolster cyber resilience.

Clare O'Neil, Minister for Home Affairs of Australia

In the same vein, the Cyber Summit featured Home Affairs Minister Clare O’Neil laying out her vision to prevent companies from selling cyber-vulnerable products. This is part of a broader six-pillar strategy central to the government’s Cybersecurity initiative.

"These shields will help protect our businesses, our organisations and our citizens. It will mean that we have a cohesive, planned national response." - Clare O’Neil on the upcoming Cybersecurity Strategy.

Recounting the past, the Minister revisited the cyber breaches experienced by major firms Optus and Medibank, which are treated as stark reminders of the threats present. O’Neil had, at the time, criticised Optus for being careless, which is now the kind of behaviour ASIC aims to clamp down on.

Chairman Longo advocates that all boards keep a clear risk-management strategy in place.

Recent statistics from the Office of the Australian Information Commissioner reveal that there were 409 data breaches in the first half of the year alone, while the Australian Bureau of Statistics noted that approximately one-fifth of all businesses were hacked last year.

ASIC Chair Joseph Longo - Source: asic.gov.au

Contrary to seeking an impenetrable defence, Mr. Longo emphasises resilience in cyber preparedness:

“That’s not possible. Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cybersecurity incident.”

Although specific penalties were not outlined in the speech, ASIC's online platform suggests substantial consequences for those who fall short in cyber readiness.

Challenges remain in holding businesses accountable for cybersecurity lapses, especially with companies like Optus and Medibank choosing not to publicise their independent breach reviews. Meanwhile, the Australian Prudential Regulation Authority has made moves by penalising Medibank, instructing them to reserve $250 million for potential data breach-related issues.

Furthermore, despite Cybersecurity Minister O’Neil suggesting that tech companies might soon bear responsibility if their products are breached, Mr. Longo counters:

“So many businesses rely on third parties for software and critical services. This reliance means potential access to confidential data and other critical resources if those third parties are breached. This is a serious weakness.”

Highlighting the amplified focus on corporate cybersecurity, the appointment of Air Marshal Darren Goldie as the national cybersecurity coordinator is of note. Also, in February, companies crucial to Australia's national infrastructure were directed to amplify their cybersecurity investments, a move that's projected to cost businesses close to $10 billion in total.
