Cyber News Centre
Mark De Boer
March 1, 2023

https://www.cybernewscentre.com/plus-content/content/regulators-call-for-directors-to-meet-disclosure-rules-when-cyber-incidents-occur


It’s hard to believe that there have only been 36 cybersecurity attacks reported against ASX-listed companies in the last decade, although it's suspected that many breaches go unreported. 

What is harder to believe is that, of these 36 attacks, only 11 were properly reported to the regulators before the media announced the breach. For the other 25, share market investors heard of the breach over their morning coffee and not directly from the company in which they had invested. These 25 companies were likely in breach – and not just cyber breach.

Research by Professor Alex Fino has shown that, in the wake of a successful cyber attack, a company’s market value drops by 5 per cent – working out to be an average loss of half a billion dollars. This would appear to be a material, and therefore disclosable, event to the market. 

In the past, failure to report a cyber breach prior to telling the media might have been treated as more of an ‘oops’ moment, and a slap on the wrist from the regulators. Not anymore. 

The Federal Court has handed down the largest ever penalty against a company for breaching continuous disclosure laws, ordering GetSwift Limited (former ASX:GSW) (GetSwift) (in liquidation) to pay a penalty of $15 million.

The Court described GetSwift as a company that “became a market darling because it adopted an unlawful public-relations-driven approach to corporate disclosure instigated and driven by those wielding power within the company.”

The Federal Court doubled the fines recommended by ASIC, signalling the seriousness of the repeated failures to disclose. While the GetSwift case involved 22 failures to disclose, ASIC has made it clear that, with the increasing frequency and severity of cyberattacks, cyber will be an increasing area of focus. Disclosure is not its only point of focus either, in the wake of ASIC v RI Advice Group Pty Ltd [2002] FCA 496.

The recent announcements by the Labor government foreshadow the proposed changes in government, earmarked in the Australian Cyber Security Strategy 2023-2030 discussion paper published on 27 February 2023. In this document, the Home Affairs and Cyber Security Minister emphasised the need to increase Australia's number one position in cybersecurity. The discussion paper foreshadows the need for increased responsibility of company directors to provide early disclosure of cyber incidents.

The Albanese government has acknowledged that Australia has fallen behind other nations, and has announced a state of readiness by government and the private sector to handle mass-scale cyberattacks. The Medibank and Optus cyber incidents have forced the government to address corporate and directors’ responsibilities.

Experts within the private sector and in government foresee a review of the current legislation and the implementation of the new Cyber Security Act, drawing together cyber-specific obligations and standards across industry and government. They also raise the question of whether further developments to the SOCI Act are justified.

The head of Zirilio Security Operating Centre (ZSOC), Tim Dole, said, “It’s easy to understand in the chaotic hours following the discovery of a cyber security attack on your business, that the minutiae of who needs to be told, and when, might overlook the attention of the in-house legal team, executive, board, and comms team”.

Unlike with natural disasters, there are various strategies that can be put in place to build a state of readiness and improve the security posture of an organisation’s enterprise networks and data security systems.

“It’s a matter of planning, preparation, and practice. Rehearsing and implementing periodical vulnerability assessments will aid complete visibility into the enterprise network, including all networked devices and their associated operating systems, applications and vulnerabilities”, said De Boer.

Following the latest national cyber incidents in 2022, the Australian Cyber Security Centre (ACSC) has engaged with industry to assist. Boards and executives can access support and guidance on all aspects of the organisation, including its risk posture. Experts at cyber providers now have a pivotal role in guiding enterprise-wide efforts, stemming from the direction of the board and the chief executives, through to the heads of technology and every single end-user in the organisation.

The recent increase in cyber attacks has drawn greater attention to state and federal government authorities, legal experts and cyber risk leaders developing clearer communication and presenting resources that will also enable improvement in directors’ duties and in the management of corporate disclosure responsibilities.
