Cyber risk: Are registered liquidators ready to respond?
By Thea Eszenyi, Senior Executive Leader, Registered Liquidators
Reported incidence of cyber threats has increased during the COVID-19 pandemic, as individuals and organisations increasingly rely on the internet to work remotely, communicate electronically, and access information and services online.
To address increasing cyber risk, ASIC’s Corporate Plan 2021-25 aims to support enhanced cyber resilience and cyber security among its regulated population, in line with the whole-of-government commitment to mitigating cyber risk.
To understand the landscape for registered liquidators (RLs), we surveyed RLs about their cyber security practices in May 2021. The Survey of registered liquidators on cyber security awareness and controls built on our 2019 Survey of registered liquidators on external administration funds handling. The 2021 survey aimed to raise awareness and obtain insights into RLs’ cyber security policies and procedures and determine the level of RL awareness and cyber risk management. Around half of the 651 RLs responded to the survey.
So, what are our key observations from the survey results?
The majority of RLs reported encountering cyber security risks, such as phishing emails, untrustworthy websites, and text and telephone-based scams, on a weekly or monthly basis. Promisingly, almost all RLs, regardless of firm size, have a reasonable understanding of specific cyber security-based controls. They are also aware of the frameworks their firm has in place to combat any potential cyber security risks and they understand their firm’s cyber security policies. Importantly, two thirds are confident in identifying cyber threats.
Regular training is vitally important to protect against cyber incursions, so it was promising to see that around half of respondents had undertaken comprehensive cyber security training in the last year – most on an annual or bi-annual basis.
Notwithstanding the levels of awareness and training, only around two thirds were very confident in their firm’s ability to resolve a cyber security breach or incident with minimal ramifications, and slightly over two thirds reported they would rectify a security breach immediately.
However, fewer than half of RLs fully or partially follow the ISO/IEC 27001 Information Security Management standard to protect their information assets. This is an area where RLs could seek appropriate additional training and advice.
ASIC urges all RLs to foster a firm-wide culture of cyber awareness by regularly engaging in cyber-related training and delivering awareness and education messages to staff. This goes hand-in-hand with considering the firm’s response plan to a threat, including examining any reliance on third-party providers and potential impacts of breaches to providers’ controls.
Of the RLs who have encountered a cyber incident, the majority indicated they did not report it to any authority. We suggest RLs consider whether to report an incident to the police or the Australian Cyber Security Centre, and whether it is a notifiable data breach: where personal information is accessed or disclosed without authorisation, or is lost, it is an eligible data breach that requires mandatory reporting to the Office of the Australian Information Commissioner. In addition, by reporting a cyber incident to ASIC, RLs will help ASIC inform other RLs of current cyber-attacks and risk activity.
Insolvency-related insurance specialists can help RLs better understand the insurance policies they have in place and what else may be available to provide appropriate cover against cyber threats. They may also help the RL to comply with the insurance obligations set out in Regulatory Guide 258 Registered liquidators: Registration, disciplinary actions and insurance requirements.
As part of their ongoing cyber risk mitigation strategies, ASIC hopes RLs consider the level of protection required to mitigate cyber threats and respond to cyber-attacks. Additionally, we encourage RLs to progressively implement strategies to achieve the level of risk mitigation appropriate for their firm and the work they do. RLs might consider the Essential Eight Maturity Model from the Australian Cyber Security Centre’s Strategies to Mitigate Cyber Security Incidents, which provides mitigation strategies with a focus on organisations operating Microsoft Windows-based internet-connected networks.
For more information and other useful resources visit the Australian Cyber Security Centre (www.cyber.gov.au), or search ‘cyber resilience’ on the ASIC website.
This article was first published in the ARITA Journal in December 2021.