A recent federal court decision is a timely reminder for company directors about cybersecurity risk oversight and disclosure obligations, writes ASIC Commissioner Danielle Press.
So you have a risk management framework – but does it adequately address cybersecurity risk?
In an Australian first, an Australian financial services (AFS) licensee has been found to have breached its licence obligations after failing to adequately manage its cybersecurity risks and ensure the financial services covered by its licence were provided fairly and efficiently.
Cyber risk has been recognised by writers published by the World Economic Forum as “the most immediate and financially material sustainability risk that organisations face today”. The decision in ASIC vs RI Advice Group Pty Ltd serves as a timely reminder for company directors about cybersecurity risk oversight and disclosure obligations.
ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations.
Measures taken should be proportionate to the nature, scale and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cybersecurity risks on an ongoing basis, based on threat intelligence and vulnerability identification. ASIC also expects this to include oversight of cybersecurity risk throughout your organisation’s digital supply chain.
In her judgment in ASIC vs RI Advice Group, Justice Helen Rofe acknowledged that while “it is not possible to reduce cybersecurity risk to zero... it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls”.
We expect directors to educate and equip themselves to drive their organisation’s cyber resilience culture. ASIC encourages directors to:
- Consider their risk management framework and risk appetite to ensure it adequately deals with cybersecurity risk
- Enquire about incident response and business continuity plans to determine the organisation’s preparedness to respond to cybersecurity incidents
- Ensure access to appropriate resources to effectively manage cybersecurity risk, whether it be in-house or through commercial arrangements.
But, it doesn’t end there.
Company directors may be required to disclose cybersecurity risks and cyber incidents in a number of circumstances. For example:
- In the event of a cyber incident, you should consider disclosure of the incident to the relevant market operator in a timely manner.
- If a cybersecurity risk poses a material risk to your organisation, you should consider disclosure of that risk in your annual operating and financial review.
- Whether or not a cyber attack or cyber event has occurred, where it could cause a direct or indirect financial impact to your organisation, disclosure in your annual financial report may be appropriate to avoid the risk of a material misstatement.
- If you are an AFS licensee, you may also have an obligation to report the incident to ASIC.
Your organisation may also be subject to enhanced cyber and other security obligations under other legislation, such as the Security of Critical Infrastructure Act 2018 or the Privacy Act 1988, which includes a mandatory reporting regime. You should also consider whether your organisation is dual-regulated. If so, you will have to comply with the disclosure standards of other regulators, such as the Australian Prudential Regulation Authority (APRA).
Company directors should beware that failure to adequately address cybersecurity risk or comply with relevant disclosure and reporting requirements, may be a breach of their directors’ duties.
More information on cyber resilience good practices and key questions for boards of directors.
This article was first published in AICD's Company Director magazine in July 2022.