Cyber safety a company culture matter
By Greg Yanco, Executive Director, Markets
Listed businesses must be ready to respond when their operations are threatened by online criminals, writes ASIC Executive Director of Markets, Greg Yanco
Earlier this year, the World Economic Forum released its annual Global Risks Report 2022. Failure of cyber security measures was the number one risk for Australian executives, even before Russia’s invasion of Ukraine and the resultant increase in global instability.
Shortly after, the Australian Cyber Security Centre (ACSC) issued an alert recommending all local organisations adopt an enhanced cyber security position. Currently there are no specific or credible threats to Australian organisations, but that could change. As such, ASIC strongly encourages listed entities to act on the ACSC’s advice and improve cyber resilience.
ASIC’s December 2021 resilience report showed firms operating in Australia’s markets had a small but steady improvement in cyber resilience. However, the increase of 1.4% fell far short of the 14.9% improvement targeted for the period.
This shortfall was in part attributable to pandemic-related disruptions. As we approach the end of the 2021/22 financial year, and against the backdrop of a heightened cyber threat environment, companies should review their cyber resilience settings and take appropriate actions.
We encourage regulated entities to re-assess their cyber risks and ensure their detection, mitigation and response measures adequately address their risk appetite. They should also assess their preparedness to respond to cyber security incidents, and to review incident response and business continuity plans.
ASIC is not seeking to prescribe technical standards or to provide expert guidance on cyber security. Where we consider a firm has not met its cyber risk management obligations, we may consider enforcement action to drive changes in behaviour. This is illustrated by ASIC’s proceedings against RI Advice Group. We argued it failed to have adequate policies, systems and resources in place to appropriately manage risk relating to cyber resilience.
Risk mitigation and reporting
Cyber resilience is the ability to prepare for, respond to and recover from a cyber incident. Resilience is more than just preventing or responding to an attack. It takes into account the ability to adapt and recover from such an event.
The dynamic nature of the cyber-threat landscape means entities should embed a comprehensive and long-term commitment to cyber awareness and resilience within their company culture. This may include regular and ongoing delivery of cyber-related training, awareness and education messages to staff.
These initiatives should go hand-in-hand with threat-response planning, examining the firm’s reliance on all third-party providers, and the potential impact of breaches to those providers’ controls.
Boards and senior management should continue paying close attention to their entity’s overall risk exposure.
This includes meeting cyber security–related regulatory obligations such as reporting breaches to ASIC, the ACSC or the Office of the Australian Information Commissioner as required. Where necessary, they should also give close consideration to disclosure requirements to the market, as well as in financial reporting.
Guidance and resources
ASIC has published good practice guidance and key questions for boards to ask about cyber-risk management. We also have a number of resources to help companies improve their cyber resilience. For more information visit www.asic.gov.au/cyber-resilience.
Company auditors can also refer to the Auditing and Assurance Standards Board (AUASB) bulletin, The Consideration of Cyber Security Risks in an Audit of a Financial Report, on the AUASB website.
This article was first published in ASX’s Listed@ASX magazine in June 2022.