Cyber security and directors
How cyber resilient is your organisation? Responsibilities of directors in assessing material business risks.
Cathie Armour, Commissioner
This article was submitted to the Australian Institute of Company Directors for publication in the Company Director magazine on 1 April 2015
The digital economy provides great opportunity for economic growth. Australians are rapid adopters of technology, with 7.5 million Australians accessing the internet via their mobile phones in 2013, an increase of 33% from 2012.
At the same time, there has been significant growth in the number and severity of global cyber-attacks in the last few years, with the estimated annual cost of cyber-attacks to the global economy at more than $400 billion.
A cyber-attack can affect us all. It can undermine businesses and impact our economy. It may also erode investor and financial consumer trust and confidence in the financial system and wider economy. The question for directors is: how cyber resilient is your organisation?
Cyber resilience is an organisation’s ability to prepare for and respond to a cyber-attack and continue operation during, or quickly adapt and recover from, a cyber-attack.
Entities in the financial sector licensed by ASIC have legal obligations, including risk management and disclosure requirements, and ASIC expects cyber resilience to be addressed as part of these obligations.
Depending on the severity, a failure to meet these obligations could have consequences for an entity holding a financial services licence: fines, penalties, enforceable undertakings, licensing conditions, or a licence suspension or cancellation. For directors or company officers, it could result in being disqualified from your role in the financial services industry.
Responsibilities for all directors
More broadly across all industries, effective cyber resilience requires leadership and a commitment of resources to develop strategies, including responses to a cyber-attack. ASIC encourages company officers to assess their entity's threats and vulnerabilities now, and understand what, where and how its most valuable information is held. This assessment will allow an entity to prioritise resources to mitigate the effect of a cyber-attack. Effective corporate governance involves active engagement by directors and the board in managing cyber risks. Directors need to specifically ask:
- how cyber risks may affect your duties as a director and the disclosure requirements for the annual directors' report;
- whether you have appropriate board-level oversight of cyber risks and cyber resilience; and
- whether consideration of cyber risks has been incorporated into your governance and risk management practices, and into the controls and measures for managing those risks.
Directors of listed entities must ensure annual disclosure of material business risks that could adversely affect the achievement of the financial performance or financial outcome described. Cyber risks and resilience may need to be taken into account in an assessment of these material business risks.
Cyber risks may also impact on directors' disclosure requirements to investors. A prospectus or information statement requires disclosure of relevant information that may affect an investor's decision, including the nature of the risks of investing in the securities.
Directors may consider whether cyber risks form part of information investors and their advisers would reasonably require to assess any offer, and should be disclosed in a prospectus.
For listed entities, directors must immediately disclose ‘market sensitive information’ to the market operator once they become aware of the information. As a result, directors need to consider how and when a cyber-attack may need to be disclosed as ‘market sensitive information’.
ASIC considers the US-developed NIST Framework to have particular relevance as a standard for managing cyber resilience for financial service providers operating globally. It is expected to become a de facto global benchmark for financial markets.
The Australian government has established the Computer Emergency Response Team (CERT) which provides free advice and support on cyber threats and cyber vulnerabilities to owners and operators of Australia’s critical infrastructure and other systems of national interest. ASIC encourages major financial institutions and market infrastructure providers to partner with CERT before an incident occurs, and report all cyber security incidents to CERT.
ASIC will publish a paper on cyber security in March, which will be available on www.asic.gov.au.