ASIC Viewpoint: Don’t leave it to the IT guy
Published by the Australian Financial Markets Association in AFMA Member News, May 2017.
Over recent weeks cyber crime has captured international headlines. The reason is simple – a cyber attack can quickly cause havoc to an organisation, threatening its capacity to operate. Cyber crime that affects financial services can also destabilise markets, eroding investor trust and confidence in Australia’s financial system.
The average cost of cyber crime to Australian companies is now estimated to be over $5.6 million per incident. The increasing incidence, complexity and reach of cyber crime can destroy a company’s value overnight – dragging its share price and reputation down with it.
Raising the cyber security awareness of your organisation’s leadership has never been more important. While cyber risk now features in the ‘top 10’ risks for most boards, it is also a risk of which directors and executive leaders are still developing their understanding.
Late last month, ASX launched the ASX 100 Cyber Health Check report. The report examines the cyber security risk-awareness of Australia’s top-100 listed companies. It also looks at their cyber risk prevention and response measures.
The health check is one of the initiatives of the Government’s Cyber Security Strategy and was a collaboration between ASX, ASIC, Government and industry. Companies in the ASX 100 were invited to participate in the survey, which explored their level of cyber awareness, preparedness and resilience.
One of the key trends identified in the report is that, while companies are managing cyber risk better, there’s still more to do.
And the pressure for organisations to improve their cyber governance is not just coming from regulators – it can also be attributed to:
- customers and clients, who expect companies to have robust cyber risk strategies to manage their confidential data, and
- shareholders, who expect companies to have effective cyber risk frameworks in place.
What should you be doing?
Cyber risk is not an issue that you can leave to the IT department. It must be addressed at all levels of your business, and should form an integral part of your governance and risk management frameworks.
Following on from our cyber resilience reviews in 2015 and 2016 (see Report 429 and Report 468), we have conducted ongoing reviews of the cyber risk management practices of intermediaries in Australia’s financial markets. The results of these reviews indicate that there are significant differences in the cyber security approaches of some of the largest organisations in our markets. While some organisations have moved beyond IT-related cyber risks, others are still looking for a way forward – particularly where expertise is not readily available or accessible.
To properly manage emerging risks, your organisation needs to take a proactive approach to early identification, impact assessment, prioritisation and preventative action. Being proactive requires boards and executive management to become involved in cyber risk discussions, rather than sitting back and reviewing the results of audit reports or dashboards on IT risk management initiatives.
Effective cyber risk management requires consideration of each of the factors that contribute to your organisation’s cyber risk profile, including:
- IT system risks
- third-party risks
- insider threats (including human error)
- motivations of threat actors that may target your organisation
- observations of other organisations’ cyber threats (e.g. through participation in threat sharing forums), and
- identification and classification of information assets, including the commercial risk of a slow response to a cyber incident if information assets are compromised.
Firms need to find a way to coordinate these risks into a single comprehensive cyber risk assessment – one which also considers the human factor in each of these risks. Developing these cyber risk management skills now is critical to any organisation that is looking to build an organisation for the future economy.
To help you evaluate your organisation’s cyber effectiveness and identify opportunities for improvement, the ASX 100 Cyber Health Check report sets out a framework that can be used to benchmark your organisation against the market.
ASIC Report 468 also lists a number of questions for corporate leaders to consider when reviewing their risk management framework. Asking these questions now will make sure that you are ready when customers, clients and shareholders begin asking boards and executive management the tough questions.