ASIC Raising the Bar on Cyber Security

Published
12 Dec 2023
Read time
4 min read
The Australian Securities and Investments Commission (ASIC) is ramping up its emphasis on cybersecurity with a specific focus on bolstering cyber resilience. Its Chair Joe Longo has strongly indicated that ASIC is prepared to commence proceedings against boards and directors that fail to prepare adequately. Dive into our analysis to see how these initiatives are shaping Australia’s cyber security norms, and what that means for Australian businesses. 

Background: ASIC’s Focus on Cyber Security 

‘For all organisations, cyber security and cyber resilience must be a top priority. ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.’ – ASIC Chair Joe Longo

ASIC Prepared to Prosecute Boards & Senior Executives 

In a keynote speech at the Australian Financial Review Cyber Summit in September this year, ASIC Chair Joe Longo emphasised the imperative for boards to prioritise cyber security and cyber resilience. Chair Longo highlighted that neglecting to give sufficient priority to these aspects “creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC”. This sentiment was echoed at the ASIC Annual Forum on 21 November 2023, where Chair Longo reaffirmed that addressing governance and directors’ duties failures would remain an enduring priority for ASIC in 2024.

ASIC already has powers to pursue directors for breaches of their directors’ duties, and Chair Longo conveyed that ASIC will commence proceedings if it believes directors or boards failed to take reasonable steps, or to make appropriate investments, to adequately prepare for cyberattacks.

ASIC’s Cyber Pulse Survey 

On 13 November 2023, ASIC also published the results of its 2023 Cyber Pulse Survey, which measured participants’ ability to manage cyber risks, protect information assets, and manage and recover from cyber incidents. Some key findings were:  

  • 44% of participants do not manage third-party or supply chain risk 
  • 58% of participants have limited or no capability to adequately protect confidential information  
  • 33% of participants do not have a cyber incident response plan 
  • 20% of participants have not adopted a cyber security standard 

Considering the heightened focus on cyber risk by Australian regulators, including ASIC, the OAIC and APRA, and the scrutiny from class action lawyers regarding lapses in preparation or response, these findings should cause concern for organisations lacking a robust understanding of cyber risk and resilience.  

Key Takeaways for Australian Organisations: ASIC’s Cyber Security Focus  

Given ASIC’s heightened focus on cybersecurity, proactive measures are crucial not only to avoid potential regulatory action but also to reduce the risk of a successful cyber-attack on your business. We recommend the following:

  • Third-party risk management – Mitigate third-party risk by performing pre-contractual due diligence on prospective suppliers’ security posture. Monitor ongoing compliance and require suppliers to provide independent audit reports demonstrating adherence to contractual security obligations or industry standards.
  • Internal data audits – Conduct comprehensive internal data audits to identify and protect critical data, personal information, and vital systems. The recent cyber-attack on DP World underscores the importance of safeguarding both information and critical systems to prevent business disruption and loss.
  • Cyber incident response plan – Develop a robust cyber incident response plan outlining procedures for key systems, the roles of stakeholders, and regulatory and legal obligations. Regularly test the plan through tabletop exercises to identify gaps and areas for improvement.
  • Regular audits and plan updates – Continuously revise and update cyber incident response plans and conduct regular audits. Given the dynamic threat landscape, maintaining vigilance is essential, and boards should not adopt a ‘set and forget’ approach.
  • Cyber insurance awareness – Acknowledge that cyber insurance policies may not automatically cover all risks. Having a policy in place should not instil complacency; organisations should remain vigilant against cyber threats.

About Privacy 108 

Privacy 108 is a specialist data privacy and cyber security consultancy. Our mission is to help our clients manage risks and opportunities at the intersection of privacy, cyber security and data governance in a holistic and sustainable way.  

We help our clients implement privacy, data management and cyber security programs, including improving transparency, embedding privacy by design, delivering training and awareness initiatives, managing data risks, assessing vendors and third-party risk, and more.  

Ready to enhance your organisation’s privacy, data governance and cyber security resilience? Reach out to us below, and let’s talk about a more secure and resilient future tailored to your organisation’s unique needs.  
