
ASIC to scrutinise directors who ignore cyber security


The corporate regulator is expected to step up its scrutiny of directors who fail to properly manage the risk of cyber attacks as a new report warns that within four years the cost of cybercrime globally will exceed $6 trillion annually.

The MinterEllison Perspectives on Cyber Risk Report 2017 found that while awareness of the importance of cybersecurity had increased, almost half of the Australian executives and directors surveyed said their board was still only briefed once a year about the risks and 13 per cent had no briefings at all.

Only half of the responses from chief information officers said their organisations had increased their expenditure on cybersecurity in the past 12 months.

The percentage of CIO respondents who indicated that they were either somewhat or very dissatisfied with their organisation’s capability to prevent cyber incidents doubled, from 18 per cent in 2015 to more than 40 per cent in 2016.

“A majority of board members still think this is an IT issue. Yet IT sees it as an enterprise-wide risk issue. It should be on the board agenda and ASIC (Australian Securities and Investments Commission) thinks it should be on the same agenda,” said MinterEllison head of cyber Paul Kallenbach.

ASIC has previously warned that the dynamic nature of the cyber threat meant that “a comprehensive and long-term commitment to cyber resilience must be embedded within organisations’ culture”.

It also claimed that the obligations on company directors and officers to discharge their duties with care and diligence extended to cybersecurity.

ASIC’s four-year plan released last year identified cyber resilience as a key priority, signalling increased regulatory scrutiny of this issue. The regulator’s cyber-risk taskforce (financial markets) is collaborating with industry, regulators and the government on the issue.

“Regulators are alive to this and it may well be we start seeing some serious regulatory action when it comes to cyber,” Mr Kallenbach said. “We haven’t had any clients on the receiving end of nasty letters from ASIC as yet but they have been talking about this for many months and they have made some very bold statements in the past two months.

“They are setting the scene I would say. Woe betide the organisation that carelessly does not address this.

“Also, litigation funders haven’t worked in this space but that seems only a matter of time.”

It comes as some of the world’s biggest companies have been hit by cyber attacks in the past year including eBay, LinkedIn, Target, Sony, SWIFT and the Red Cross.

The Australian Bureau of Statistics was also infamously the target of a cyber attack during last year’s census.

The MinterEllison survey found that in 2015, only 8 per cent of respondents reported that their organisations had been subjected to cyber incidents in the previous 12 months that had compromised their systems or data. Last year, ASIC is focusing on how seriously company directors deal with cyber security threats.

The San Francisco-based UpGuard, as it is now known — which calls itself the world’s first “cyber-resilience” platform — is also opening an office in Sydney that will be the springboard for its Asia-Pacific expansion plans.

“While you need to have good end point and perimeter technology in place, ultimately it is not a technology issue, but a people issue. You need to embed a culture of security in the organisation.

“Most of these cyber incidents are socially engineered now,” Mr Kallenbach said.

Each year MinterEllison surveys executives including legal counsel and risk managers as well as board members from both public and private-sector organisations across a wide range of industries about cybersecurity issues, with more than 100 in-depth responses forming the latest survey.

Author: Damon Kitney, The Australian