Share this article on:
The corporate regulator has issued a warning to company directors that failure to address cyber security could see them fall short of their regulatory obligations.
Editor’s note: This story first appeared on Cyber Security Connect’s sister brand, ifa.
ASIC commissioner Danielle Press said that the landmark ruling against RI Advice — which found that the local firm breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks — should serve as a timely reminder for company directors about cyber security risk oversight and disclosure obligations.
In May, Lawyers Weekly unpacked the lessons for lawyers coming out of this “Australian first” case, in which RI Advice was ordered to pay $750,000 towards the Australian Securities and Investments Commission’s (ASIC) costs.
“ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations,” commissioner Press said.
“Measures taken should be proportionate to the nature, scale and complexity of your organisation — and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.
“ASIC also expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain.”
Commissioner Press said that in a bid to drive a strong “cyber resilience culture”, company directors should look to assess their current risk management framework and make adjustments where needed, inquire about incident response and business continuity plans and ensure access to resources to effectively manage cyber security risks.
Commissioner Press also reminded directors that they might be required to disclose cyber risks and incidents and that failure to do so may be a breach of their directors’ duties.
Following the ruling against RI Advice, ASIC reported a “significant number” of cyber incidents that occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
The comments follow predictions that expanded definition of critical infrastructure sectors may catch small businesses out in failures to report cyber attacks, and a report from a BigLaw firm that such attacks will have “severe financial and reputational consequences” in 2022.
[Related: Applications open for new round of Cyber Gap program]