ASIC chair Joe Longo warns of cyber failures

Friday, 01 December 2023

Joe Longo
Chair, ASIC

    Companies are under siege from cyberattacks, but many are failing to defend against a key threat, writes Australian Securities and Investments Commission chair Joe Longo. 

    For nearly a millennium, the ancient city of Constantinople stood impenetrable. Its great Theodosian walls — towering rings of limestone and mortar — withstood siege after siege. It was only when Ottoman invaders overwhelmed the defences with sheer numbers that the mighty citadel fell.

    In today’s world, this relentless onslaught is not coming over the walls, but from online and digitally connected networks. According to the Australian Signals Directorate’s Australian Cyber Security Centre, a new cyberattack is reported in Australia every seven minutes — and the pace of this incursion is intensifying. Globally, ransomware attacks are anticipated to occur every two seconds by 2031, up from every 11 seconds in 2021.

    The recent incidents with Optus, Medibank and DP World should make it clear that cyber threats must be a priority at the highest levels.

    Yet the recent Cyber Pulse Survey by the Australian Securities and Investments Commission (ASIC) found that organisations are more reactive than proactive when it comes to managing their cybersecurity. 

    Of greatest concern, 44 per cent of participants revealed they are not managing third-party or supply chain risks. A further 58 per cent of respondents indicated that they do not test cybersecurity incident responses with critical suppliers. Supply chain risks were not even on the radar of many organisations. Survey respondents nominated their top cybersecurity threats as phishing (26 per cent), ransomware (17 per cent), and business email compromise (13 per cent).

    However, supply chains pose a considerable financial, reputational and governance risk to your operations. Supply chain companies and vendors can become an entry point for attackers, enabling key systems to be infected, infiltrated and exploited. Consider how many vendors your company relies on. Most engage multiple third parties for an array of business-critical functions — from software and infrastructure to call centres and payroll.

    Our survey shows organisations have well-developed capabilities when it comes to identity and access management, governance and risk management, and information asset management. While we can take heart from these results, it is futile to fortify and defend if supply chain companies and vendors have unrestricted access to business-critical systems.

    Your duties as a company director

    Company directors have an obligation to act with reasonable care and diligence in relation to their duties. This duty cannot be outsourced to a third party — even if services can.

    It is incumbent on directors to ensure their organisation’s risk management framework adequately addresses cybersecurity risk and that controls are implemented to protect key assets and enhance cyber resilience.

    This requires dedicated attention from the top. Boards should have visibility of third-party risks. Third parties should be willing to provide information about their own cybersecurity protocols. If they are not, company directors need to be asking why.

    Know who has the keys to your kingdom. Companies should conduct due diligence before engaging third parties and regularly review their access to systems. As the corporate regulator, ASIC will consider enforcement action where an organisation has not met its cyber risk management obligations. We do this to send a clear message to every company director that when it comes to the cyber resilience of your organisation, the buck starts and stops with you.

    It is encouraging that 95 per cent of Cyber Pulse Survey participants elected to receive an individual report with insights on how their cyber maturity compared to their industry peers. This demonstrates a commitment to improvement.

    But companies also need to go beyond fortifying and defending. The ability to respond and recover from an incident is paramount. It’s not enough to have plans in place. They must be tested regularly — alongside ongoing reassessment of cybersecurity risks, including within the supply chain. You cannot only rely on your fortifications and defences to withstand attacks — you need to prepare for when they are breached. 

    This article first appeared under the headline ‘Who has the keys to your kingdom?’ in the December 2023 / January 2024 issue of Company Director magazine.
