Navigating the regulatory landscape: ASIC’s cyber security mandates for boards

Tuesday, 02 April 2024

Stan Gallo, Partner, Forensic Services
and Leon Fouche, BDO’s National Cyber Security Leader

    In today’s digital era, where cybercrimes and data breaches are an ever-present risk, organisations must adapt to ensure robust cyber security measures.

    As cyber criminals grow increasingly sophisticated, the Australian Securities and Investments Commission (ASIC) has intensified its scrutiny of organisations, urging boards to fortify their defences against cyber threats or face regulatory consequences.

    Recent statements by ASIC Chairman Joe Longo signalled a crackdown on organisations lacking adequate cyber security preparedness, following the results of ASIC’s 2023 pulse survey, which highlighted significant gaps in corporate Australia’s cyber security.

    Understanding the risks

    As businesses navigate the complex cyber security landscape, it is crucial they grasp the multifaceted nature of cyber threats. Recent incidents, such as the credential stuffing incident that engulfed popular Australian online retailer The Iconic, are a stark reminder of the insidious nature of cyber threats, even in circumstances where the organisation did not suffer a data breach.

    As part of BDO’s latest Scams Culture Report research, we also highlighted the low cost of gaining the assistance of cyber criminals to hack an organisation’s LinkedIn company profile – as low as AUD $17 on the dark web. Incidents such as these underscore the need for organisations to fortify their defences against such nefarious activities.

    Third-party risks are also often overlooked and pose a significant threat, as evidenced by the growing trend of cyber criminals targeting supply chains and business partnerships. Boards must recognise the constantly evolving threat landscape and take proactive measures to mitigate risks effectively. Whilst much attention is devoted to internal IT security, overlooking risks posed by third-party suppliers or business partners can be catastrophic for organisations. To effectively manage these risks, organisations must conduct comprehensive risk assessments and integrate third-party risk management into their overall cyber resilience strategy, ensuring a holistic approach to cyber security that encompasses every link in their supply chain.

    Protecting your environment

    In the digital age, adopting comprehensive protection strategies is pivotal for enhancing cyber resilience, safeguarding against the evolving landscape of cyber threats. Organisations must critically assess their need to store sensitive data, like credit card information, and only retain it when absolutely necessary, while applying robust security measures for any data kept.

    Implementing multi-factor authentication significantly enhances security, adding an essential layer of protection beyond just passwords. Regularly updating systems with the latest security patches is crucial to defend against new vulnerabilities. Additionally, equipping staff with comprehensive awareness training on cyber security practices is vital to fortify the organisation's defence against cyber threats, ensuring every team member is prepared and informed.

    Incident Response Planning

    Managing the impact of cyber risk is equally as important as implementing protection strategies, highlighting the need for organisations to have comprehensive incident response plans. The increasing frequency and sophistication of cyber attacks underscore the critical need for such well-defined plans that offer clear procedural guidance for addressing and responding to incidents at both technical and non-technical levels. These plans should include guidance and instructions for communicating effectively with staff and customers during a cyber incident, ensuring transparency and maintaining trust. Educating teams on their roles within the incident response framework and conducting regular drills to follow the plan in simulated scenarios are essential to prepare for real-world breaches.

    Additionally, rehearsing the incident response plan through regular testing is crucial for assessing its effectiveness and making necessary adjustments. This approach not only helps in managing the immediate fallout from cyber incidents, but also strengthens an organisation's resilience against future threats.

    What do directors and boards need to know?

    Cyber resilience has emerged as the cornerstone of organisational preparedness, encompassing the capacity to anticipate, respond to, and recover from cyber incidents. Despite this, many businesses still neglect the broader risk landscape encompassing processes and personnel when considering security requirements. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk and that controls are implemented to protect key assets and enhance cyber resilience. They warn that failure to do so could cause directors to fall foul of their regulatory obligations.

    Boards and directors are pivotal in steering their organisations towards cyber resilience. They must spearhead efforts to implement and continually evaluate robust cyber security controls, educate employees on best practices and develop incident response protocols. Collaboration with external cyber security specialists can alleviate the burden, offering expertise and insights to enhance cyber resilience.

    The entire executive team needs to be cyber-aware to meet ASIC's cyber security expectations. Boards must grasp regulatory requirements, implement adequate controls and continually reassess their cyber security posture. Organisations must strive to enhance their cyber security maturity within recognised frameworks through internal initiatives and external partnerships.

    ASIC emphasises the imperative of resilience, stressing the need for proactive measures and regular testing to mitigate cyber risks effectively. An effective cyber security strategy aligned with governance and risk frameworks ensures that organisations can confidently navigate the evolving cyber threat landscape.

    As businesses confront the ever-changing cyber threat landscape, prioritising cyber resilience is paramount. By embracing ASIC's cyber security mandates and fostering a culture of vigilance, boards can safeguard their organisations against cyber threats and future-proof their operations.
