ASIC sets out basic practices for companies to manage cyber security – Security

Spread the love



To print this article, all you need is to be registered or login on Mondaq.com.

On 13 November 2023, ASIC released Report 776,
‘Spotlight on Cyber: Findings and insights from the Cyber Pulse
Survey 2023’
. The Report summarises trends and findings
from the cyber pulse survey and identifies areas for improvement,
highlighting practical examples of better practices for
organisations to adopt.

The Report comes as the Commonwealth Government releases its
national Cyber Security Strategy for 2023-2030 this week. Amongst
other things, the Strategy outlines the Government’s plans to
introduce a “playbook” for businesses affected by
ransomware attacks, a reporting scheme for cyber attacks and
opportunities for small and medium sized businesses to undertake
cybersecurity “health checks”. The Strategy seeks to
improve cyber security, manage cyber risks and better support
citizens and Australian businesses to manage the cyber environment
around them. The strategy also shifts cyber from a technical topic
to whole-of-nation endeavour, focusing on providing better support
to civilians and industry. So while the strategy will support
businesses, they need to make their own individual contribution to
cyber protection.

In providing guidelines for better cyber practices, the Report
distinguishes between all organisations and smaller organisations.
In this way, guidance is provided at a general level and at a
scaled back level for organisations with fewer resources. The
implications of this are that the guidelines for organisations with
fewer resources will form a “baseline” standard for all
other businesses. Businesses can expect ASIC will take the baseline
standard into account when taking regulatory action in the
future.

Examples of the ASIC recommendations include:

  • conducting third party risk assessments and due diligence

  • establishing clear contractual obligations with third
    parties

  • proactively identifying critical business services and
    dependencies and mapping information flows

  • establishing encryption practices for high-risk confidential
    information and enhancing email security.

Usefully, the Report also lists various practical examples of
“red flags” for companies. This Report is not one for
just a technology literate audience, but for an organisation’s
entire leadership team to read and consider. The Report is only 31
pages and is worth reading by both senior leadership teams and
boards. It sets out ASIC’s clear expectations around minimum
standards and provides practical guidance as to how organisations
can meet those standards. The examples in the Report could be used
to undertake an overview of an organisation’s current cyber
risk position.

This Report continues to build on ASIC’s regulatory
expansion into cyber as a risk that companies need to proactively
manage.

In 2020, ASIC initiated action against financial services
licence holder, RI Advice, for failing to implement adequate cyber
security protections. A Federal Court ruling in 2022 confirmed the
company had breached its licence conditions by failing to meet its
cyber security obligations. At that time, commentators predicted
this was only the beginning of ASIC’s foray into cyber security
regulation.

This Report throws down the gauntlet, making it very clear what
ASIC’s minimum standards are. Organisations that fail to
respond to known red flags and fail to take steps which ASIC
recommends for large and small organisations can expect regulatory
action in the event of a cyber security breach.

Potential customer claims

Importantly, this Report comes hot on the heels of the Optus
outage on 8 November and the statement made by Optus to the Senate
Estimates Committee in relation to the breach and potential
compensation. That risk of customers seeking compensation where a
sustained interruption to a service that is critical to them, is
now fairly and squarely one that all organisations need to
consider.

We can help you manage your cyber security obligations in
accordance with the ASIC recommendations, the national Cyber
Security Strategy and constantly emerging regulations. Get in touch
with a member of our team below for further details.

This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader’s
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named
individuals listed.



Source link