Cybersecurity crackdown: ASIC coming for poorly prepared companies

Is your business adequately prepared to respond to a potential cyber attack?


Chris Leitch 19 Sep 2023

The aggressive headline in yesterday’s Australian Financial Review – ASIC to target boards, execs for cyber failures – should ring alarm bells for corporate leaders.

In a story published ahead of the newspaper hosting a cyber summit yesterday, ASIC chairman Joe Longo said the corporate regulator will seek to make an example of board directors and executives who are recklessly ill-prepared for cyberattacks.

Mr Longo said ASIC would take legal action against compromised companies that did not take sufficient steps to protect their customers and infrastructure from hackers.

Prior to his keynote address at the AFR’s event, Mr Longo said businesses must be prepared for the ever-rising risk of cybercrime and warned firms against putting too much faith in third-party providers of technology systems and services:

“For all boards, cyber resilience has got to be a top priority.

“If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses.

“I can assure you that in the right case ASIC will commence proceedings if we have reason to believe those steps were not taken.”

Mr Longo’s comments should prompt serious questions for boards and company executives.

If the next questions asked are, ‘Do we have a cybersecurity plan?’ or ‘Is our cyber insurance up to date?’ then ASIC has your organisation in their sights.

‘Reasonable steps’ isn’t clearly defined, nor are the financial or other punishments that may await an organisation if ASIC determines those steps have not been taken.

But the corporate regulator is again making it clear that shifting responsibility and liability for cybersecurity solely to insurance policies or technology solutions is not good enough.

Cyber insurance may be part of a strategic response to a data breach, in that it can help recover some of the costs, but it cannot be the extent of the preparedness or the entire response.

Similarly, technology will be an important factor in defending networks but it will not help an organisation if it has a poor cyber culture or third-party partners are vulnerable.

What ASIC really wants corporate leaders to address are the questions that get to the heart of organisational cyber resilience and agility, in both preparation and response.

Questions like, ‘How do we know that we’re really prepared for a cyber-attack?’, ‘Have we taken reasonable steps to protect the data of people who have shared their information?’ and ‘How would we respond if a data breach shuts down our business?’

These strategies should be documented and defensible.

ASIC is aware of the dangerous cyber environment and it is not looking to bring down businesses that have prepared and tested their response against an attack to the best of their capabilities.

Reasonable steps will depend on the size and nature of the organisation – measures taken by a furniture retailer, for example, may differ from those taken by a law firm.

The resources of the organisation are also a major factor. If the furniture retailer is a huge national network with deep resources, it may be examined more critically than a suburban law firm that deals in wills and powers of attorney.

Three key takeaways from Mr Longo’s speech to the summit were:

Never set and forget – plan for and test for cyberattacks.

Corporate leaders cannot know if their technology and strategy works unless it is tested. This takes a certain level of vulnerability because it’s very likely that holes will be found.

Cybersecurity technology is important but it’s not a vaccination. Business environments are fluid, with changing suppliers, new business processes and operational changes.

Without systems and staff being regularly tested, people will not know their actions or responsibilities in a crisis, which will lead to a disastrous response.

Finding those holes allows organisations to address and fix vulnerabilities, and it’s an opportunity for those in critical positions to learn how they could do better.

How would you communicate with customers, regulators and the market when things go wrong?

In a cyberattack, there could be dozens of key stakeholders that need to be contacted – staff, regulators, suppliers and other critical partners. That’s before a public-facing response is considered.

How would a business learn that it had been hacked in the first instance? Who would make decisions about assessing the threat and activating an incident response team? Is there an incident response team to be activated? At what stages would a board, regulators and other stakeholders be informed?

There is a big difference between preparing a response ahead of time, with roles and responsibilities clear and a detailed communication plan mapped out, and a poor-quality plan improvised on the fly and under pressure.

Any organisation can be breached and systems hacked. Resilient organisations will be prepared and know how to respond quickly to minimise harm.

Nobody guards what they don’t know they have.

Information that isn’t identified before an attack can’t be protected. Knowing where data is stored allows vulnerabilities to be rectified and breach risks to be assessed.

In the same way that valuable items are offered greater protection in a home, an organisation must identify the most critical information that it holds so it can prioritise its protection.

This includes supply chains and third-party partnerships – if the most sensitive data is held elsewhere, it is critical to understand how external parties would protect and respond to breaches.

ASIC is looking to make an example of organisations that have ignored cybersecurity and privacy threats in the misguided belief that they won’t be breached.

But Mr Longo’s words should be treated as an opportunity rather than a threat – a chance to look more closely at vulnerabilities and address them before an inevitable attack or privacy breach.

“(Impregnable security systems) not possible,” he told the AFR.

“While preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cybersecurity incident.”
