In the midst of increasing concern about cyber risks in the digital age and the impact on business, on 19 March 2015 ASIC published its Report 429 ‘Cyber resilience: Health check’. In doing so, ASIC has provided helpful guidance to businesses in bolstering their own cyber resilience, but has also upped the ante in highlighting cyber risk management as a potential matter of regulatory compliance.
Cyber resilience and the cyber risk landscape
ASIC defines cyber resilience as “the ability to prepare for, respond to and recover from a cyber attack”. The Report emphasises the importance of cyber resilience in protecting the integrity of global markets and supporting consumer trust and confidence.
ASIC notes that in 2013 cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion. The Report describes the impact on the cyber risk landscape of the increased use of mobile technologies and social media, the “Internet of Things”, cloud computing services and electronic payment methods.
A cyber risk “health check”
The Report outlines various ‘health check prompts’ comprising a table of questions to assist companies in considering the extent of their cyber resilience.
ASIC also outlines a number of suggested measures to improve the cyber resilience of a business. These include encouraging businesses to:
- Apply the United States’ NIST (National Institute of Standards and Technology) Cybersecurity Framework, which has been adopted by participants in financial services and markets in the United States;
- Work in conjunction with (including reporting cybersecurity incidents to) relevant Australian agencies such as ACORN (Australian Cybercrime Online Reporting Network) for small to medium businesses and CERT Australia (Computer Emergency Response Team) for large businesses;
- Implement the Australian Signals Directorate’s “Strategies to mitigate targeted cyber intrusions”; and
- Consider the purchase of cyber insurance liability cover which ASIC notes may be an appropriate business decision based on a company’s risk profile.
Cyber risk and regulatory compliance
ASIC appears to be of the view that cyber resilience is more than just a matter of good practice. Thus, the Report provides an overview of some of the existing legal and compliance requirements for companies which may positively require steps to be taken with respect to cyber risk, including risk management and disclosure requirements.
ASIC also highlights the responsibility of the board of directors and senior management to be aware of, and to have oversight of, cyber risks, emphasising the duties placed on directors by the Corporations Act.
As to disclosure requirements, ASIC notes a number of potential obligations which may require disclosure or notification of cyber risks or a cyber incident, including:
- The obligations of AFS licensees to report to ASIC significant breaches of the obligation to have adequate risk management systems;
- The continuous disclosure obligations of listed entities to disclose market-sensitive information to the market, with ASIC suggesting this might include a cyber attack;
- The requirement to give disclosure in a prospectus of significant factors to be relied upon by a potential investor; and
- The obligations for entities regulated by the Privacy Act 1988 (Cth) (Privacy Act) including the Privacy Commissioner’s “Data breach notification guide: a guide to handling personal information security breaches” (and noting the recent announcement to introduce a mandatory data breach notification scheme by the end of 2015).
Cyber risk and regulatory oversight
In terms of regulatory oversight, cyber attacks affecting Australian businesses have, in recent years, been primarily a focus of the Privacy Commissioner given the potential impact of a data breach on personal information regulated by the Privacy Act.
What the ASIC Report makes clear, however, is that the impact of a cyber incident can extend well beyond just an interference with personal information. The ASIC Report highlights other impacts such as:
- The systemic risk for the financial system as a whole;
- The impact on securities exchanges, which could affect market integrity and the fair, efficient and orderly operation of the market; and
- The disruption to the continuity of essential services to the community such as banks providing payments or access to funds.
By issuing the Report, ASIC has clearly signalled that it is now taking a more active interest in cyber risk management. ASIC goes so far as to say that it expects those under its regulatory scrutiny, particularly licensees, to address cyber risks as part of their legal and compliance obligations.
Implications
ASIC has made clear that it regards cyber resilience as being more than just a matter of good practice but as being a matter of compliance with specific legal obligations.
Businesses and boards of directors thus need to be on their guard and have cyber risk management as a key plank of their legal compliance going forward.
This article was written by Andrew Miers, Partner, Bill Singleton, Partner and Hayden Fielder, Graduate-at-Law.