Tuesday, May 31, 2022


Failure to ‘adequately’ manage cyber risks puts corporate Australia on notice

Globally, we are witnessing the most threatening cyber environment to date, with a record number of ransomware attacks and increasingly sophisticated malware with some of the highest levels of nation-state involvement. In response, strict information security governance standards, tightening legal and regulatory requirements, and a flurry of cyber event-driven shareholder derivative and securities class action litigation have made cyber resilience a critical priority for corporate Australia.

Coupled with this, the recent landmark Federal Court decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd has established that failing to manage cyber risks is a breach of a financial services licensee's obligations.


Until now, ASIC had not exercised its enforcement powers over a company's failure to have adequate cyber security and resilience risk management controls in place. This decision could signal the beginning of ASIC pursuing action against AFSL holders that fail to address cyber security risk management deficiencies. It is possible the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) will follow suit, given the heightened threat of cyber-attacks and previous regulator intervention, such as the Critical Infrastructure Bill.


Implications for Directors & Officers

Directors and Officers have a fiduciary duty to act in good faith and with due care. This duty also extends to the protection of data, IT networks, and systems. Directors and Officers must establish a cyber-governance framework that enables them to meet their fiduciary duties, protect digital assets, and ensure cyber-security compliance requirements are met, in order to avoid litigation.

Directors and Officers are not expected to understand the technical ins and outs of cyber-attacks or the finer details of their company’s IT systems and hardware. However, they must know how to govern privacy and cyber-security risks. Here are three key areas to consider:

1. Know the threat environment

Having a clear understanding of the business’s threat environment helps boards and executives comprehend the cyber risks and their potential impact.

· Understand the types of cyber-attacks being conducted and those likely to be targeted at the company.

· Identify internal operations that increase cyber risks and external factors that need to be considered in your cyber risk management. Failure to focus on this area may have a similar result to that of RI Advice, leaving the question of ‘adequacy’ to the courts.

· Directors and Officers must know the possible impact of compliance risks (e.g., financial penalties, reputational harm, lost revenue, and possible restrictions that reduce market share).


2. Uphold strong privacy and cyber-security compliance standards

· You can read more about this in our 5 essentials in cyber security article.


3. Exercise key elements of a cyber-security program

· The Australian Cyber Security Centre’s Essential Eight Maturity Model is an effective strategy for minimising cyber threats.


A business’s Risk Manager plays a pivotal role in ensuring that the company’s risk strategy and insurance coverage also appropriately address cyber risks.


WITH YOU ALL THE WAY

Boards and senior executives should carefully review the adequacy of their organisation’s cyber security controls and its preparedness for an attack. Please reach out to your Honan broker to find out about our Cyber Scenario Testing, offered in partnership with Clyde & Co. You can discover more about cyber security and insurance in our Cyber Capability Statement.


Ben Robinson

Placement Manager - Professional & Executive Risks

benjamin.robinson@honan.com.au
