Ahead of the release of the federal government’s 2023-2030 Australian Cyber Security Strategy, ASIC chair Joe Longo has warned that directors can face potential enforcement action by ASIC if they do not act with reasonable care and diligence on cyber security. He told a recent cyber conference in Sydney that for all boards, cyber security and cyber resilience need to be top priorities. Andy Penn AO, chair of the federal government's Cyber Industry Advisory Committee and former CEO of Telstra, also outlined at the conference what practical steps directors and boards can take to protect their companies and customers.
Cyber security and resilience are not merely technical matters on the fringes of directors’ duties, ASIC chair Joe Longo told the recent AFR Cyber Summit.
“ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could mean failing to meet your regulatory obligations.”
For all boards, cyber security and cyber resilience have to be top priorities, he told the conference. “If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC, based on the directors not acting with reasonable care and diligence.”
Measures taken by boards and directors should be proportional to the nature, scale and complexity of their organisations – and the sensitivity of key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.
Longo said ASIC also expects this board focus to include oversight of risk in digital supply chains, including taking an active role in evaluating third-party cyber risk.
Mr Longo added there is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. He said it’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks, including within the supply chain.
What boards can do
Meanwhile, Mr Penn outlined four key priorities for directors to assist in building cyber resilience.
Boards should know what data they hold, have an inventory of their IT systems and a plan to upgrade their systems, he told the summit. And they should have a response plan to manage the fallout of a breach and know how to repair their systems if they are hacked, he said.
“I think there are really practical things that boards can do. These include an inventory of all systems and endpoints in a large, complex organisation and a framework of protection which can identify and subjectively assess what level of cyber security maturity is required. That's a very useful tool.”
Similarly, an inventory of all data sets is required to identify what data is held and where it is held, in addition to a response and recovery plan. “It's those types of practical things ultimately that I think boards and companies and executives need.”
If there is a significant cyber attack and customer data is breached, directors and senior executives need to know what to do to discharge their responsibilities and take reasonable steps to mitigate the risk, he said.
Regulators are looking at cyber security and the conduct of boards through a risk lens, he said. “That's something that as directors and as company officials, we need to be very cognisant of, if we're running a company that's involved in providing critical infrastructure to the nation. One would expect us at board level to be thinking about cyber security very clearly.”
He added that section 180 of the Corporations Act, which sets out directors' duties, does not specifically mention cyber security, but that directors' obligations in relation to cyber security settings and the provision of digital products and services are implicit, whether in corporations law or consumer law.
“One of the things that I hear from businesses and corporates is they want a little bit of help and guidance as to what constitutes taking reasonable steps. What sort of frameworks can we look to? …It's about how do I know that I've taken reasonable steps to protect the company and particularly to protect our customers against malicious cyber activity…?”
AICD approach
As foreshadowed by the Federal Minister for Cyber Security and Home Affairs Clare O’Neil at the AFR Cyber Summit, the government will shortly release the 2023-2030 Australian Cyber Security Strategy. The strategy has been developed by an expert advisory board comprising Air Marshal (ret’d) Mel Hupfeld AO DSC, Andy Penn AO, and Rachael Falk MAICD, CEO of the Cyber Security Cooperative Research Centre. The objective of the strategy is to make Australia “the world’s most cyber-secure nation” by 2030.
AICD provided a detailed submission to the consultation on the strategy’s development. The submission included AICD-commissioned research by King & Wood Mallesons on the cyber security regulatory settings of comparable international jurisdictions.
The AICD was pleased to host the minister and the expert advisory board at a director roundtable in our Melbourne office in late April this year, to discuss the governance of cyber security. They were joined by directors from across the listed, financial services and not-for-profit sectors.
Strong support for a united “team Australia” approach — one that both supports Australian organisations and boosts our national resilience — was a key theme of the roundtable.
The roundtable also acknowledged the role of the Cyber Security Governance Principles, published jointly by the AICD and the Cyber Security Cooperative Research Centre, in guiding boards of all organisations on good practice.
Our submission covered key consultation issues relating to cyber governance. These included whether company directors should have a new and specific duty to address cyber security risks (in addition to their current duties); whether ransomware payments by organisations should be made illegal; and the options for strengthening cyber security legislation and regulatory regimes.
On specific cyber duties for Australian directors, our view is that Australia’s comprehensive legal framework, which already obliges directors to effectively oversee cyber risk and resilience, together with separate regulatory and reputational incentives, is sufficient to focus directors on cyber security. The general directors’ duties of care and diligence, and of acting in the best interests of the organisation, provide a sound legal basis for high standards of cyber governance.
The AICD also offers a short course, The Board’s Role in Cyber, in a four-week virtual format to help experienced board directors prepare robust strategies on cyber resilience.