Navigating the regulatory landscape - ASIC’s cyber security mandates for boards

In today’s digital era, where cybercrimes and data breaches are an ever-present risk, organisations must adapt to ensure robust cyber security measures.

As cyber criminals grow increasingly sophisticated, the Australian Securities and Investments Commission (ASIC) has intensified its scrutiny of organisations, urging boards to fortify their defences against cyber threats or face regulatory consequences.

Recent statements by ASIC Chairman Joe Longo signalled a crackdown on organisations lacking adequate cyber security preparedness, following the results of ASIC’s 2023 pulse survey, which highlighted significant gaps in corporate Australia’s cyber security.

Understanding the risks

As businesses navigate the complex cyber security landscape, it is crucial they grasp the multifaceted nature of cyber threats. Recent incidents, such as the credential stuffing incident that engulfed popular Australian online retailer The Iconic, are a stark reminder of the insidious nature of cyber threats, even in circumstances where the organisation did not suffer a data breach.

As part of BDO’s latest Scams Culture Report, we highlighted the low cost of obtaining cyber criminals' assistance to hack an organisation’s LinkedIn company profile—as low as AUD $17 on the dark web. Incidents such as these underscore the need for organisations to fortify their defences against such nefarious activities.

Third-party risks are also often overlooked and pose a significant threat, as evidenced by the growing trend of cyber criminals targeting supply chains and business partnerships. Boards must recognise the constantly evolving threat landscape and take proactive measures to mitigate risks effectively.

Whilst much attention is devoted to internal IT security, overlooking risks posed by third-party suppliers or business partners can be catastrophic for organisations. To effectively manage these risks, organisations must conduct comprehensive risk assessments and integrate third-party risk management into their overall cyber resilience strategy, ensuring a holistic approach to cyber security encompassing every link in their supply chain.

Protecting your environment

In the digital age, adopting comprehensive protection strategies is pivotal for enhancing cyber resilience and safeguarding against the evolving landscape of cyber threats. Organisations must critically assess their need to store sensitive data, like credit card information, and only retain it when absolutely necessary while applying robust security measures for any data kept.

Implementing multi-factor authentication significantly enhances security, adding an essential layer of protection beyond just passwords. Regularly updating systems with the latest security patches is crucial to defend against new vulnerabilities. Additionally, ensuring every team member is prepared and informed and equipping staff with comprehensive awareness training on cyber security practices is vital to fortify the organisation's defence against cyber threats.

Incident Response Planning

Managing the impact of cyber risk is equally as important as implementing protection strategies, highlighting the need for organisations to have comprehensive incident response plans. The increasing frequency and sophistication of cyber-attacks underscore the critical need for well-defined plans that offer clear procedural guidance for addressing and responding to incidents at both technical and non-technical levels.

These plans should include guidance and instructions for communicating effectively with staff and customers during a cyber incident, ensuring transparency and maintaining trust. Educating teams on their roles within the incident response framework and conducting regular drills to follow the plan in simulated scenarios are essential to prepare for real-world breaches.

Additionally, rehearsing the incident response plan through regular testing is crucial for assessing its effectiveness and making necessary adjustments. This approach helps manage the immediate fallout from cyber incidents and strengthens an organisation's resilience against future threats.

What do Directors and Boards need to know?

Cyber resilience has emerged as the cornerstone of organisational preparedness, encompassing the capacity to anticipate, respond to, and recover from cyber incidents. Despite this, many businesses still need to pay more attention to the broader risk landscape encompassing processes and personnel when considering security requirements.

ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk and that controls are implemented to protect critical assets and enhance cyber resilience. They warn that failure to do so could cause directors to fall foul of their regulatory obligations.

Boards and Directors are pivotal in steering their organisations towards cyber resilience. They must spearhead efforts to implement and continually evaluate robust cyber security controls, educate employees on best practices, and develop incident response protocols. Collaboration with external cyber security specialists can alleviate the burden, offering expertise and insights to enhance cyber resilience.

To meet ASIC's cyber security expectations, the entire executive team needs to be cyber-aware. Boards must grasp regulatory requirements, implement adequate controls, and continually reassess their cyber security posture. Organisations must strive to enhance their cyber security maturity within recognised frameworks through internal initiatives and external partnerships.

ASIC emphasises the imperative of resilience, stressing the need for proactive measures and regular testing to mitigate cyber risks effectively. An effective cyber security strategy aligned with governance and risk frameworks ensures that organisations can confidently navigate the evolving cyber threat landscape.

As businesses confront the ever-changing cyber threat landscape, prioritising cyber resilience is paramount. By embracing ASIC's cyber security mandates and fostering a culture of vigilance, boards can safeguard their organisations against cyber threats and future-proof their operations.

Contact us

Our team of Cyber Security experts have the range and depth of experience to support your business – whatever your goals may be. For more information on cyber security mandates, reach out to our Cyber Security team.