
Cyber safety a company culture matter

By Greg Yanco, Executive Director, Markets

Published 10 June 2022

Listed businesses must be ready to respond when their operations are threatened by online criminals, writes ASIC Executive Director of Markets, Greg Yanco.

Earlier this year, the World Economic Forum released its annual Global Risks Report 2022. Failure of cyber security measures was the number one risk for Australian executives, even before Russia’s invasion of Ukraine and the resultant increase in global instability.

Shortly after, the Australian Cyber Security Centre (ACSC) issued an alert recommending all local organisations adopt an enhanced cyber security position. Currently there are no specific or credible threats to Australian organisations, but that could change. As such, ASIC strongly encourages listed entities to act on the ACSC’s advice and improve cyber resilience.

ASIC’s December 2021 resilience report showed firms operating in Australia’s markets had a small but steady improvement in cyber resilience. However, the increase of 1.4% fell far short of the 14.9% improvement targeted for the period.

This shortfall was in part attributable to pandemic-related disruptions. As we approach the end of the 2021/22 financial year, and against the backdrop of a heightened cyber threat environment, companies should review their cyber resilience settings and take appropriate actions.

We encourage regulated entities to re-assess their cyber risks and ensure their detection, mitigation and response measures adequately address their risk appetite. They should also assess their preparedness to respond to cyber security incidents, and review their incident response and business continuity plans.

ASIC is not seeking to prescribe technical standards or to provide expert guidance on cyber security. Where we consider a firm has not met its cyber risk management obligations, we may consider enforcement action to drive changes in behaviour. This is illustrated by ASIC’s proceedings against RI Advice Group. We argued it failed to have adequate policies, systems and resources in place to appropriately manage risk relating to cyber resilience.

Risk mitigation and reporting

Cyber resilience is the ability to prepare for, respond to and recover from a cyber incident. Resilience is more than just preventing or responding to an attack. It takes into account the ability to adapt and recover from such an event.

The dynamic nature of the cyber-threat landscape means entities should embed a comprehensive and long-term commitment to cyber awareness and resilience within their company culture. This may include regular and ongoing delivery of cyber-related training, awareness and education messages to staff.

These initiatives should go hand-in-hand with threat-response planning, examining the firm’s reliance on all third-party providers, and the potential impact of breaches to those providers’ controls.

Boards and senior management should continue paying close attention to their entity’s overall risk exposure.

This includes meeting cyber security–related regulatory obligations such as reporting breaches to ASIC, the ACSC or the Office of the Australian Information Commissioner as required. Where necessary, they should also pay close consideration to disclosure requirements to the market, as well as in financial reporting.

Guidance and resources

ASIC has published good practice guidance and key questions for boards to ask about cyber-risk management. We also have a number of resources to help companies improve their cyber resilience. For more information visit www.asic.gov.au/cyber-resilience.

Company auditors can also refer to guidelines produced by the Auditing and Assurance Standards Board (AUASB) bulletin, , on the AUASB website.

This article was first published in ASX’s Listed@ASX magazine in June 2022.