10 May 2022
A recent case in the Australian Federal Court sends a warning to any organisation that isn’t properly managing its cyber risk.
Corporate regulator the Australian Securities and Investments Commission (ASIC) undertook its first enforcement action in relation to Australian Financial Services (AFS) licensee obligations in the context of cybersecurity. The licensee was found to have contravened the Corporations Act by failing to have adequate ‘controls and documentation’ in place to manage cyber security risks across its authorised representative network.
“The impact of cyber risk is increasing in severity and every organisation needs to take steps to respond.”
The Federal Court decision is a clarion call to organisations and their boards to ensure risk management systems are equipped to address increased cyber risks as well as an ever-growing regulatory burden. This includes recent changes to the Security of Critical Infrastructure laws, the introduction by ASIC of new market integrity rules and the likely introduction by the Federal Government of new ransomware-specific laws.
Malicious cyber activity is ubiquitous and MinterEllison’s 2022 Cyber Risk Report found a quarter of respondent organisations have been subject to a cyber security incident that compromised their systems or data. Around 90 per cent of respondents had personally received an obvious phishing email or ransomware security threat in the past 12 months.
This suggests two things: there is a significant volume of attempted cyber-attacks; and individuals are becoming more adept at recognising suspicious cyber activity.
While many organisations consider cyber security to be a high risk for their organisation, there are additional measures organisations can and should take to address it. Notably, while 56 per cent of respondents identified cyber as a top five risk, less than half said they have taken steps to assess their cyber security against an established framework.
This gap between cyber risk awareness and action needs to narrow if organisations are to properly manage their exposure.
With ransomware attacks more prevalent, the cyber risk landscape is becoming increasingly threatening. 2020-21 saw a 15 per cent increase in ransomware-related cybercrime compared with the previous financial year, as reported in the Australian Cyber Security Centre’s (ACSC) Annual Report. During 2020-21, the ACSC responded to nearly 160 cyber security incidents related to ransomware.
Many organisations interviewed by MinterEllison said they had received additional budget to mitigate a ransomware attack – though few had developed a ransomware-specific playbook to implement should one occur.
Board awareness and education are also primary concerns as the risks escalate and the stakes become higher. New laws impose onerous new regulatory obligations on organisations across many sectors of the economy – particularly financial services organisations. Within that context, board members are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.
On top of these concerns, Australian organisations are finding it difficult to fill specialist cyber security roles. Finding qualified and experienced IT security personnel continues to be a significant challenge, exposing under-resourced organisations to additional risk.
Cyber insurance is becoming increasingly difficult to obtain – and is not a panacea
Technology and information security leaders noted cyber insurance is becoming increasingly expensive and its coverage more limited – both in terms of the extent of policy exclusions and the lower available limits. Leaders recognise cyber insurance is not (and has never been) a panacea for cyber risk. They must continue to take proactive steps to strengthen their cyber resilience.
Focus and management
In addition to the quantitative survey, MinterEllison spoke with technology and information security leaders across a range of industries to gain a more in-depth, qualitative understanding of the current cyber issues of focus and the measures that they are implementing. They shared lessons for managing cyber risk:
Join industry groups and networks to keep up to date with current cyber threats and trends.
MinterEllison’s research revealed an increase in the percentage of respondent organisations who say they are regularly testing their cyber security plans. Conversely, 41 per cent of respondent organisations either do not regularly test their cyber security plans or are not sure whether they do so.
All organisations should continue to prioritise cyber security and implement a regular testing program of their plans and processes to address a dangerously evolving cyber risk landscape.
Paul Kallenbach is a Partner – Technology and Data at MinterEllison
You can read the full Cyber Risk Report here
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.