Corporate regulator the Australian Securities and Investments Commission (ASIC) undertook its first enforcement action in relation to Australian Financial Services (AFS) licensee obligations in the context of cybersecurity. The licensee was found to have contravened the Corporations Act by failing to have adequate ‘controls and documentation’ in place to manage cyber security risks across its authorised representative network.
“The impact of cyber risk is increasing in severity and every organisation needs to take steps to respond.”
The Federal Court decision is a clarion call to organisations and their boards to ensure risk management systems are equipped to address increased cyber risks as well as an ever-growing regulatory burden. This includes recent changes to the Security of Critical Infrastructure laws, the introduction by ASIC of new market integrity rules and the likely introduction by the Federal Government of new ransomware-specific laws.
Malicious cyber activity is ubiquitous and MinterEllison’s 2022 Cyber Risk Report found a quarter of respondent organisations have been subject to a cyber security incident that compromised their systems or data. Around 90 per cent of respondents had personally received an obvious phishing email or ransomware security threat in the past 12 months.
This suggests two things: there is a significant volume of attempted cyber-attacks; and individuals are becoming more adept at recognising suspicious cyber activity.
While many organisations consider cyber security risk to be a high risk for their organisation, there are additional measures organisations can and should take to address the risk. Notably, while 56 per cent of respondents identified cyber as a top five risk, less than half said they have taken steps to assess their cyber security against an established framework.
This gap between cyber risk awareness and action needs to narrow if organisations are to properly manage their exposure.