Heightened cyber security risk increases regulatory exposure

A recent case in the Australian Federal Court sends a warning to any organisation that isn’t properly managing its cyber risk.


Corporate regulator the Australian Securities and Investments Commission (ASIC) undertook its first enforcement action in relation to Australian Financial Services (AFS) licensee obligations in the context of cybersecurity. The licensee was found to have contravened the Corporations Act by failing to have adequate ‘controls and documentation’ in place to manage cyber security risks across its authorised representative network. 

"The impact of cyber risk is increasing in severity and every organisation needs to take steps to respond.”

The Federal Court decision is a clarion call to organisations and their boards to ensure risk management systems are equipped to address increased cyber risks as well as an ever-growing regulatory burden. This includes recent changes to the Security of Critical Infrastructure laws, the introduction by ASIC of new market integrity rules and the likely introduction by the Federal Government of new ransomware-specific laws.

Malicious cyber activity is ubiquitous and MinterEllison’s 2022 Cyber Risk Report found a quarter of respondent organisations have been subject to a cyber security incident that compromised their systems or data. Around 90 per cent of respondents had personally received an obvious phishing email or ransomware security threat in the past 12 months.

This suggests two things: there is a significant volume of attempted cyber-attacks; and individuals are becoming more adept at recognising suspicious cyber activity.

While many organisations consider cyber security to be a high risk, there are additional measures they can and should take to address it. Notably, while 56 per cent of respondents identified cyber as a top five risk, less than half said they had taken steps to assess their cyber security against an established framework.

This gap between cyber risk awareness and action needs to narrow if organisations are to properly manage their exposure. 


Hot topics

With ransomware attacks more prevalent, the cyber risk landscape is becoming increasingly threatening. 2020-21 saw a 15 per cent increase in ransomware-related cybercrime compared with the previous financial year, as reported in the Australian Cyber Security Centre’s (ACSC) Annual Report. During 2020-21, the ACSC responded to nearly 160 cyber security incidents related to ransomware.

Many organisations interviewed by MinterEllison said they had received additional budget to mitigate a ransomware attack – though few had developed a ransomware-specific playbook to implement should one occur.

Board awareness and education is also a primary concern as the risks escalate and the stakes become higher. New laws impose onerous regulatory obligations on organisations across many sectors of the economy – particularly financial services organisations. Within that context, board members are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.

On top of these concerns, Australian organisations are finding it difficult to fill specialist cyber security roles. Finding qualified and experienced IT security personnel continues to be a significant challenge, exposing under-resourced organisations to additional risk. Cyber insurance is becoming increasingly difficult to obtain – and is not a panacea.

Technology and information security leaders noted cyber insurance is becoming more expensive and its coverage more limited – both in terms of the extent of policy exclusions and the lower available limits. Leaders recognise cyber insurance is not (and has never been) a panacea for cyber risk. They must continue to take proactive steps to strengthen their cyber resilience.

Focus and management

In addition to the quantitative survey, MinterEllison spoke with technology and information security leaders across a range of industries to gain a more in-depth, qualitative understanding of the current cyber issues of focus and the measures that they are implementing. They shared lessons for managing cyber risk:

  1. Develop ransomware-specific safeguards and policies.
  2. Conduct regular tests of cyber incident response plans and update those plans as necessary.
  3. Conduct regular and tailored cyber-attack simulation exercises.
  4. Conduct tailored cyber security education programs for the board and executives as well as for employees across the organisation.
  5. Focus on mitigating supply chain risk, including by implementing appropriate technical and organisational controls.
  6. Benchmark the organisation’s cyber security practices against external standards and frameworks.

  7. Join industry groups and networks to keep up to date with current cyber threats and trends.

MinterEllison’s research revealed an increase in the percentage of respondent organisations who say they regularly test their cyber security plans. However, 41 per cent of respondent organisations either do not regularly test their cyber security plans or are not sure whether they do so.

All organisations should continue to prioritise cyber security and implement a regular testing program of their plans and processes to address a dangerously evolving cyber risk landscape.

Paul Kallenbach is a Partner – Technology and Data at MinterEllison

You can read the full Cyber Risk Report here

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
