Cyber resilience health check
Effective cyber resilience requires leadership and a commitment of resources to develop strategies, including responses to a cyber attack.
Cathie Armour, Commissioner
This article was submitted to the Governance Institute for publication in the Governance Directions magazine in June 2015
There has been a significant growth in the number and severity of global cyber-attacks in the last few years. The annual cost of cyber-attacks to the global economy is estimated at more than $400 billion. ASIC is urging organisations to undertake a 'health check' to assess their risk management practices and test their degree of cyber resilience.
Cyber resilience is an organisation’s ability to prepare for and respond to a cyber-attack and continue operation during, or quickly adapt and recover from, a cyber-attack.
What is the risk?
The risk of cyber-attack may arise from employees and other insiders, corporate espionage, organised crime, hacktivists and in some cases may be state sponsored. It may be for the purpose of identity theft, espionage, network interruption, ransom, fraud, money laundering or a number of other purposes.
The types of risks businesses face, and the efforts that they will need to undertake to ensure their cyber resilience, will depend on the nature, scale and complexity of their businesses.
While the source of risk, the threat posed and an entity's vulnerabilities are limitless and constantly evolving, it is clear that when a cyber-attack does occur it can undermine businesses and impact our economy. There is the risk that investor confidence in the financial system and wider economy will be eroded.
Considering cyber-threats as part of the risk framework
Effective cyber resilience requires leadership and a commitment of resources to develop strategies, including responses to a cyber-attack. ASIC encourages company officers to assess their entity's threats and vulnerabilities now, and understand what, where and how its most valuable information is held. This assessment will allow an entity to prioritise resources to mitigate the effect of a potential cyber-attack.
Companies should specifically consider:
- whether cyber risks have been incorporated into their governance and risk management practices, and whether there are adequate controls and measures for managing those risks, including insurance; and
- how frequently cyber security policies and procedures should be tested, reviewed and updated.
These are matters that should be considered by the board and may impact on continuous and periodic reporting requirements.
Listed entity reporting requirements
Consistent with the ASX Corporate Governance Council's Corporate governance principles and recommendations, listed entities must ensure annual disclosure of material business risks that could adversely affect the achievement of the financial performance or financial outcome described. Depending on the business of an entity, cyber risks and resilience may need to be included in the assessment of material business risks.
For some entities raising capital it will also be appropriate to include disclosure of cyber risks and mitigation strategies to manage those risks in a prospectus. Disclosure of these risks in a prospectus will be required where it is relevant to an investor's decision and is reasonably required to assess the merits of the offer.
Listed entities must immediately disclose ‘market sensitive information’ to the market operator once they become aware of the information. As a result listed entities will need to consider how and when a cyber-attack may require disclosure as ‘market sensitive information’.
Obligations of financial sector entities
Entities in the financial sector licensed by ASIC have legal obligations, including risk management and disclosure requirements, that aren't required of other entities. ASIC expects that financial sector entities will address cyber resilience as part of these obligations. The consequence for failing to meet risk management and disclosure obligations may be fines, penalties, enforceable undertakings, licensing conditions, or a licence suspension or cancellation. For directors or company officers, it could result in disqualification from the financial services industry.
ASIC considers the US-developed NIST Framework has particular relevance as a standard to manage cyber resilience for financial service providers operating globally. It is expected to become a de facto global benchmark for financial markets.
The Australian government has established the Computer Emergency Response Team (CERT) which provides free advice and support on cyber threats and cyber vulnerabilities to owners and operators of Australia’s critical infrastructure and other systems of national interest. ASIC encourages major financial institutions and market infrastructure providers to partner with CERT before an incident occurs, and report all cyber security incidents to CERT.
The digital economy provides great opportunity for economic growth. Australians are rapid adopters of technology, with 7.5 million Australians accessing the internet via their mobile phones in 2013, an increase of 33% from 2012. It is important to remember that just as we adapt to the new opportunities provided by the digital economy, we must also adapt to new risks.
Reference: Centre for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime (Economic impact of cybercrime II), June 2014, p. 2.