Boards’ Oversight Of Cyber Risk - Your Obligation To Be Prepared For Attack

At the September AFR Cyber Summit, ASIC warned board directors that it will seek to make examples of boards that are ill prepared for cyberattacks by taking legal action against companies that have not taken steps to protect customer data.

ASIC Chair Joe Longo stated:

“Cyber preparedness is not simply a question of having impregnable systems. That’s not possible,” he said. “Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.”

Mr Longo also commented:

'In ASIC’s work in this space, we’ve found there’s often a disconnect between several important elements, including:

  • Boards’ oversight of cyber risk,
  • Management reporting of cyber risk to boards,
  • Management identification and remediation of cyber risk,
  • Cyber risk assessments, and
  • How cyber risk controls are implemented.'

Failure to identify and address the risk of ransomware can make a Director liable under the Corporations Act 2001 (WA).

Reduced Insurance Premiums

Further, good cyber governance by boards will likely result in reduced cyber insurance premiums, while insurers are increasingly likely to decline policies for clients who show a lack of cyber protection.

Operation Birks

The importance of good cyber security was laid out recently in Operation Birks, which was led by the Australian Securities and Investments Commission (ASIC) and the Australian Federal Police (AFP). The operation tracked down a major cyber crime ring that was responsible for stealing more than $3.3 million through large-scale online fraud and that attempted to steal a further $7.5 million from victims’ superannuation and share accounts.

Interestingly, the scheme was brought down by the mistake of a North Melbourne woman, who put a new SIM card in her phone for each account she hacked. The woman accidentally used one of these SIM cards to order kebabs to her home, and the AFP traced that order to her.

ASIC Deputy Chair Sarah Court said, “Data breaches within Australia’s financial system are significant threats, with consequences that can affect people’s savings for retirement. Driving good cyber-risk and operational resilience practices in financial services and markets is a continuing priority for ASIC. Where appropriate, we will act to address digitally-enabled misconduct, including scams. We encourage all entities to be cyber vigilant and act quickly to protect consumers.”

Lavan Comment

Organisations must continue to upskill their employees and executives to meet cyber compliance obligations. If you require assistance with cyber protection planning or if you are the subject of a cyber breach, please contact Iain Freeman for assistance on (08) 9288 6000 /

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.