Higher Cyber Risk = Greater Regulatory Exposure

 
Corporate regulator the Australian Securities and Investments Commission (ASIC) undertook its first enforcement action in relation to Australian Financial Services (AFS) licensee obligations in the context of cybersecurity. The licensee was found to have contravened the Corporations Act by failing to have adequate ‘controls and documentation’ in place to manage cyber security risks across its authorised representative network. 

 

“The impact of cyber risk is increasing in severity and every organisation needs to take steps to respond.”

 

The Federal Court decision is a clarion call to organisations and their boards to ensure risk management systems are equipped to address increased cyber risks as well as an ever-growing regulatory burden. This includes recent changes to the Security of Critical Infrastructure laws, the introduction by ASIC of new market integrity rules and the likely introduction by the Federal Government of new ransomware-specific laws.

 

Malicious cyber activity is ubiquitous and MinterEllison’s 2022 Cyber Risk Report found a quarter of respondent organisations have been subject to a cyber security incident that compromised their systems or data. Around 90 per cent of respondents had personally received an obvious phishing email or ransomware security threat in the past 12 months. This suggests two things: there is a significant volume of attempted cyber-attacks; and individuals are becoming more adept at recognising suspicious cyber activity. 

 

While many organisations consider cyber security risk to be a high risk for their organisation there are additional measures organisations can and should take to address the risk. Notably, while 56 per cent of respondents identified cyber as a top five risk, less than half said they have taken steps to assess their cyber security against an established framework. This gap between cyber risk awareness and action needs to narrow if organisations are to properly manage their exposure. 

 

 

Kallenbach_chart.png

 

Hot topics

With ransomware attacks more prevalent, the cyber risk landscape is becoming increasingly threatening. 2020-21 saw a 15 per cent increase in ransomware-related cybercrime compared with the previous financial year, as reported in the Australian Cyber Security Centre’s (ACSC) Annual Report

 

During 2020-21, the ACSC responded to nearly 160 cyber security incidents related to ransomware.

Many organisations interviewed by MinterEllison said they had received additional budget to mitigate a ransomware attack – though few had developed a ransomware-specific playbook to implement should one occur.

 

Board awareness and education is also a primary concern as the risks escalate and the stakes become higher. New laws impose onerous new regulatory obligations on organisations across many sectors of the economy – particularly financial services organisations. Within that context, board members are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.

 

On top of these concerns, Australian organisations are finding it difficult to fill specialist cyber security roles. Finding qualified and experienced IT security personnel continues to be a significant challenge, exposing under-resourced organisations to additional risk. Cyber insurance is becoming increasingly difficult to obtain – and is not a panacea.

 

Technology and information security leaders noted cyber insurance is becoming increasingly more expensive and its coverage more limited – both in terms of the extent of policy exclusions and the lower available limits. Leaders recognise cyber insurance is not (and has never been) a panacea for cyber risk. They must continue to take proactive steps to strengthen their cyber resilience.

 

Focus and management

In addition to the quantitative survey, MinterEllison spoke with technology and information security leaders across a range of industries to gain a more in-depth, qualitative understanding of the current cyber issues of focus and the measures that they are implementing. They shared lessons for managing cyber risk:

  1. Develop ransomware-specific safeguards and policies.
  2. Conduct regular tests of cyber incident response plans and update those plans as necessary.
  3. Conduct regular and tailored cyber-attack simulation exercises.
  4. Conduct tailored cyber security education programs for the board and executives as well as for employees across the organisation.
  5. Focus on mitigating supply chain risk, including by implementing appropriate technical and organisation controls.
  6. Benchmark the organisation’s cyber security practices against external standards and frameworks.
  7. Join industry groups and networks to keep up to date with current cyber threats and trends.

 

MinterEllison’s research revealed an increase in the percentage of respondent organisations who say they are regularly testing their cyber security plans. Conversely, 41 per cent of respondent organisations either do not regularly test their cyber security plans or are not sure whether they do so. All organisations should continue to prioritise cyber security and implement a regular testing program of their plans and processes to address a dangerously evolving cyber risk landscape.

 

 

27 Jun 2022 Paul Kallenbach is a Partner – Technology and Data at MinterEllison

 

Explore the Blog

Subscribe to our newsletter!

Testimonials