AFR Cyber Summit: ASIC to target boards that do not have cyber security systems in place

Cyber security is a key issue for boards and all companies and it continues to have a profound impact on the Australian business landscape. This week, our Digital Governance team attended the AFR Cyber Summit to hear how the Australian Government and ASIC are addressing some of the critical issues surrounding cyber security and how boards and companies can protect their business and deal with a cyber attack. 

The speakers at the summit included The Hon. Clare O’Neil Minister for Home Affairs and Cyber Security, Air Marshal Darren Goldie National Cyber Security Coordinator, ASIC Chair Joe Longo and several chief information security officers for Australian businesses.

Below are some of the messages given by these speakers and the key themes discussed in Q&A sessions throughout the day: 

Cyber security is a board-level concern

The Home Affairs and Cyber Security Minster Clare O’Neil and ASIC Chair Joe Longo said that cyber security is a top-level issue for boards. How small business deals with the issue is a concern for the government.

All speakers made it clear that boards should be looking at their business's overarching cyber security resilience and posture, and their breach response plans and capabilities. A cyber security response plan is not static, it must be continuously reviewed and evolved.

A cyber breach is inevitable

The speakers recognised that a cyber breach is not a matter of if it will occur, it’s a matter of when it will occur. Every system is vulnerable. 

Businesses should:

• Think of cyber security preparedness as a system. Consider your framework, the dollars, and education and set your risk posture. Be agile.

• Have capital expenditure set aside to ensure they can plan, prepare, respond, and review the threats.

• Have a data breach response plan.

• Consider protecting their business's 'crown jewels' that are essential to operating.

• Rethink their approach to data retention - be gone the idea that data is the new oil and retention is always good.

Security framework plans

The Commonwealth Government does not intend to build a "boutique" Australian security framework, as the government wants to work with global partners and allow Australian businesses to export its technology.

Third party suppliers as a primary security risk

It is recognised that larger businesses spend significant amounts of time auditing third party suppliers in order to onboard them securely. There should be an effort to standardise such audits and checks.

The ASIC Chair repeatedly identified third party suppliers as the primary cyber risk for businesses and said “You can only protect yourself if you act now…evaluate third party security risk and recent events show that if you don’t you will suffer for it". 

Emphasising threat sharing

The government and larger businesses (including well known vendors) are looking for 'threat sharing', not 'intelligence sharing'. Threat sharing will build group resilience.

Cyber shields rings of defence

The Minister unveiled the six cyber shields working as rings of defence: 

• At its core, start at home with a strong business and citizens.

• Then safe technology itself (see further below for safe tech products).

• World class threat sharing and blocking.

• Protected critical infrastructure.

• Sovereign capabilities.

• Resilient region. 

The Minister also said, “At this point in time, we don’t have the resources to outright ban the payment of ransomware payments”.

'Digital Safe' products

It was identified that the rapid digitisation of physical assets and 'the internet of things' has increased the threat profile for consumers. Australians now have internet connected devices littered throughout their lives - their fridge, coffee machines, washing machines, cars, smart tvs, phones, and computers all collect data. Australians need to learn how to live within the cyber landscape as if cyber awareness is a life skill akin to crossing the road. 

There will be a focus on security in technology products or 'digital safe' products. The example was given that if you were to buy a baby seat for your car, you know it has been built to an accepted standard required by decades of improvement, however, there is no obligation in technology to be 'digitally safe' ensuring the security of that technology meets a reasonable standard (for example baby monitors and home security cameras do not have any 'safe' security standards, and if connected to the internet can be readily hacked).

This is an interesting development as it is foreseeable that 'digital safe' could be developed to the point that the product safety and manufacturer liability laws existing within the Competition and Consumer Act 2010 (Cth) could potentially be used to ensure better technology product security outcomes. 

Individual responsibility 

Cyber security needs to become a life skill for all Australians, but it can’t happen overnight. 

The biggest threat remains the three feet between the office chair and the keyboard - the human error. There will always be cyber threats, but the way they become problems is when employees are not educated on the risks of phishing or known cyber vulnerabilities, or when the threat uses AI that is too good not to deceive.

AI is also making emails and SMS phishing much more sophisticated. With this, the key is 'threat blocking'.

The parties best placed to protect their personal information are individual Australians. Hence reporting a breach is critical as it gives the individual the opportunity to change passwords, close accounts, and be issued with replacement documents or products.

Insights and commentary from ASIC Chair, Joe Longo

• Cyber security is a foreseeable risk of harm to a company. A failure to act on the issue places the director at risk of being in breach of his or her duties.
• ASIC wants businesses to understand that every system is vulnerable and reliance on a third party does not eliminate or minimise that risk, in fact, data tells us that a third party is the biggest risk to your business. Good cyber management starts at the top, there cannot be a disconnect between the board and those managing the risk. What is accepted by ASIC as being reasonable preparedness will be an assessment of whether the cyber response is proportional to the business.
• The ASIC Chair said that businesses should take three approaches:
  • Never set and forget, "there is no vaccination" for cyber security - your cyber response and systems must evolve and be active; a business cannot set and forget their security (“no vaccination”), and says “act now”, then ties a lack of activity, planning and ongoing management as a potential breach of directors duties (duty to act with reasonable care).
  • Plan and test for attacks, it is not if but when. The board should ask itself how they will communicate when things go wrong? The incident response plan must include how to deal with third party vendors.
  • You cannot protect what you cannot identify or are not aware of - you must identify all of your systems and data so that you can plan how to protect them. 
•  Other comments from the ASIC Chair:

  •  "Good cyber risk management must start at the top."

  • "Cyber risk management framework must adequately cover risk. Failure to do so could be in breach of directors duty of reasonable care."

  • Effectively, boards cannot rely solely on third parties to provide a solution. Those third party suppliers should also be considered a security risk.

• The government (particularly the ACSC) is looking for better reporting of incidents and 'threat sharing' for better group learning, responses and resilience. However, there is a natural tension between this and the risk that boards face with stakeholder claims, especially class actions. It was reported that only 27% of cyber breaches are reported, yet without 'safe harbour' provisions for attacked businesses, it is likely that reporting will not improve.

• Third party suppliers are a primary risk to business. The recent Frontier and Dymocks breaches were not to their systems but to the third parties.

• Even if your business is not targeted by ASIC, cybersecurity is undoubtedly a governance issue that, if something goes wrong, boards should be in a position where they can show the reasonable steps they took to prepare and manage. Otherwise, affected stakeholders will allege breaches of duties and obligations. And regulators and courts will have a less sympathetic lens for those boards that do not act.

What can companies and boards do to safeguard their business from a cyber attack?

• Andy Penn, Chair of the Cyber Security Industry Advisory Committee said that cyber is a "whole of board" issue, it should not be left to a single board member to manage. Boards must understand conceptual risks, including asking the right questions such as, "Where are my data sets?" and "Are my end points protected", and be willing to invest. 

• Andy Penn and Joe Longo (separately) discussed that boards must take reasonable steps to mitigate the risk, practical and proportionate to your business. Look at the circumstances of the business. Boards must demonstrate the viability of your plans, otherwise, they could be in breach. It is time to view cyber risk as any other risk in the business such as OHS or similar.

• Take inventory - know what data sets you have and where. If you were told as a new incoming CEO that you have 20 warehouses around the world you would ask what is in each warehouse (diamonds, illegal arms, or office supplies?) and arrange security accordingly. You cannot protect what you don’t know. 

•  Identify your data sets, weak points, and risks. Make hard decisions. Ringfence your data. Avoid complexity and look for security by design and "radical simplicity", as attackers exploit complexities, misconfigurations, mis-patches, no patches, land ack of decision making.

• Ongoing patches are key for continually improving security however, too often, legacy systems cannot be patched. At some point in time, probably sooner than later, a fresh start or transformation is required.

• Ask about legacy data. Do you want to keep it? Is it appropriately protected?

• Train for attacks, don't go through the motions - make it random, and do not hide from vulnerabilities. Simulate, simulate, simulate!