ASIC has called on listed businesses to re-assess cyber risks and make a “long-term” commitment to cyber awareness.
Just over a month after the Federal Court found, in a landmark ruling, that local firm RI Advice breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks, Greg Yanco, executive director, Markets at ASIC, said businesses must be ready to respond to online threats.
“We encourage regulated entities to re-assess their cyber risks and ensure their detection, mitigation and response measures adequately address their risk appetite. They should also assess their preparedness to respond to cyber security incidents, and to review incident response and business continuity plans,” Mr Yanco said.
“ASIC is not seeking to prescribe technical standards or to provide expert guidance on cyber security. Where we consider a firm has not met its cyber risk management obligations, we may consider enforcement action to drive changes in behaviour.”
Mr Yanco added that businesses must not only be ready to respond to a cyber threat, but also be in a position to recover from it.
“The dynamic nature of the cyber threat landscape means entities should embed a comprehensive and long-term commitment to cyber awareness and resilience within their company culture,” he said.
“This may include regular and ongoing delivery of cyber-related training and awareness, and education messages to staff.”
Last month, ASIC reported a “significant number” of cyber incidents which occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
RI Advice was also ordered to pay $750,000 towards ASIC’s costs.
Shortly after the decision, Ajay Unni, CEO and founder of cyber security provider StickmanCyber, said “businesses must learn” from the landmark decision.
“With a rise in complexity and frequency of cyber threats, it isn’t a question of if your business will fall prey to a cyber attack, it is more a question of when an attack will occur,” Mr Unni said.
“Businesses, regardless of their size, type, and industry, need to enhance their cyber resilience.”