Watchdog warns company directors over cybersecurity failures.

Company directors could breach their duties if their companies fail to deal with cyberattacks adequately, warns Australian Securities and Investment Commission chairman Joe Longo.

This could include the directors of high-profile companies such as Medibank, Optus and consumer finance group Latitude, which have been the subject of high-profile and damaging cyberattacks over the past year.

Longo said in a speech to the Australian Financial Review cyber summit.

• “For all boards, cybersecurity and cyber resilience have to be top priorities,”
• “If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence,” he said

ASIC’s research has shown there is often a disconnect between a company board’s oversight of cyber risk, management reporting on this topic to their board, and the identification and assessment of risks and how controls are implemented.

Longo said

• This disconnect must be addressed if the board wants to meet its legal obligations.
• “Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties”

The Office of the Australian Information Commissioner has opened investigations into the cyberattacks on Optus, Medibank and Latitude, which could open the door for ASIC to take legal action. This is on top of potential class action lawsuits over the cyberattacks.

A year ago,

• Optus revealed that hackers had stolen the personal data of more than 9 million of its customers.
• Weeks later, Medibank was the subject of a cyberattack in which the data of 10 million former and current customers was stolen, as well as some sensitive customer health records. Latitude also reported it was the victim of a significant cyberattack.

The information commissioner investigations will focus on whether these companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.

Longo also singled out recent hack of Latitude Group, which was blamed on a third-party service provider, as a risk that companies must manage effectively. He said

• “If you’re not evaluating your third-party cybersecurity risk, you’re deceiving yourself. And recent events show that you will suffer for it,”

Cybersecurity Minister Clare O’Neil, also appearing at the summit, unveiled the government’s next stage of plans to help combat the growing cybersecurity issues for Australian companies with a national security framework.

she told the ABC on Monday morning.

• “Part of our strategy is to build six protective layers around our population to make sure that business and industry and government are doing everything that they can to make sure that our citizens are kept safe from this terrible problem,”
• “These shields will help protect our business, our organisations and our citizens, and it will mean that we won’t be alone or in our silos trying to manage this problem. It will mean a cohesive, planned national response that builds to a more protected Australia,” she said at the summit.

The ‘nightmare’ cybersecurity scenario being war gamed by government

O’Neil, who blasted Optus last year for its lax security after its hacking incident, has taken a more conciliatory approach since then. She said

• Australian businesses were taking note of the growing threat.
• “Those high-profile attacks that I mentioned off the top were deeply painful events for our country. If there’s a silver lining, it is that for every board that I talk to now, cybersecurity is a top priority for the board, and it is one they discussed in every single board meeting,”

Source

Colin Kruger September 18, 2023 — 3.22pm https://amp-smh-com-au.cdn.ampproject.org/c/s/amp.smh.com.au/business/companies/watchdog-takes-aim-at-company-directors-over-cybersecurity-20230918-p5e5h9.html