Report on Cyber Resilience highlights the need for proper cyber security, this time from ASIC

April 6, 2015

If it were still necessary to say that data security is a matter of proper corporate governance, the Australian Securities and Investments Commission (“ASIC”) has made that abundantly clear with its Report 429 Cyber Resilience: Health Check.  As far as ASIC is concerned, it has a role in ensuring that companies maintain proper cyber security standards. This is a very important development because ASIC regards the implementation and maintenance of core privacy principles as part of a board’s responsibilities, and a failure to do so may attract regulatory action.  Unlike the Privacy Commissioner, ASIC is a practised litigator, prepared to take action and to send messages to the market as to what standards are expected of corporations.

The purpose of the Report is described, at paragraph 10, as:

The purpose of this report is to assist our regulated population improve their cyber resilience by:
(a) increasing awareness of cyber risks …;
(b) encouraging collaboration between industry and government and identifying opportunities for our regulated population to improve its cyber resilience …; and
(c) identifying how cyber risks should be addressed as part of current legal and compliance obligations that are relevant to ASIC’s jurisdiction.

The Report deals with many of the key data security issues, including having proper training in place, proper response plans in the event of a breach, proper levels of cyber protection and the securing of data.

In its “Health Check Prompts”, ASIC addresses matters at the heart of proper privacy practice when it states, for example:

Cyber risks can arise from within the business and you may want to review how well informed your staff are of your policies and procedures, and encourage good practices for cyber risk management. Good practices can include:
  • using strong passwords and changing them periodically;
  • logging out of systems when they are not in use, particularly when using remote access; and
  • raising awareness of the types of cyber attacks that may occur, and how to report them.

ASIC regards cyber security as part of a director’s legal obligations when it states:

You may not have considered how cyber risks may affect your directors’ duties and annual director report disclosure requirements.
We encourage you to review your board-level oversight of cyber risks and cyber resilience as part of your systems managing your material business risks, and consider if you need to incorporate greater consideration of cyber risks into your governance and risk management practices.

and that it impacts upon the continuous disclosure obligations when ASIC states:

A cyber attack may need to be disclosed as market-sensitive information.

In its Appendix, ASIC grounds its powers in this area in, amongst other provisions:

Corporations Act:
  • s 180 (directors’ duties); and
  • s 140 (effect of constitution and replaceable rules).
A director or officer of a corporation must:
  • act with reasonable care and diligence; and
  • act consistently with the powers and functions set out in the company’s constitution or rules,

as well as sections 292, 299, 674, 677, 710 and 715 and the ASX Listing Rules (among other provisions).

Interestingly, ASIC refers to and relies upon the US NIST Cyber Security Framework, describing it at paragraph 204 as follows:

As it references global standards for cybersecurity, it can serve as a model for international cooperation to strengthen the cybersecurity of organisations.

ASIC regards proper cyber security as part of its regulatory function. It is arguable that ASIC and the Privacy Commissioner are occupying the same regulatory space.  That in itself does not preclude ASIC from having the standing to take action.  In fact, because the Corporations Act contains no equivalent of the Privacy Act’s small business operator exemption, ASIC’s reach can cover a broader field.  Its focus is more related to data security, but it is not necessarily confined to that issue given the breadth of the Report.  In terms of practical effect, ASIC is by far the more assertive regulator: the Privacy Commissioner has not taken any civil penalty proceedings to date and, based on his speeches, tends to continue his focus on education.

On another level this represents a significant development because it may enable individuals affected by lax cyber security, resulting in breaches and interference with their personal information, to take action under the Corporations Act.  Unlike the Privacy Act, where the Privacy Commissioner is the gatekeeper for most of the steps available to individuals, shareholders may bring actions in their own right under the Corporations Act.  Shareholders may therefore have a basis to take action against directors and corporations whose poor practices have resulted in the loss of sensitive data, including personal information.

The ASIC Report makes it clear that disclosure of breaches may form part of a corporation’s continuous disclosure obligations irrespective of whether a mandatory data breach notification regime is in place.  At this stage there is no mandatory data breach notification legislation in place.  That said, recommendation 38 of the Parliamentary Joint Committee on Intelligence and Security’s Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 is:

The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015.

The Government’s response is:

The Government agrees to introduce a mandatory data breach notification scheme by the end of 2015, and will consult on draft legislation.

The ASIC Report was covered by the Australian Financial Review in “Lawyers warn of cyber crime escalating compliance costs”.  The article provides:

Companies will face greater compliance and regulatory costs in cyber risk management as the Australian Securities and Investments Commission steps up its focus on incident reporting, lawyers say.

A perceived increased risk of e-commerce and cyber-attacks, the introduction of proposed metadata retention laws and a mandatory data breach notification scheme following a toughening of privacy laws will also propel growth in the cyber risk insurance market, they warn.

ASIC’s recent report on cyber resilience raised concerns about the inadequacy of existing business continuity or professional indemnity policies, and the potential threat future attacks could pose to the integrity and efficiency of global markets and the financial system.

HWL Ebsworth insurance and dispute resolution partner, Andrew Miers said cyber insurance was a relatively new product that companies had been slow to take up in Australia.

Previously, cyber incidents were thought mainly to be the domain of the Privacy Commissioner, but ASIC clearly signalled it would take an interest in businesses’ cyber risk management and incident reporting, Mr Miers said.

This significantly “upped the ante” and meant companies would face greater compliance and regulatory burden in cyber risk management, he added, including potential regulatory scrutiny by ASIC in the event of an incident.

“This is the first time ASIC has so explicitly linked those obligations to cyber risks,” Mr Miers said.

Minter Ellison partner, Paul Kallenbach said if the federal government’s proposed metadata retention laws, currently before the Senate, were passed, it could raise further cyber resilience concerns for companies. The proposed laws would require organisations to keep metadata for two years.

Mr Kallenbach said given the metadata of some affected organisations might be commercially sensitive, there was a risk the retention obligation would unintentionally create a “honeypot” for cyber attacks by third parties.

The introduction of the mandatory data breach notification scheme by the end of the year would also place an increased regulatory compliance and financial burden on organisations, and not just those affected by the data retention legislation, but also those subject to federal privacy laws, he said.

“It is therefore imperative that all Australian companies revisit their cyber resilience plans,” Mr Kallenbach said.

Clayton Utz partner, David Gerber said the development of the cyber risk insurance market would be propelled by the introduction of the mandatory data breach notification scheme, just as it had been in the United States where it already existed.

“Because you’re obliged to bring data breach issues to the attention of regulators and your clients, you face reputational risks and costs that you might not have otherwise had were you able to deal with those sorts of things privately,” he said.

While global businesses were increasingly taking up cyber risk insurance as a risk mitigation tool, DLA Piper partner Jacques Jacobs warned that such policies were not a solution to dealing with data breach attacks.

Mr Jacobs said ASIC’s guidance would encourage those businesses that had not taken prevention strategies seriously to reflect on whether they are adequately prepared.

“We’re increasingly seeing increasing emphasis being placed on the responsibilities of boards of directors,” he said.

“If a company suffers losses and they are unable to mitigate losses because of a lack of insurance, it will focus the attention of shareholders and customers on what steps the company itself took to manage the risk of such an attack, and part of that will include the directors’ role.”