ASIC chair calls for Australian organisations to prioritise cyber security
November 13, 2023
The Australian Securities and Investments Commission (ASIC) has had a reasonably long interest in corporates maintaining proper cyber security. Last year it successfully prosecuted a claim in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) for RI Advice Group's failure to maintain proper cyber security. The chair of ASIC today released Spotlight on cyber: Findings and insights from the cyber pulse survey 2023. The warnings about weaknesses in cyber defences are not surprising to those who work in the privacy and cyber security space. Some organisations take the problem seriously; many don't. It is yet another clarion call for proper regulation and then proper enforcement.
The statement provides:
The Australian Securities and Investments Commission (ASIC) has called for organisations to prioritise their cybersecurity after a recent survey shows 58 percent of Australian businesses have limited or no capability to protect confidential information adequately.
The inaugural Cyber Pulse Survey commissioned by ASIC, also highlighted that 44 percent of participants do not manage third-party or supply chain risk and 33 percent of participants do not have a cyber incident response plan.
ASIC noted the results of the voluntary self-assessment survey have exposed deficiencies in cybersecurity risk management of critical cyber capabilities, indicating that organisations are reactive rather than proactive when it comes to managing their cybersecurity.
Joe Longo, chair at ASIC, said for all organisations, cybersecurity and cyber resilience must be a top priority.
“ASIC expects this to include oversight of cybersecurity risk throughout the organisation’s supply chain – it was alarming that 44 percent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.
Participating organisations indicated well-developed capabilities in identity and access management, governance and risk management, and information asset management, with large organisations consistently self-reporting more mature cyber capabilities.
Due to competing demands for limited human and financial resources, the survey showed that small organisations lagged behind larger entities in third-party risk management, data security, consequence management, and adoption of industry standards.
“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cybersecurity risks,” Longo said.
“An effective cybersecurity strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”
Air Marshal Darren Goldie, National Cyber Security Coordinator, said cybersecurity must be a priority for everyone, including individuals and businesses large and small.
“Support is available – the national office of cybersecurity works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents,” he ended.
The Executive Summary of the Report provides:
A cyber attack can disrupt an organisation’s operations and result in significant financial, legal and reputational harm that can quickly spread beyond a single entity. Recent high-profile cyber incidents have highlighted the need for all organisations to have robust cyber capabilities.
The Australian Securities and Investments Commission (ASIC) developed the cyber pulse survey 2023 (survey) to better understand the cyber maturity of regulated organisations in this ongoing heightened threat environment.
The anonymous, voluntary survey was designed to help organisations assess their cyber resilience and allow them to benchmark their cyber maturity against their peers.
The survey measured participants’ ability to:
› govern and manage organisation-wide cyber risks
› identify and protect information assets that support critical services, and
› detect, respond to and recover from cyber security incidents.
Ninety-five per cent of survey participants elected to receive an individual report with insights on how they assessed their cyber resilience capability compared to similar organisations in their industry. Individual feedback reports measured a participant’s cyber maturity compared to their peers across six functions, with each function given a weighted average maturity score based on the organisation’s responses. These scores were reported against the average weighted score for each function across an organisation’s selected industry and size.
ASIC has previously conducted cyber self-assessment surveys of firms operating in Australia’s financial markets: see Report 555 Cyber resilience of firms in Australia’s financial markets, Report 651 Cyber resilience of firms in Australia’s financial markets: 2018–19 and Report 716 Cyber resilience of firms in Australia’s financial markets: 2020–21.
While previous ASIC surveys were restricted to the financial markets sector, the 2023 survey invited participation from public companies, large proprietary companies and entities that hold licences or authorisations from ASIC. Other industry or government surveys of organisational cyber resilience have generally been limited to organisations of a certain size, within a specific industry or sector, or of a particular entity type. The 2023 survey was open to organisations across a broad range of sectors, entity types and sizes.
The findings from the survey will help ASIC identify gaps within certain sectors, guide initiatives and work with industry to uplift cyber resilience.
‘There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly.’
– Chair Joseph Longo
Key Findings include:
› 44% do not manage third-party or supply chain risk.
Organisations should consider the risks introduced by external third parties. These parties could be vendors, suppliers, partners, contractors or service providers with access to an organisation’s internal or confidential information.
Third-party relationships provide threat actors with easy access to an organisation’s systems and networks. An organisation can implement robust cyber security measures for its internal networks and IT infrastructure. However, unless these efforts are extended to third parties, it will be exposed to supply chain vulnerabilities.
› 58% have limited or no capability to protect confidential information adequately.
Ransomware threat actors target confidential information. To limit the impact of cyber breaches, organisations should identify, classify and secure confidential information – and limit what is stored.
To protect confidential information from unauthorised disclosure, alteration or destruction, organisations should classify information based on risk exposure in the event of a breach and implement cyber risk controls proportionate to the classification of the data.
› 33% do not have a cyber incident response plan.
A well-defined cyber incident response plan ensures that an organisation can quickly and effectively respond if its cyber security measures fail to prevent an incident. Regularly testing and updating the plan is necessary to maintain its effectiveness.
An effective response plan should be consistent with an organisation’s protocols for incident, emergency, crisis and business continuity management. It should also identify regulatory reporting obligations and interactions with critical third parties.
› 20% have not adopted a cyber security standard.
Cyber security standards and frameworks help organisations to improve their cyber security and resilience by taking a comprehensive approach to:
› identifying and managing cyber risk
› protecting confidential information
› mitigating and managing cyber threats, and
› guiding appropriate investment in cyber security.
An organisation should adopt and implement a cyber security standard that is proportionate to the nature, size and complexity of the organisation.
Implementing a cyber security standard begins with a cyber risk assessment and identification of gaps in cyber risk management.
Regarding small businesses the report stated:
› 34% of small organisations do not follow or benchmark against any cyber security standard
› 44% do not perform risk assessments of third parties and vendors
› 33% have no or limited capability in using multifactor authentication
› 41% do not patch applications
› 45% do not perform vulnerability scans, and
› 30% do not have backups in place.
The release of the report has been picked up by the Australian Financial Review with ASIC warns of ‘alarming’ holes in business’ cyber defences and The Australian reports with Cyber attack: ASIC exposed ‘deficiencies’ in how companies defend themselves against hackers and protect customer data. The Australian article provides:
Australia’s corporate regulator has revealed “deficiencies in cyber security risk management” among businesses as hackers shut down one of the country’s biggest port operators, potentially crippling Christmas deliveries and igniting chaos across national supply chains.
The Australian Securities & Investment Commission said most companies are being “reactive rather than proactive when it comes to managing their cyber security”, exposing Australians to malicious threats from criminals and state-sponsored hackers.
Crucially, almost two-thirds of Australian companies have limited or no capability to protect confidential information, according to an ASIC ‘pulse’ survey based on almost 700 voluntary participants. This “significant gap” is costing Australians $42bn a year, based on the latest data from the Australian Cyber Security Centre.
The report underscores how Australian businesses have so far failed to learn the lessons of a series of high profile cyber assaults on companies including Optus, Medibank, Toll, Nine Entertainment, Latitude Financial – and now DP World, which operates 40 per cent of the nation’s maritime freight.
The DP World attack has led to about 30,000 shipping containers being stranded, potentially sparking a supply shock that could push up inflation and force the Reserve Bank to raise interest rates for a fourteenth time, highlighting the risk cyber crime exposes to the broader economy.
The spate of attacks has prompted new government policy to force companies to report cyber ransom demands under Australia’s first mandatory no-fault reporting system.
But the centrepiece of the Albanese government’s cyber security strategy will not ban companies from paying criminal gangs and state-sponsored offenders, despite a 45 per cent surge in global ransomware attacks this year.
Other key elements of the government’s seven-year cyber strategy include an early-warning system for ransomware attacks, a ransomware playbook and a fightback strategy targeting “thugs and criminals”.
ASIC chair Joe Longo said: “For all organisations, cyber security and cyber resilience must be a top priority”.
“ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44 per cent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.
Cyber criminals hacked into Medibank’s customer database of more than nine million policyholders after buying a logon from a Russian language website. When it didn’t pay a $15m ransom, they published a trove of personal information, including health claim data relating to pregnancy terminations, drug and alcohol abuse and various mental health conditions – leaving it with a $150m clean-up bill.
At Optus, customers were exposed to financial crime after cyber criminals hacked into its customer database in September last year and published a cache of personal and identity information, including driver’s licence, passport and Medicare numbers and personal addresses.
Meanwhile, Australian Information Commissioner Angelene Falk is suing pathology group ACL, alleging it “seriously interfered with the privacy of millions of Australians” – an action that led to hackers stealing scores of sensitive health records, in February last year.
The data breach of ACL’s Medlab business wasn’t disclosed to Ms Falk for another six months, while the broader public and market were not informed until last October.
“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach,” Ms Falk said.
“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web. As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”
Mr Longo said competing demands for limited human and financial resources often meant small organisations lagged behind larger entities in third-party risk management, data security and adoption of industry standards.
But Mr Longo said there was a need to go beyond security alone and build up resilience.
“It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks.
“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”
But more promising, 95 per cent of survey participants have opted to receive an individual report which provided important insights on how their cyber resilience compared to their peers, “demonstrating a commitment to improving their organisation’s cyber resilience”.
The National Cyber Security Coordinator, Air Marshal Darren Goldie, welcomed the results of the report and acknowledged ASIC’s work to map out key gaps in corporate Australia’s cyber resilience.
“Cyber security must be a priority for us all, including individuals and businesses large and small,” he said.
“Support is available – the National Office of Cyber Security works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents. The 2023-2030 Australian Cyber Security Strategy will enable Australia to build and strengthen its cyber shields and develop our resilience to bounce back quickly.”