ASIC investigating how directors prepare for and respond to cyber attacks
September 18, 2024
The Australian Financial Review reports in ASIC pursues board directors over cyber breaches that it is investigating how directors deal with cyber attacks, both before and after they happen. The ASIC Chair’s speech Effective compliance: Perspectives from the regulator highlights this increased focus.
ASIC has already taken court action over inadequate cybersecurity controls, in its civil penalty proceeding against RI Advice.
The speech by the ASIC chair provides:
The British philosopher Bertrand Russell once said that ‘we have, in fact, two kinds of morality, side by side: one which we preach, but do not practise, and another which we practise, but seldom preach.’
It’s the job of every compliance professional in the country to prove Russell wrong – every day. Because, when not taken seriously, compliance can devolve into mere lip service, where what is practised isn’t preached, and what is preached not practised.
On the other hand, when true compliance is present, we see alignment between what is preached and what is practised. What is true compliance? It’s a culture of compliance built on integrity, trust and ethics in how people work – and not simply legal compliance with the rules. When there’s alignment between what’s preached and what’s practised, it’s much easier to nurture trust by consumers and investors. And without that trust as a foundation, the tower of business comes toppling down. That’s why, as I’ve said before, a profitable business is – and must be – a compliant one.
So the role of a compliance professional is a critically important one. You are part of the fabric of the business – not only to help your organisation meet its legal obligations, but to help create an ethical culture, where employees act in the best interests of its customers. Viewing compliance through this lens means it’s about more than meeting obligations – it’s about meeting, even exceeding, expectations – both investor and societal.
I would like to talk to you today about your roles as compliance professionals – what that means in practice, and how those roles can be most influential, rewarding and effective. A fundamental element of this is the need to keep an open and curious mind – one that asks questions, and never stops learning. This approach enables the compliance professional to play a key strategic role in the boardroom, and this should be everyone’s objective.
I will finish with some remarks on a number of key areas of focus for ASIC – and for you, in your roles as compliance specialists.
The changing face of compliance
Let’s face it: the items stacked on the compliance professional’s desk have dramatically multiplied in the last five to 10 years. Rapid advances in technology present enormous opportunities, but also increasing risk of scams and cyber-attacks. The growing global consensus on sustainability issues is reflected in Australia in the recent passing of a bill on mandatory climate-related reporting. This, too, is but one part of a larger ESG picture.
I think it’s fair to say that the demands and expectations on compliance professionals are growing exponentially. Regulatory expectations are becoming ever more complex and nuanced.
In a recent global survey of Chief Compliance Officers, KPMG found that 84% expected to face increasing regulatory expectations and scrutiny in the next two years. 34% say new regulatory requirements are the biggest compliance challenge, followed by data analytics (30%). 36% rate cybersecurity as their top compliance improvement priority, followed by data privacy (35%). 41% say ESG compliance programs are still in the planning and development stage.
ASIC is of course keenly aware of the impact of law reform and new regulatory requirements on business and markets. This is why, as industry adjusts to new requirements, our approach has generally been to take a pragmatic and proportionate approach to supervision and enforcement during the transition phase of any implementation.
And from the perspective of a compliance officer, when confronted with such a wide range of ever-changing issues, it’s helpful to return to the essential functions of a strong, fit-for-the-future compliance function.
It’s the role of the directors of a company to set the tone, establish and lead a culture of compliance. This includes monitoring the arrangements the company has in place to ensure compliance with regulatory obligations. But it’s the compliance professionals who are closer to the nuts and bolts of how the business runs. They actually do the work to support and implement those arrangements.
They’re the ones who can first spot the risks, and propose how to manage them – in a way that is commercial, legal, ethical, cost-effective and forward-looking – in consultation with the board and others. They’re the ones who work with management to implement the systems and controls, and see that they’re followed. And they’re the ones who communicate with and report to the board, calling out what’s working and what’s not, so that the board can hold management accountable.
And to do this effectively takes more than just a checklist approach. An effective regulatory compliance program must reflect the organisation’s key values and ethos – and focus on putting customers at the centre of how the organisation operates.
The need for a curious mind
A compliance professional is, in essence, a gatekeeper – a trusted adviser to the board, relied on for well-thought-out advice.
Public accountability for compliance will naturally fall on the directors. And one way for them to meet these expectations is to rely on the advice and performance of the compliance professionals in their organisation. Good advice and good service from you will protect the organisation from financial and non-financial risks – improve its operations – and uphold its reputation.
As compliance continues to be a key focus for directors, and a significant part of any meeting of directors, the strategic role of compliance professionals becomes more important.
In Australia, we’ve seen large, well-resourced businesses that have compliance systems and processes in place. And still, they’ve failed to prevent the very issues they were designed to avoid. Why? Because regulatory compliance was undermined by the culture and ethics of the organisation. They had the appearance of compliance – but it was a hollow, empty kind of compliance.
Written policies and procedures provide the framework for compliance. Systems, processes, and technology can be used to underpin and support compliance. But compliance in practice requires a culture of integrity, ethics, and trust.
So, what are the elements of such a culture? It is all about asking the right questions.
There’s no rule book that maps out every step of every response in every possible circumstance. What’s needed is an attitude of compliance, based on a curious mind that asks the right questions. Questions like What are our obligations? What are the risks? How can we manage them? What systems and controls should be in place to ensure we meet our obligations? Is what we are doing both legal and ethical? How can we make sure they’re being followed? Do I have an open line to the board? Am I keeping them informed?
Asking these – and other relevant – questions presents you as compliance professionals with an opportunity: the opportunity to take what you’re seeing, and influence your organisation to improve its performance. But this can only happen when you remain firmly committed to questioning and challenging management – and to continually upskilling and learning to ensure peak performance.
Key areas of focus for ASIC
So, if the role of the compliance professional is a complex one that requires alertness at all times to the myriad issues of the day – what are some of the issues that are – or should be – currently on your radar?
Perhaps the first to come to mind is mandatory climate reporting, which will, following Royal Assent, become the law. Compliance teams will obviously play a crucial role in ensuring that their organisations are able and ready to meet these new reporting obligations.
As I have previously observed, the introduction of a compulsory climate risk disclosure regime is the biggest change in Australia in financial reporting and disclosure standards in a generation.
We know these reporting standards are new and that some disclosures are novel – perhaps more forward-looking than those required to be disclosed under other periodic financial reporting obligations.
We also know there will be a period of transition as industry continues to build capability and implements the organisational changes that will be required to comply with the regime. We understand this. This is why, as I said before, we will be taking a ‘proportionate and pragmatic’ approach to the supervision and enforcement of the regime while industry adjusts to these new requirements.
In this regard, entities may wish to consider utilising existing processes and procedures that have likely been refined over many years to prepare and verify financial reporting disclosures. Consider the extent to which sustainability reporting disclosures can be integrated into existing risk and compliance measures. This applies to all entities that will eventually be captured by this regime – start engaging with these new obligations early, so you can be prepared when the time does come for you to lodge your first report.
Now to our work on greenwashing – and here I want to draw a distinction between ASIC’s enforcement approach to the new mandatory climate reporting regime, and our enforcement approach to misleading and deceptive greenwashing misconduct.
Our greenwashing work involves a focus on sustainability statements being made voluntarily by entities about their green credentials. As I’ve said many times before, this work is based on the longstanding prohibition against misleading and deceptive conduct and comes back to ensuring that you do what you say you are going to do.
As Justice Horan stated in his judgment on the Mercer Superannuation case, ‘it is vital that consumers in the financial services industry can have confidence in ESG claims made by providers of financial products and services […] Any misrepresentations in relation to ESG policies or practices associated with financial products or services, whether as an aspect of “greenwashing” practices or otherwise, undermines that confidence to the detriment of consumers and the industry generally.’[5]
Another critical issue for all of us – government, business and regulators – is of course technology, and in particular AI. As it rapidly reshapes so much about the way we work, the responsible development and ethical use of AI is increasingly urgent and critical. We need a strong regulatory framework to steer the course of AI toward safe and responsible development and use, and we’re taking small steps in this direction.
At ASIC, our focus is on the range of risks associated with the use of AI that arise in financial services and markets. These include risks around bias and discrimination, loss of privacy, misinformation and disinformation, lack of explainability and transparency, unethical conduct and copyright issues. Safe and responsible use of AI can only be realised through strong governance, transparency and accountability, including human oversight, as well as robust information security to protect data and privacy.
But we’re not working from a blank sheet of paper. Existing laws and guidance apply to protect consumers and investors and don’t change with new technology. Businesses and individuals who develop and use AI are already subject to various Australian laws. These include laws relating to privacy, online safety, directors’ duties, AFSL obligations, corporations, intellectual property and anti-discrimination, which apply to all sectors of the economy.
But, of course, this is a changing space. Recently the Department of Industry, Science and Resources issued a consultation paper proposing mandatory guardrails for situations where AI use is considered high risk. The guardrails aim to address risks and harms from AI, build public trust, and provide businesses with greater regulatory certainty. The controversial Californian AI legislation is currently awaiting Governor Newsom’s approval. I’m sure we will all watch these developments with great interest.
These are just a few of the current issues that are top of mind for ASIC and – I’m sure – many of you here today.
I’ve no doubt there are others – far more than I can mention here. But in all cases, the solution is the same: a clear commitment to learning and to asking questions.
Conclusion
In conclusion, as compliance professionals, it’s your job to be the gatekeeper, the trusted advisor to the board.
Your role is to refine the systems and controls, and to call out what’s working and what can be improved. That will enable the board to look ahead to spot the risks, think about how to balance the legal and commercial perspectives, and monitor the compliance arrangements that the company has in place.
And so, more than ever, you play an influential and strategic role in the boardroom – a role that is critical in ensuring effective compliance.
The article provides:
The corporate regulator has revealed it is investigating how directors have prepared for and responded to cyberattacks, with legal action looming against some unnamed individuals.
ASIC chairman Joe Longo has previously warned that the watchdog would bring charges against directors who fail to adequately prepare for hacks, and ASIC commissioner Simone Constant confirmed the process was under way, but declined to name the companies.
Ms Constant said companies would not get away with paying lip service to cyber defence and must provide evidence they had performed their duties if their organisation was breached by cybercriminals.
“With one cyberattack reported every six minutes in Australia, ASIC’s message for directors is to make sure your organisations have appropriate cybersecurity measures in place – this is your responsibility,” Ms Constant said, ahead of an appearance at The Australian Financial Review Cyber Summit on Tuesday.
“The potential harm to companies, the economy and, perhaps worst of all, individuals that cyber failures and data leaks can inflict is deeply concerning. ASIC wants to see meaningful action from directors and boards.”
Since two high-profile cyber breaches at Optus and Medibank in 2022, companies have seen plenty of evidence that legal action and reputation damage can drag on for years after a breach. The Optus hack has attracted a class action lawsuit as well as a lawsuit brought by the communications regulator, which alleges the telco did not protect customers’ confidential information. Medibank is facing the threat of huge fines from the Office of the Australian Information Commissioner after hackers stole personal health files of 9.7 million Australians.
ASIC has only taken court action over a company’s poor cyber record once before. In 2022, RI Advice was ordered to pay $750,000 by the Federal Court after the financial services firm suffered numerous cyber incidents between 2014 and 2020, including one where hackers had access to several thousand clients’ files undetected for five months.
Mr Longo has warned that cybersecurity is no longer a fringe issue for non-tech specialist directors.
“If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses,” he said.
ASIC will write to stockbrokers and futures dealers on Tuesday, reinforcing its expectations that they must have robust business continuity plans if their operations are disrupted by a cyber incident or IT outage. These plans must be regularly reviewed, updated and tested.
The regulator said it expected that oversight and accountability for critical business services and business continuity must come from the highest levels, and organisations must notify ASIC immediately if a major event occurred.
“This is not intended as a ‘set-and-forget’ process. We expect market participants to maintain a strong and continued focus on their technological and operational resilience,” the letter states.
“We will also consider taking enforcement action where we identify serious failures to comply with the resilience rules.”
The warning comes as new data showed boards still have holes in their cyber response plans despite repeated warnings from regulators.
A survey of 160 senior in-house lawyers conducted by law firm Herbert Smith Freehills found half of the respondents said their boards had not been through a cyber simulation, which is considered a basic element of cyber resilience.
In the event a company is extorted by hackers, 36 per cent of respondents said their boards had still not decided whether they were open to paying a ransom, while 58 per cent said it would take an actual cyberattack to motivate their organisation to meaningfully improve their data risk management.