Longo said the board understood that cyber is a risk in general, but the challenge was to determine the appropriate level of investment to minimize the risk of intrusion.
“It depends on the size of the business, the nature of the business, the advice they’re getting about the systems to implement,” he said.
Longo said ASIC cannot preemptively tell companies what investments they need.
“If things go wrong, ASIC will look to see if they have taken reasonable steps and made reasonable investments to protect themselves against this type of attack, commensurate with the risks their business poses,” he said.
Longo suggested no imminent action was planned against the directors of Optus and Medibank Private.
“I think the top priority at this stage is to encourage the board and remind them of their obligations in this area,” he said.
A federal court ruled last year that financial planning licensee RI Advice, formerly owned by ANZ and now part of Insignia Financial, failed to protect against nine cyberattacks that compromised sensitive customer data. In doing so, it was found to have violated the Financial Licensing Act.
“Having systems and processes to address this risk is a condition of the license,” Longo said.
The court found that RI Advice engaged in a number of inadequate risk management practices throughout its network. These included a lack of up-to-date antivirus software, system backups, and email filtering or quarantining at some of its authorized representatives, as well as poor password practices.
Poor cybersecurity risk management resulted in numerous cyber incidents affecting clients in the six years to May 2020.
In his ruling, Judge Helen Rofe made clear that cybersecurity should be a top priority for all AFS licensees.
While she acknowledged that “[i]t is impossible to reduce cybersecurity risk to zero,” she found that “through proper cybersecurity documentation and management, it is possible to significantly reduce cybersecurity risk.”
The number of high-profile data breaches has skyrocketed since last year. Optus and Medibank, as well as companies such as Vinomofo, MyDeal, Australian Clinical Labs, and another local subsidiary of Singtel, Dialog, have disclosed that they were compromised in attacks of varying sophistication.
ASIC is not the primary cyber regulator.
The Commonwealth Government’s Australian Cyber Security Center, located within the Australian Signals Authority, provides advice and information on how to protect a business online, and assists individuals, businesses and critical infrastructure operators in the event of a cyber incident.
The Australian Cyber Security Center received over 76,000 cybercrime reports in 2020-2021.
The Center reported that the average cost per cybercrime report has risen to over $39,000 for small businesses and over $88,000 for midsize businesses.