Company directors could be in breach of their duties if their companies fail to adequately deal with cyberattacks, warns Australian Securities and Investments Commission chairman Joe Longo.
This could include the directors of high-profile companies such as Medibank, Optus and consumer finance group Latitude, which have been the subject of high-profile and damaging cyberattacks over the past year.
Cyber Security Minister Clare O’Neil says company boards are taking action to prevent the growing threat of cyberattacks. Credit: Peter Rae
“For all boards, cybersecurity and cyber resilience have to be top priorities,” Longo said in a speech to the Australian Financial Review cyber summit on Monday.
“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence,” he said.
ASIC’s research has shown there is often a disconnect between a company board’s oversight of cyber risk, management reporting on this topic to their board, as well as the identification and assessment of risks and how controls are implemented. Longo said this disconnect must be addressed if the board wanted to meet its legal obligations.
“Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties,” he said.
The data of 10 million Medibank customers was stolen in a cyberattack. Credit: Steven Siewert
The Office of the Australian Information Commissioner has opened investigations into the cyberattacks on Optus, Medibank and Latitude, which could open the door for ASIC to take legal action. This is on top of potential class action lawsuits over the cyberattacks.
A year ago, Optus revealed that hackers had stolen the personal data of more than 9 million of its customers. Weeks later, Medibank was the subject of a cyberattack in which the data of 10 million former and current customers was stolen, as well as some sensitive customer health records. Latitude also reported it was the victim of a significant cyberattack.
The information commissioner investigations will focus on whether these companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.
Longo also singled out the recent hack of Latitude Group, which was blamed on a third-party service provider, as a risk that companies must manage effectively.
“If you’re not evaluating your third-party cybersecurity risk, you’re deceiving yourself. And recent events show that you will suffer for it,” Longo said.
ASIC chairman Joe Longo says company directors will be held responsible if their organisations have an inadequate response to cyber attacks. Credit: Peter Rae
Cybersecurity Minister Clare O’Neil, also appearing at the summit, unveiled the government’s next stage of plans to help combat the growing cybersecurity issues for Australian companies with a national security framework.
“Part of our strategy is to build six protective layers around our population to make sure that business and industry and government are doing everything that they can to make sure that our citizens are kept safe from this terrible problem,” she told the ABC on Monday morning.
“These shields will help protect our business, our organisations and our citizens, and it will mean that we won’t be alone or in our silos trying to manage this problem. It will mean a cohesive, planned national response that builds to a more protected Australia,” she said at the summit.
O’Neil, who blasted Optus last year for its lax security after its hacking incident, has taken a more conciliatory approach since then. She said Australian businesses were taking note of the growing threat.
“Those high-profile attacks that I mentioned off the top were deeply painful events for our country. If there’s a silver lining, it is that for every board that I talk to now, cybersecurity is a top priority for the board, and it is one they discussed in every single board meeting,” she said.