Monday, October 23, 2023

Return to listings

ASIC takes aim at boards and executives for cybersecurity failures

In an era where digitalisation has become synonymous with business operations, the threat landscape has evolved and cybersecurity has taken centre stage.

The Australian Securities and Investments Commission (ASIC) is stepping up its efforts to hold boards and executives accountable for cybersecurity failures within their organisations, which was addressed by ASIC Chair Joe Longo at the Australian Financial Review Cyber Summit last month. This proactive approach is aimed at safeguarding not only corporate data but also shareholder value and public trust.

The growing cybersecurity threat

Malicious actors, ranging from nation-state hackers to cybercriminal syndicates, constantly evolve their tactics to breach organisational defences. The consequences of such breaches can be catastrophic, causing financial losses, reputational damage, and, in some cases, even endangering national security.

In this landscape, ASIC recognises that cybersecurity is no longer solely an IT issue but a critical aspect of corporate governance as cybersecurity breaches can result from poor decision-making, insufficient investment in security measures, or a lack of awareness at the board and executive levels.

ASIC's Regulatory Shift

ASIC has traditionally been associated with financial regulation, but it is now expanding its focus to address the cybersecurity risks that businesses face. The regulatory body is leveraging its authority to ensure that boards and executives take their cybersecurity responsibilities seriously.

Key Initiatives by ASIC

  • Strengthening Reporting Requirements: ASIC has introduced new regulations that compel companies to disclose material cybersecurity incidents and risks to investors and the broader public. This increased transparency ensures that stakeholders are informed about the cybersecurity posture of the organisations they invest in.

  • Focus on Risk Management: ASIC is encouraging organisations to implement robust risk management frameworks that prioritise cybersecurity. Boards and executives are being urged to integrate cybersecurity into their overall risk management strategy.

  • Director and Officer Accountability: ASIC is examining the role of directors and officers in managing cybersecurity risks. Those who fail to meet their obligations could face legal action, including penalties and disqualification from corporate positions.

  • Cybersecurity Resilience Assessments: ASIC is promoting regular cybersecurity assessments and audits to identify vulnerabilities and weaknesses within organisations. This proactive approach aims to prevent cyber incidents rather than just responding to them.

Benefits of ASIC's Approach

ASIC's proactive stance toward holding boards and executives accountable for cybersecurity failures offers several benefits:

  • Improved Cybersecurity Posture: Organisations are incentivised to enhance their cybersecurity measures, reducing the likelihood of breaches and associated financial and reputational damage.

  • Enhanced Shareholder Confidence: Increased transparency and accountability help build shareholder trust, leading to a more stable investment environment.

  • Deterrence of Cybercriminals: When boards and executives are held responsible for cybersecurity failures, it sends a strong signal to cybercriminals that Australian businesses are not easy targets.

  • National Security: Protecting critical infrastructure and sensitive information is essential for national security, and ASIC's approach contributes to this goal.

Implications for Directors & Officers

Directors and Officers are not expected to understand the technical ins and outs of cyber-attacks or the finer details of their company’s IT systems and hardware. However, they must know how to govern privacy and cyber-security risks. Here are three key areas to consider:

1. Understanding the Threat Landscape

Acquiring a comprehensive grasp of the threat landscape within the organisation enables boards and executives to grasp the potential repercussions of cyber risks.

2. Maintain Robust Privacy and Cybersecurity Compliance Protocols

3. Implement Core Components of a Cybersecurity Program

Leveraging the Australian Cyber Security Centre's Essential Eight Maturity Model serves as an effective approach to mitigating cyber threats.

With you all the way

Recognising the interconnectedness of cybersecurity and corporate governance, ASIC's proactive approach to holding boards and executives accountable for cybersecurity failures is a significant step toward creating a more secure business environment in Australia.  

To find out how Honan can help you manage these risks, reach out directly to discuss your business’s unique needs.

Trent Woodward

Head of Client Service (SA)  

Return to listings


Honan Insurance Group Pty Ltd is now fully owned by Marsh Pty Ltd. To find out more, speak to your broker or read the announcement