Serve and protect

Cathie Armour outlines the key responsibilities facing directors in the ever-changing world of cyber security.

The digital economy provides great opportunity for economic growth. Australians are rapid adopters of technology with 7.5 million Australians accessing the internet via their mobile phones in 2013, an increase of 33 per cent from 2012, according to a report from the Australian Communications and Media Authority.

At the same time, there has been a significant growth in the number and severity of global cyber-attacks in the last few years with the estimated annual cost of cyber-attacks to the global economy at more than $400 billion, according to the Centre for Strategic and International Studies.

A cyber-attack can affect us all. It can undermine businesses and impact our economy. It may also erode investor and financial consumer trust and confidence in the financial system and wider economy.  The question for directors is how cyber resilient is your organisation? Cyber resilience is an organisation’s ability to prepare for and respond to a cyber-attack and continue operation during, or quickly adapt and recover from, a cyber-attack.

Financial sector
Entities in the financial sector licensed by the Australian Securities and Investments Commission (ASIC), have legal obligations including risk management and disclosure requirements and ASIC expects cyber resilience will be addressed as part of these obligations. Depending on the severity, a failure to meet these obligations could have consequences for an entity holding a financial services licence – fines, penalties, enforceable undertakings, licensing conditions, or a licence suspension or cancellation. For directors or company officers, it could result in being disqualified from your role.

Director responsibilities
More broadly across all industries, effective cyber resilience requires leadership and a commitment of resources to develop strategies, including responses to a cyber-attack. ASIC encourages company officers to assess their entity’s threats and vulnerabilities now, and understand what, where and how its most valuable information is held. This assessment will allow an entity to prioritise resources to mitigate the effect of a cyber-attack. Effective corporate governance involves active engagement by directors and the board in managing cyber risks.  Directors need to ask specifically:

(a) How cyber risks may impact on your director’s duties and annual director report disclosure requirements.
(b) Whether you have appropriate board-level oversight of cyber risks and cyber resilience.
(c) Has a consideration of cyber risks been incorporated into your governance and risk management practices, and controls and measures for managing those risks?

Directors of listed entities must ensure annual disclosure of material business risks that could adversely affect the achievement of the financial performance or financial outcome described. Cyber risks and resilience may need to be taken into account in an assessment of these material business risks.

Cyber risks may also impact on directors’ disclosure requirements to investors. A prospectus or information statement requires disclosure of relevant information that may affect an investor’s decision, including the nature of the risks of investing in the securities. 

Directors may consider whether cyber risks form part of the information that investors and their advisers would reasonably require to assess any offer, and should be disclosed in a prospectus. For listed entities, directors must immediately disclose market sensitive information once they become aware of the information, therefore directors need to consider how and when a cyber-attack may need to be disclosed.

Global standards
ASIC considers the US-developed National Institute of Standards and Technology Framework has particular relevance as a standard to manage cyber resilience for financial service providers operating globally. It is expected to become a de facto global benchmark for financial markets.

The Australian government has established the Computer Emergency Response Team (CERT) which provides free advice and support on cyber threats and vulnerabilities. ASIC encourages major Australian businesses to partner with CERT before an incident occurs, and report all cyber security incidients to CERT.