Cyber risk threat increasing and a top governance risk

4 minute read + PDF 04.06.2021 Paul Kallenbach

Perspectives on Cyber Risk 2021 highlights the increased action of regulators on cyber risk and how it is a key governance issue for boards and senior executives.

Our report, in its 6th year, discusses key regulatory changes relating to privacy and data protection, and how ASIC and other regulators are increasing their attention and enforcement action in this area. Cyber risk is, more than ever, a priority governance issue for all boards and senior executives.

VIEW REPORT

Key findings

Important observations for Boards and CEOs, and C-suite executives:

Testing of data breach response plans is increasing – from 34% to 55% in the last 12 months
Low adoption of external cyber frameworks – this needs to improve if organisations are to better manage cyber risks
Individuals remain the prime targets of bad actors – 70% of cyber incidents arise from phishing attacks
40% of survey respondents considered that cyber security risks have increased due to the shift to remote working

Woe betide anyone who doesn't consider cyber risk to be a top risk for organisations and the boards that lead governance. The risk is growing and regulators are watching."Paul Kallenbach, Partner

Regulatory changes on the horizon

Regulatory changes relating to cyber risk, privacy and data protection are looming, and ASIC and other regulators are increasing their attention and enforcement action.

For example, ASIC has identified 'deterrence-based enforcement action' as one of its critical cyber supervisory projects for 2021. In 2020 ASIC took its first cyber-related enforcement action against RI Advice Group, an Australian financial services licensee for failing to implement adequate policies and systems and ensure sufficient resources were deployed to manage cyber risk across its authorised representative group.

Areas of legal exposure include claims against directors, ASX continuous disclosure rules, personal liability for directors who breach their obligations, misleading and deceptive conduct, contract claims, and (for some organisations) APRA’s prudential standards relating to outsourcing.

According to Kallenbach, "The regulatory layers are confronting. Banks and other financial institutions, and the health and public sectors, for example, are subject to additional regulatory obligations. The Commonwealth is also flagging a significant overhaul of privacy laws to bring them closer to a GDPR standard. There is also pressure from customers, particularly for organisations that have suffered a significant data breach."

If directors are not asking difficult questions on cyber risk, I can’t see how they are discharging their directors’ duties.”
Paul Kallenbach

Areas of focus for Boards and Executives

Areas of focus Understand the supply chain

Understand the supply chain

Organisations should develop a thorough understanding of their supply chain, including their key vendors’ IT security and operational postures to mitigate against the introduction of weak links. APRA-regulated organisations must do this in order to discharge their obligations under APRA’s Prudential Standards.

Areas of focus Build for resilience

Build for resilience

COVID-19 has exposed the critical importance of resilience in the procurement and operation of crucial ICT systems in helping to mitigate against events that may be outside of an organisation’s control.

Areas of focus Keep up the regular training