ASIC to target boards, execs for cyber failures

“I can assure you that in the right case ASIC will commence proceedings if we have reason to believe those steps were not taken.”

The Summit will also hear Home Affairs Minister Clare O’Neil outline her aspiration to stop companies selling products they know to be cyber insecure, one of six planks in a platform that will form the bedrock of the government’s Cybersecurity Strategy.

Mr Longo and Ms O’Neil will tell the conference the hacks of telco giant Optus and health insurer Medibank last year were a wake-up call. At the time, Ms O’Neil accused Optus of leaving “the window open” for hackers to steal personal data, the sort of activity ASIC will now be targeting.

Mr Longo will say all boards should insist on a demonstrable risk-management plan.

Giving the most detailed insights into her aspirations for the Cybersecurity Strategy to date, Ms O’Neil will unveil six “cyber shields”.

In addition to pushing businesses to stop selling cyber-insecure products, the strategy will focus on ensuring individuals and small businesses are well-educated on the basics of cybersecurity; facilitating partnerships between key actors, including government, telcos and banks; and hardening essential infrastructure such as water, energy and healthcare systems.

Other areas include improving sovereign capability by fostering local enterprise and skills; and working closely with other governments around the world who are facing common adversaries.

“These shields will help protect our businesses, our organisations and our citizens,” Ms O’Neil will say. “It will mean that we have a cohesive, planned national response.” Detail about each shield will be released later this year.

This month the Office of the Australian Information Commissioner released statistics showing there were 409 data breaches between January and June, and the Australian Bureau of Statistics has said at least one in five businesses were breached by hackers last year.

Mr Longo will say cyber preparedness is not simply a question of having impregnable systems.

“That’s not possible,” he says. “Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cybersecurity incident.”

Details about fines or punishments for failing to prepare for a cyberattack are largely absent from the speech, but the ASIC website warns its enforcement actions will incur “significant penalties”.

Whether any of the recent high-profile cyber breaches to hit Australian organisations should attract ASIC’s ire remains unclear. Optus and Medibank kept independent reviews of their breaches private, and law firm HWL Ebsworth took the extraordinary step of getting a NSW Supreme Court gag order to stop media discussion about the extent of clients’ data stolen by Russian-linked hackers in April.

Taking responsibility

The Australian Prudential Regulation Authority did hand Medibank a punishment of sorts in June, when it ruled the insurer must set aside $250 million as insurance against issues associated with its data breach.

ASIC has taken court action only once before, in 2022 against financial services firm RI Advice, which was ordered to pay $750,000 by the Federal Court.

RI Advice had suffered numerous cyber incidents between 2014 and 2020, including one where hackers had access to several thousand clients’ files undetected for five months.

In an apparent pushing of responsibility on to companies, Mr Longo will tell businesses not to blame third-party suppliers if they get hacked, a position that goes against recent remarks by Cybersecurity Minister Ms O’Neil.

Last week, she suggested tech firms could soon be on the hook if their products are breached.

She told a forum at the National Security College that software and device vendors such as Microsoft, Apple, Google and Amazon needed to take responsibility for the digital safety of their products, in what she said needed to be a “mindshift change”.

“We would not allow an unsafe car seat to be sold in our country. We’ve spent a generation trying to make sure that people who design these products, make them safe to use,” Ms O’Neil said.

Mr Longo, however, will say that it is down to companies to ensure they account for risks across their digital supply chains.

Latitude Financial’s hugely damaging data breach in March originated through an external provider – understood to be US technology services giant DXC Technology – which ran some of its systems as an outsourced provider. Crown Resorts was also breached in March due to a hack of the GoAnywhere software it uses to transfer files.

“So many businesses rely on third parties for software and critical services. This reliance means potential access to confidential data and other critical resources if those third parties are breached,” Mr Longo will say. “This is a serious weakness.”

Government oversight of businesses’ cyber protection has come under greater focus in the last year, with the appointment of Air Marshal Darren Goldie as a new national cybersecurity coordinator, based in the Home Affairs Department.

In February Australian organisations deemed as running infrastructure critical to the country’s national interest were told they will have to increase their investment in cybersecurity protection to comply with new national security requirements, with the measures estimated to cost companies almost $10 billion combined.

Both Ms O’Neil and Mr Goldie will speak at Monday’s Cyber Summit.