Cyber Risk Management

By the end of the year a mandatory data breach notification scheme will be introduced in Australia. The metadata of many organisations is commercially sensitive and poses both security and privacy issues if this information falls into the hands of cyber pirates.

ASIC has issued a major cyber resilience report. A cyber attack occurs when computer systems, networks and technology-dependent enterprises are deliberately used for illegitimate ends. Organisations need to develop cyber resilience: the ability to prepare for and respond to a cyber attack, while also being able to continue operations during the attack or, at the least, recover from it rapidly. Cyber resilience is the outcome that cyber risk management and cybersecurity measures aim to achieve.

ASIC’s Report 429 Cyber resilience: Health Check highlights to investors and markets that the ability to prepare for, respond to, adapt to and recover from a cyber attack is vital for the markets to retain financial consumers’ trust and confidence.

The integrity and efficiency of global markets can be easily compromised by a cyber attack because of the electronic linkages within the financial system. The ASIC report suggests businesses flag relevant legal and compliance requirements, especially on disclosure and risk management.

ASIC suggests businesses should consider using the United States’ NIST Cybersecurity Framework for checking on cyber risk management practices. The NIST Framework is a voluntary, technology-neutral cyber risk management tool for organisations. It uses a common language to manage cyber risk and is based on assessments of company resources, risk tolerances and business requirements.

The ASIC report aims to assist businesses in improving their cyber resilience by increasing awareness of cyber risks, to encourage industry and government to work together to achieve cyber resilience, and to identify how cyber risks should be addressed within ASIC’s jurisdiction in relation to current legal and compliance obligations. ASIC considers that, as the regulator of corporations, markets, financial services and consumer credit, it is an appropriate part of its role to incorporate cyber resilience in its surveillance programs.