Mr Longo said boards of directors generally understood cyber was a risk, but the challenge was determining what was an appropriate level of investment to minimise the risk of an intrusion.
“That will vary with the size of the business, the nature of the business, what advice they’re getting about the systems they should have in place,” he said.
Mr Longo said ASIC could not pre-emptively tell a company which investments it needed to make.
“If things go wrong, ASIC will be looking for whether they took reasonable steps and made reasonable investments proportionate to the risks that their business poses to defend themselves from this kind of attack,” he said.
Mr Longo signalled there was no imminent action planned against the directors of Optus and Medibank Private.
“I think at this stage the major priority has to be to encourage boards and to remind them of the obligations in this area,” he said.
The Federal Court last year ruled that RI Advice, a financial planning licensee formerly owned by ANZ and now part of Insignia Financial, breached its obligations under financial services licensing law by failing to have adequate cybersecurity risk management in place, a failing exposed by nine cyber incidents that put confidential client data at risk.
“It’s a condition of your licence to have systems and processes to deal with this risk,” Mr Longo said.
The court found RI Advice had a number of inadequate risk management practices across its network, including authorised representatives who lacked up-to-date antivirus software, system backups, and email filtering or quarantining, and who followed poor password practices.
Those inadequacies in its cybersecurity risk management contributed to the nine cyber incidents affecting clients in the six-year period to May 2020.
In her judgment, Justice Helen Rofe made it clear that cybersecurity should be front of mind for all AFS licensees.
She acknowledged that while ‘[i]t is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls…’
There has been a surge in the number of data breaches that have garnered public attention since last year. As well as Optus and Medibank, companies including Vinomofo, MyDeal, Australian Clinical Labs, and another local Singtel subsidiary, Dialog, have also revealed they have suffered breaches of varying levels of complexity.
ASIC is not the primary cyber regulator.
The federal government’s Australian Cyber Security Centre, based within the Australian Signals Directorate, publishes guidance on how businesses can protect themselves online and assists individuals, businesses and critical infrastructure operators when a cyber incident occurs.
The Australian Cyber Security Centre received more than 76,000 cybercrime reports in 2021-22.
Over the same period, the centre reported a rise in the average cost per cybercrime report to more than $39,000 for small businesses and $88,000 for medium-sized businesses.