The Australian Securities and Investments Commission (ASIC) just released its latest Corporate Plan, which outlines their “priorities over the next four years to achieve a fair, strong and efficient financial system for all Australians”.
The plan presents the strongest indication to date that ASIC has both the appetite and the budget to pursue penalties against companies (and their directors) for negligence in managing cyber risk. It literally states that ASIC will be “taking enforcement action against our regulated population where there are egregious failures to mitigate the risks of cyber attacks and related governance failures relating to cyber resilience.”
For context, it is useful to trace how ASIC’s approach to regulating cyber resilience has evolved over the past few years:
- 2015 – ASIC was already using the term “cyber resilience” back then, and has carried it through to today. However, they were talking about how they would “promote cyber resilience” and “improve awareness” while they “continue to monitor market developments”. In other words, these are softer in tone and not intended to indicate that there would be consequences.
- 2016 – A year later, they stated they would be “incorporating cyber resilience into our surveillances of entities” which would be done by “conducting quarterly surveys of a sample of market intermediaries on their cyber resilience policies and procedures”.
- 2017 – ASIC stated they would “focus on enhancing our regulated populations’ systems and controls by reviewing their arrangements for managing technology and operational risk, including governance and business continuity practices and cyber preparedness”.
- 2018 – ASIC outlined that they would be “reviewing our regulated populations’ risk management arrangements – e.g. the cyber resilience and technology controls of market infrastructure providers and market intermediaries” and “publishing a report on our monitoring and assessment of the technological resilience of market entities, and engaging with market entities to recommend improvements to their controls”. This report has since been released and was met with anticipation by the cybersecurity industry.
- 2019 – ASIC curiously took a hiatus, relatively speaking, from its cyber resilience focus. Cyber that year consisted of “addressing technology, security and operational failures (e.g. implementing new market integrity rules on technology and operational resilience for market operators and participants of listed securities, and reviewing risk controls of market intermediaries)”, and “publishing a feedback report following consultation”.
- 2020 – ASIC’s focus could be summarised by one word: pandemic.
- 2021 – Cyber resilience was back with a vengeance in ASIC’s eyes, making it for the first time into the Chair’s opening message. They continued to “assess selected regulated entities’ cyber resilience and management of cyber risks (e.g. through self-assessments) and, as part of an ASIC-wide cyber working group, analyse responses” which resulted in another report (effectively an update to the report from 2019) released later that year. ASIC also actively communicated expectations to boards and sent letters to specific entities with key findings. Most importantly, 2021 was the first time ASIC made a point of stating that they would “investigate and take enforcement action against egregious instances of failure to adequately manage cyber risks”. ASIC wasn’t kidding around, and RI Advice found out the hard way.
Arguably the most important indicator of an entity’s ability to execute across its focus areas is the allocation of finances.
Looking at ASIC’s total spend, it has increased from $341M AUD in 2015 to $503M AUD in 2021. While the numbers aren’t yet in for 2022/2023, $446M AUD has been budgeted, although ASIC will likely spend closer to $500M AUD if past performance is any indicator.
The fact that ASIC has been able to spend more money over time is positive. What’s more interesting, however, is how ASIC’s spend is distributed across the following areas:
- Supervision & Surveillance
- Registry Licensing / Registration / Regulatory
- Policy Advice
- Industry Engagement
The most noticeable change over the years is in ASIC’s capacity to enforce its regulations: enforcement spend has increased from $143M AUD in 2015 to $251M AUD this year, an increase of 75%.
In short, if ASIC says it’s going to enforce something, companies and their directors should believe it.
What does this mean for companies and directors today?
This year’s ASIC Corporate Plan is the first time that “cyber” has been mentioned in the Chair’s opening statement, and it is also afforded its own dedicated section: Cyber and operational resilience.
For companies and directors, the section to focus on resides on page 11. To summarise, ASIC states that it will:
- Benchmark companies on cyber resilience through a survey.
- Actively monitor companies to ensure they maintain an acceptable level of cyber resilience.
- Work with other financial regulators to align regulation and actions.
- Update cyber resilience legal and compliance obligations that have not been changed since 2015.
- Support the implementation of whole-of-government cyber resilience initiatives (editor’s note: this is likely the SOCI Act in many cases).
- Partner with financial regulators on key cyber resilience initiatives.
- Monitor how industry is implementing ASIC’s expectations for responding to a market outage, as part of market resilience.
- Take enforcement action against the regulated population where there are egregious failures to mitigate the risks of cyber attacks and related governance failures relating to cyber resilience.
While all eight points are important, the one to take notice of if you are a company is the last. ASIC made the same point in last year’s Corporate Plan, and proved it would take action by making an example of RI Advice.
As I noted in my analysis of ASIC’s spend, the budget allocated to enforcement has increased over the years. This year, 56.2% of their $446M AUD budget has been set aside to enforce their regulations.
ASIC is dead serious about enforcing cyber resilience across the industry. It has literally stated as much, it has a Federal Court precedent for holding a company accountable, and it has the increased budget to keep enforcing cyber resilience across companies.
Companies of all sizes must take note: ASIC is no longer a “toothless tiger” when it comes to enforcing our duties as directors, executives, and professionals to protect our industry against cyber threats.