ASIC report 429 provides a very comprehensive overview of the Cyber Risk and Security landscape and contains practical advice on what steps organisations need to take to improve their “Cyber Resilience”.
Within the report it states that “any business that interacts over electronic networks or the internet, or is reliant on third-party technology vendors and suppliers, carries a risk of exposure”. In today’s interconnected business world this means all of us. In this regard ASIC is putting its stake in the ground on what it believes businesses need to be doing to respond accordingly.
In Report 429, ASIC highlights that all regulated entities have legal and compliance obligations that require those organisations to review and update their cyber and risk management policies. If you are a licensee then this obligation is strict and you must have in place adequate risk management systems and resources.
Appendix 2 of the report provides detailed information on the obligations of each type of regulated entity and references the specific piece of legislation / code or regulatory guide which governs these obligations. It contains references to 17 different types of regulated entities including corporations, listed entities, AFS licensees and market licensees amongst others.
To put all of this in some perspective ASIC included this little sample of statistics in its Report 429 to jolt us all into taking the issue of cyber security very seriously:
- In 2013, cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion.
- The total number of cybersecurity incidents detected in 2014 was 42.8 million, an increase of 48% from 2013.
- More problematic is that an estimated 71% of incidents go undetected.
- The estimated annual cost of cyber attacks to the global economy is more than $400 billion.
- In 2013, over 552 million identities were compromised through cyber attacks, putting a range of personal information (including credit card details, birth dates, government identification numbers, medical records, financial information, email addresses and passwords) into the criminal realm.
Appendix 1 of Report 429 also provides a concise snapshot of the various sources of cyber risk and the consequential threat they present to your business.
In the overview of Report 429, ASIC provides a detailed Health Check prompt list, which is a useful introduction to a cyber risk management framework based on the internationally recognised framework from the US National Institute of Standards and Technology (NIST).
The issue for most boardrooms and business owners is identifying a practical way to not only introduce and implement these practices into the business but also have them institutionalised as part of an ongoing and continuous improvement process.
ASIC advocates that organisations adopt the globally recognised US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) as a potentially useful cyber resilience resource. NIST is widely recognised as the global benchmark for cyber resilience and cyber risk management best practice.
The NIST Cybersecurity Framework is built upon 5 concurrent and continuous functions:
- Identify: Develop the organisational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
At NWC Insurance we specialise in developing an integrated, risk-based approach to cyber security. Our approach is based on the NIST Framework and is an essential tool in facilitating the continuous risk framework advocated by NIST.
Prioritising Cyber Risk Implementation
According to the Australian Signals Directorate (ASD), 85% of the cyber intrusions the ASD responds to involve unsophisticated techniques that could have been avoided by using the following four techniques:
Australian Signals Directorate - Essential Risk Mitigation Techniques
- Application whitelisting
- Patch applications
- Patch operating system vulnerabilities
- Restrict administrative privileges
These risk mitigation controls form part of our baseline approach. We also place a significant weighting on the human factor associated with a cyber-attack, as the statistics continue to demonstrate that it is a major cause of cyber-attacks.
Depending on your business's risk profile, we then prioritise further risk management techniques to mitigate the risk of a cyber-attack on your business. Our risk control framework consists of 127 separate risk mitigation techniques across 3 levels of risk mitigation:
- Level A - Minimum level of compliance required to protect your organisation
- Level B - Significant level of risk improvement controls
- Level C - Attainment of best practice approach to Cyber Risk Governance
The Road to Good Governance
This approach provides our clients with a risk control framework which provides the foundation of good cyber governance. This good governance is now an obligation placed on all companies under ASIC regulatory guidelines, the Privacy Act and the soon-to-be-introduced mandatory reporting requirements concerning data breaches.