ASIC warns directors to address third-party cyber risk or face enforcement action
19 October 2023
How can directors get comfortable on cyber matters?
What you need to know
- The Australian Securities and Investments Commission (ASIC) expects cyber risk management to be a top priority for all boards, and that includes the management of cyber risk arising from reliance on third-party providers.
- ASIC will take action against directors who fail to adopt adequate measures on the basis that they have not exercised care and diligence, as required under section 180 of theCorporations Act 2001(Cth).
- Directors often need to rely on the expertise of others regarding cyber matters, including the management of third-party cyber risk. In doing so, they must be able to demonstrate that any such reliance is reasonable in the circumstances.
- 而什么是合理的边界e reliance is fact-dependent, a robust third-party cyber security risk assessment process is essential to ensuring directors have the information they need to independently assess advice received from internal and external cyber experts.
ASIC's Chair delivers speech focusing on third-party cyber security risk
Thespeechdelivered by the ASIC Chair at the Australian Financial Review Cyber Summit (AFR Summit) is a timely reminder for all boards of the growing regulatory scrutiny of the management of cyber-risk, both generally and in particular arising from reliance on third parties.
In this respect, there are several key messages in the ASIC Chair's speech:
1cyber risk management must be a top priority for all boards and directors;
2third parties present a clear vulnerability in many organisations' cyber preparedness;
3a fundamental aspect of good cyber governance is the management of risks posed by reliance on third-party suppliers, such as software providers and critical data services; and
4directors that fail to ensure adequate measures are in place are at risk of potential enforcement action, in particular because they may have failed to exercise care and diligence under section 180 of the Corporations Act.
Third-party risks are not new but directors need to ensure they are independently engaging with that issue
The reality that corporations are exposed to weaknesses in the security posture of its third parties is not a novel concept and has been the subject of previous ASIC guidance and commentary. In ASIC's view, however, organisations are not doing enough in this space. In his speech to the AFR Summit, the ASIC Chair cited the results of ASIC's recent "cyber pulse survey", where 44% of respondents indicated that they did not manage third-party or supply chain risk.
Not all organisations will be in the same position, and indeed many will have mature models in place that are designed to identify, address and, where necessary, mitigate third-party cyber risk. That said, given the recent spate of high profile cyber breaches, several originating from third-party providers, it is important for all directors to turn their mind to whether they are doing enough to discharge their duties in this space.
Given the technical nature of cyber-related matters, particularly for large-scale organisations operating a complex IT architecture, directors will often need to rely heavily on the expertise of cyber functions and personnel in seeking to discharge their duties. This is particularly so for directors who do not have the necessary technical background and have limited cyber/IT literacy. Given the potential financial, legal and reputational repercussions of a successful cyber-attack, it is critical however that directors do not overstep the boundaries of what is "reasonable" in terms of their reliance on others.
What constitutes "reasonable" reliance has the potential to be a contentious issue in enforcement
The directors' duty to act with care and diligence under section 180 of the Corporations Act sets an objective test in determining the reasonableness (or otherwise) of a director's actions. This will take into account the responsibilities held by the director and the organisation's circumstances.
Section 189 deals with the reliance on information or advice provided by others. That section gives rise to a presumption that a director's reliance on "matters" (for present purposes, matters pertaining to cyber) is reasonable if the reliance is made:
1in good faith; and
2after making an independent assessment of the information or advice, having regard to the director's knowledge of the corporation and the complexity of its structure and operations.
Section 189 covers information or advice provided by:
3an employee who the director believes on reasonable grounds to be reliable and competent on the particular cyber matters being considered;
4a professional advisor or expert who the director believes on reasonable grounds has competence regarding the particular cyber matters; or
5another director, or a committee of directors (of which the director is not a member), where the particular cyber matters are within the director's or committee's authority.
It is, of course, never permissible for a director to blindly delegate responsibility and that basic principle is reflected in the conditions that must be met before the presumption of "reasonable reliance" is triggered in section 189.
We expect it would be relatively straight forward for a director to satisfy themselves that an employee and/or professional advisor/expert (see point 3 and 4 above) has the necessary competence to provide information or advice on cyber issues, including as to a third party's cyber security posture. This condition would presumably be satisfied if the director is receiving information or advice, for example, from a senior member of the organisation's cyber security division or an external consultant that has been specifically retained on the basis of its cyber expertise. Similarly, assuming an organisation has adequate cyber governance, it should be clear whether another director or a committee of directors (see point 5 above) has authority to provide information or advice on third-party cyber security risk issues.
相比之下,是否导演的问题is in a position to make an "independent assessment" of information or advice (see point 2 above) is, on its face, more likely to be open to debate. The regulator (and ultimately a Court) may reach the view, based on the "complexity of the structure and operations of the corporation", that a director should have done more in interrogating the information and advice received before (for example) accepting the cyber risks posed by a third-party supplier. The reasonableness of the director's actions will be highly dependent on the facts at hand, and that reality exposes a director to enforcement risk, particularly in the event of a successful attack where their actions (or inaction) will be closely scrutinised, often with the benefit of hindsight.
Third-party cyber security risk review processes are essential
To varying degrees, the consideration of all business risks at the board level involves directors having to make decisions on the basis of imperfect or incomplete information. That challenge, however, is often acute in the context of decisions relating to third-party cyber risk, particularly where directors need to assess the security posture of parties further down the chain with which the organisation does not have a direct relationship (e.g. contractors engaged by a third party).
What practical steps can be taken to mitigate the risk that a director is found to have unreasonably relied on others in accepting a third-party cyber risk? In short, the board and its directors should focus on establishing and maintaining a robust third-party cyber security risk process, and satisfying itself as to the flow and quality of information generated by that process.
Consistent with what constitutes reasonable reliance by a director under section 189, the law is not prescriptive as to what steps an organisation should take in terms of setting up such a process. As the ASIC Chair observed in his speech, "[m]easures taken should be proportionate to the nature, scale, and complexity of … [the] organisation – and the criticality and sensitivity of the key assets held".
While each organisation will need to assess what is appropriate in the circumstances, directors may want to consider the following when implementing a third-party cyber security risk review process, or when reviewing an existing process:
1assess the third party's materiality to the organisation (by considering the nature, scale and complexity of services they will provide, as well as the criticality and sensitivity of assets they willhandleand hold) and use this information to take a risk-appropriate approach to onboarding;
2evaluate the third party's security posture prior to onboarding, with a comprehensive security questionnaire;
3consider limiting use of third parties to those that align to or (where possible) are certified under a recognised cyber control framework. Examples of frameworks include ISO 27001 or the NIST Cybersecurity Framework. Directors should not, however, place too much reliance on such frameworks in place of scrutinising the efficacy of the controls that have actually been implemented by the third party;
4request to see the third party's available independent reports (security audits and security reviews), and independent review certifications (e.g. SOC 2, Type 2);
5use internal cyber experts and (where necessary) external cyber experts to support third-party risk assessments, validating information provided by third parties, identifying potential security risks and recommending mitigating actions, and having processes in place to ensure closure of control gaps by the third party;
6once third parties are onboarded, conduct regular and ongoing risk-based reviews, and request security attestations and access to ongoing independent reports, certifications and re-certifications;
7define risk-based limits/tolerances and processes to manage when a third party fails to comply with the agreed/expected security posture, and ensure processes are in place to manage offboarding if non-compliance continues;
8consider the use of third party risk assessment toolsets (for example, there are products that facilitate third-party risk assessments and ongoing third-party risk tracking, and there are others that provide ongoing monitoring of third parties' public-facing security attack surfaces and assign them a corresponding security score); and
9work collaboratively and build strong relationships with third parties, to get positive outcomes.
