ASIC warns directors to address third-party cyber risk or face enforcement action
19 October 2023
The speech delivered by the ASIC Chair at the Australian Financial Review Cyber Summit (AFR Summit) is a timely reminder for all boards of the growing regulatory scrutiny of the management of cyber-risk, both generally and in particular arising from reliance on third parties.
In this respect, there are several key messages in the ASIC Chair's speech:
1 cyber risk management must be a top priority for all boards and directors;
2 third parties present a clear vulnerability in many organisations' cyber preparedness;
3 a fundamental aspect of good cyber governance is the management of risks posed by reliance on third-party suppliers, such as software providers and critical data services; and
4 directors that fail to ensure adequate measures are in place are at risk of potential enforcement action, in particular because they may have failed to exercise care and diligence under section 180 of the Corporations Act.
The reality that corporations are exposed to weaknesses in the security posture of their third parties is not a novel concept and has been the subject of previous ASIC guidance and commentary. In ASIC's view, however, organisations are not doing enough in this space. In his speech to the AFR Summit, the ASIC Chair cited the results of ASIC's recent "cyber pulse survey", in which 44% of respondents indicated that they did not manage third-party or supply chain risk.
Not all organisations will be in the same position, and indeed many will have mature models in place that are designed to identify, address and, where necessary, mitigate third-party cyber risk. That said, given the recent spate of high profile cyber breaches, several originating from third-party providers, it is important for all directors to turn their mind to whether they are doing enough to discharge their duties in this space.
Given the technical nature of cyber-related matters, particularly for large-scale organisations operating a complex IT architecture, directors will often need to rely heavily on the expertise of cyber functions and personnel in seeking to discharge their duties. This is particularly so for directors who do not have the necessary technical background and have limited cyber/IT literacy. Given the potential financial, legal and reputational repercussions of a successful cyber-attack, it is critical, however, that directors do not overstep the boundaries of what is "reasonable" in terms of their reliance on others.
The directors' duty to act with care and diligence under section 180 of the Corporations Act sets an objective test in determining the reasonableness (or otherwise) of a director's actions. This will take into account the responsibilities held by the director and the organisation's circumstances.
Section 189 deals with the reliance on information or advice provided by others. That section gives rise to a presumption that a director's reliance on "matters" (for present purposes, matters pertaining to cyber) is reasonable if the reliance is made:
1 in good faith; and
2 after making an independent assessment of the information or advice, having regard to the director's knowledge of the corporation and the complexity of its structure and operations.
Section 189 covers information or advice provided by:
3 an employee who the director believes on reasonable grounds to be reliable and competent on the particular cyber matters being considered;
4 a professional advisor or expert who the director believes on reasonable grounds has competence regarding the particular cyber matters; or
5 another director, or a committee of directors (of which the director is not a member), where the particular cyber matters are within the director's or committee's authority.
It is, of course, never permissible for a director to blindly delegate responsibility and that basic principle is reflected in the conditions that must be met before the presumption of "reasonable reliance" is triggered in section 189.
We expect it would be relatively straightforward for a director to satisfy themselves that an employee and/or professional advisor/expert (see points 3 and 4 above) has the necessary competence to provide information or advice on cyber issues, including as to a third party's cyber security posture. This condition would presumably be satisfied if the director is receiving information or advice, for example, from a senior member of the organisation's cyber security division or an external consultant that has been specifically retained on the basis of its cyber expertise. Similarly, assuming an organisation has adequate cyber governance, it should be clear whether another director or a committee of directors (see point 5 above) has authority to provide information or advice on third-party cyber security risk issues.
In contrast, the question of whether the director is in a position to make an "independent assessment" of information or advice (see point 2 above) is, on its face, more likely to be open to debate. The regulator (and ultimately a Court) may reach the view, based on the "complexity of the structure and operations of the corporation", that a director should have done more in interrogating the information and advice received before (for example) accepting the cyber risks posed by a third-party supplier. The reasonableness of the director's actions will be highly dependent on the facts at hand, and that reality exposes a director to enforcement risk, particularly in the event of a successful attack where their actions (or inaction) will be closely scrutinised, often with the benefit of hindsight.
To varying degrees, the consideration of all business risks at the board level involves directors having to make decisions on the basis of imperfect or incomplete information. That challenge, however, is often acute in the context of decisions relating to third-party cyber risk, particularly where directors need to assess the security posture of parties further down the chain with which the organisation does not have a direct relationship (e.g. contractors engaged by a third party).
What practical steps can be taken to mitigate the risk that a director is found to have unreasonably relied on others in accepting a third-party cyber risk? In short, the board and its directors should focus on establishing and maintaining a robust third-party cyber security risk process, and satisfying itself as to the flow and quality of information generated by that process.
Consistent with what constitutes reasonable reliance by a director under section 189, the law is not prescriptive as to what steps an organisation should take in terms of setting up such a process. As the ASIC Chair observed in his speech, "[m]easures taken should be proportionate to the nature, scale, and complexity of … [the] organisation – and the criticality and sensitivity of the key assets held".
While each organisation will need to assess what is appropriate in the circumstances, directors may want to consider the following when implementing a third-party cyber security risk review process, or when reviewing an existing process:
1 assess the third party's materiality to the organisation (by considering the nature, scale and complexity of services they will provide, as well as the criticality and sensitivity of assets they will handle and hold) and use this information to take a risk-appropriate approach to onboarding;
2 evaluate the third party's security posture prior to onboarding, with a comprehensive security questionnaire;
3 consider limiting use of third parties to those that align to or (where possible) are certified under a recognised cyber control framework. Examples of frameworks include ISO 27001 or the NIST Cybersecurity Framework. Directors should not, however, place too much reliance on such frameworks in place of scrutinising the efficacy of the controls that have actually been implemented by the third party;
4 request to see the third party's available independent reports (security audits and security reviews) and independent review certifications (e.g. SOC 2 Type 2);
5 use internal cyber experts and (where necessary) external cyber experts to support third-party risk assessments, validating information provided by third parties, identifying potential security risks and recommending mitigating actions, and having processes in place to ensure closure of control gaps by the third party;
6 once third parties are onboarded, conduct regular and ongoing risk-based reviews, and request security attestations and access to ongoing independent reports, certifications and re-certifications;
7 define risk-based limits/tolerances and processes to manage when a third party fails to comply with the agreed/expected security posture, and ensure processes are in place to manage offboarding if non-compliance continues;
8 consider the use of third-party risk assessment toolsets (for example, there are products that facilitate third-party risk assessments and ongoing third-party risk tracking, and there are others that provide ongoing monitoring of third parties' public-facing attack surfaces and assign them a corresponding security score); and
9 work collaboratively and build strong relationships with third parties in order to achieve positive outcomes.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com
This material is current as at 19 October 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.