In a recently published report by American cybersecurity and compliance company Proofpoint titled ‘Cybersecurity: The 2023 Board Perspective’, the sentiment from just under 60% of participating Australian board members is that they feel unprepared to cope with a targeted attack. This is despite over 80% of participating Australian board members viewing cybersecurity as a priority and believing they have invested adequately in cybersecurity.
This disconnect between board members’ awareness of cyber-risks versus their perceived readiness to deal with cyber-attacks needs to be carefully considered by all boards, particularly given the highly publicised data breaches over the past two years, including Australian Clinical Labs (February 2022), Optus (September 2022), Medibank Private (October 2022) and Latitude Financial Services (March 2023).
The belief that cybersecurity is a priority aligns with the results of the Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey 2023 (ACAPS 2023) (released in August 2023). The results showed that:
ACAPS 2023 also disclosed that:
Meanwhile, OAIC’s Annual Report for 2022-23 (released in October 2023) revealed that OAIC:
The view that organisations need to be better prepared to handle cybersecurity threats is also shared by the authorities.
At the Financial Services Institute of Australasia The Regulators event held in early November 2023, APRA chair John Lonsdale said that cybersecurity was a key focus and warned that many of the big firms regulated by APRA were not doing enough to protect consumers. He further confirmed that many entities were still struggling with foundational issues: ensuring third-party control, making sure security control testing is in place, and regularly testing incident response plans.
In addition, the Reserve Bank of Australia Assistant Governor (Financial System) Dr Brad Jones said that an entity remains responsible for the third-party risks introduced by its use of a third party and for managing those risks appropriately. He said this was particularly true in the information technology area, where financial institutions cannot absolve themselves of ultimate responsibility for customer security and privacy by outsourcing IT functions. Dr Jones also referenced the importance of organisations carefully managing the risks and upgrades associated with ageing infrastructure.
In the landscape of expanding regulatory powers, organisations must continue to educate their employees and executives to not only meet existing cyber-compliance obligations but to be confident in their ability to appropriately handle any cyber-breaches and to minimise the harm caused to customers.
If you require support with cyber-protection planning, contact Partner Iain Freeman or Special Counsel Stephanie Tan to discuss how we can assist.