Is ASIC the new cyber security regulator?

Wednesday, 04 November 2015

Cyber security incidents present an ever-increasing risk to businesses. In the current landscape, there are almost daily media reports of new cyber attacks.

Because cyber attacks often involve a compromise of personal data, the relevant regulator for such risks in Australia has frequently been regarded as the Privacy Commissioner (sitting within the Office of the Australian Information Commissioner (OAIC)). Indeed, a number of recent hacking incidents, including those affecting Sony PlayStation, Adobe, AAPT and Cupid Media, have been the subject of OAIC "own motion" investigations and subsequent findings.

With significant amendments to the Privacy Act 1988 (Cth) taking effect in March 2014, new powers were given to the Privacy Commissioner in relation to enforcement of privacy and data protection obligations. Those powers include the ability to apply to the courts for a civil penalty in the event of a serious or repeated interference with the privacy of individuals and the ability to accept an enforceable undertaking from an entity.

Since the introduction of those new powers, no civil penalties have yet been sought by the OAIC and there have been just two instances of enforceable undertakings given to the OAIC[1]. Moreover, the OAIC has had to battle on in the face of decreased funding and a stated intention by the Federal Government to disband the Office[2].

ASIC and its cyber priorities

However, in the face of those uncertainties as to the OAIC's ongoing role, another regulator has emerged in recent months as taking an increased interest in cyber risk - the Australian Securities and Investments Commission (ASIC).

In March of this year, ASIC released its Cyber Resilience: Health Check in which it highlighted that cyber resilience was not just a matter of good practice but also a matter of compliance with specific legal obligations. ASIC thereby signalled an increased interest in exercising its regulatory scrutiny in relation to cyber risk management (see our article here).

In its Corporate Plan 2015-16 to 2018-19 released in August this year, ASIC again highlighted its interest in cyber risk regulation and stated that cyber resilience would be one of ASIC's key priorities for the next three years. This approach was reiterated in a speech given on 24 September 2015 by ASIC Commissioner John Price in which Mr Price indicated that cyber resilience was one of the critical issues that keeps him awake at night!

Consistent with ASIC's role of protecting investors and regulating markets, it sees the "increasing incidence, complexity and reach of cyber attacks" as a matter that can "undermine businesses and destabilise our markets, eroding investor and financial consumer trust and confidence in the financial system and the wider economy".

ASIC says its focus in relation to cyber risks will be on:

  • promoting cyber resilience;
  • identifying potential cyber attacks in our markets through real-time market monitoring; and
  • ensuring compliance with licensing obligations, including the need for adequate technological resources and risk management arrangements, and disclosure obligations.

As to how it intends to promote cyber resilience, ASIC says it will:

  • improve awareness of cyber resilience, and increase the profile of the issues;
  • incorporate cyber resilience in its surveillance, particularly for those ASIC regulates that provide critical services such as financial market infrastructure;
  • coordinate and engage with other Government departments to identify cyber risks and build cyber resilience; and
  • continue to monitor market developments.

Potential use of enforcement powers

In the Corporate Plan, ASIC goes so far as to say that it will respond to cyber threats through enforcement action, accepting enforceable undertakings or issuing infringement notices where ASIC identifies wrongdoing, for example, "deal[ing] with cases where companies and issuers disclosure provides insufficient information on cyber threats".

Perhaps a foretaste of ASIC's potential use of its enforcement powers is a recent regulatory action by the Securities and Exchange Commission (SEC) in the United States against an investment advisory firm for poor cyber security practices. The SEC settled charges against the adviser for breaching federal securities laws which required registered investment advisers to adopt written policies and procedures to protect customer records and information, the SEC alleging no such policies or procedures were adopted. The firm's web server suffered a hacking incident in July 2013, leaving the personal information of more than 100,000 individuals vulnerable to theft. The firm agreed to a penalty of US$75,000 notwithstanding no clients having suffered financial harm.

The SEC's action is an early example of a securities and corporate regulator using the powers it has available to it to enforce cyber risk management, a step that ASIC has signalled it may well take going forward.

Continuous Disclosure Obligations

One area in particular where ASIC may have a role to play is with respect to disclosure to the stock market of cyber attacks affecting listed companies[3].

In its March 2015 Cyber Resilience report, ASIC noted that the continuous disclosure obligations of listed entities, which require market-sensitive information to be disclosed to the market, may extend to disclosures about cyber attacks. ASIC gave a clear indication to directors and officers that they "need to consider how and when a cyber attack may need to be disclosed as market-sensitive information".

Some have queried the extent to which cyber incidents truly do constitute market-sensitive information. Speaking at the Australian Information Security Association National Conference in early October 2015, Daniel Grzelak, head of security intelligence at Atlassian, stated that the impact on share price in data breach situations was "often minimal and often very short term" and that "Wall Street doesn't care about data breaches in the long term".

However, it seems there certainly is potential for a cyber incident of sufficient seriousness to affect a company's share price. Moreover, ASIC has given a clear indication that listed entities will need to actively consider possible disclosures about certain cyber attacks[4].

More companies appear now to be including in their annual reports, and other releases to investors, a generic description of the entity's general exposure to cyber risk arising from the ordinary use of digital technologies. However, we expect this is likely to be insufficient disclosure in circumstances of actual cyber incidents of significance.

Conclusion

ASIC is now increasingly speaking of cyber risk management as a matter of legal obligation and, in its recently released Corporate Plan, this way of looking at cyber risk has been allocated a front row seat in ASIC's strategic priorities for the next three years. ASIC says it will use enforcement action if necessary.

Accordingly, businesses need to be vigilant when it comes to managing their cyber risk, not only to protect their business but also to ensure they are complying with their legal obligations and to avoid potential regulatory action. Businesses should also consider the purchase of cyber insurance to protect against the potential cost of responding to such regulatory action.

Article written by Andrew Miers, Partner and Matthew Hunter, Senior Associate.

_______________________________________________________________________________________________________________________________________

[1] Those enforceable undertakings were given by SingTel Optus and TeleChoice.

[2] See the Privacy Commissioner's speech on that subject here.

[3] This is a separate matter to the question of disclosure of a data breach to affected individuals. In that regard, there is currently a voluntary "Data breach notification guide" issued by the OAIC which strongly recommends providing notice of a data breach to the OAIC and to affected individuals where there is a real risk of serious harm. Moreover, as recently as 13 October 2015, the Attorney-General George Brandis, speaking in the Senate, reiterated that the government intends to introduce legislation enacting a mandatory data breach notification scheme before the end of this year.

[4] Again, looking to the United States, the SEC has issued guidance on when companies may need to give disclosure to investors of cyber risks and cyber incidents.


Disclaimer: This article is not intended to be a substitute for obtaining legal or other expert advice and no responsibility is accepted for any action taken as a result of any material in this article. Information and advice relating to your specific commercial dealings can be obtained by contacting HWL Ebsworth Lawyers.