World Economic Forum and cyber security
By Greg Medcraft
Cyber security is one of the many big issues I have been discussing with leaders over the last few days at the World Economic Forum in Davos. It's on people's minds, not least because of this week's Yahoo data breach that affected more than 1 billion victims and the political fallout of the US presidential election.
But it's also a burning issue because leaders understand fundamentally that being able to make hundreds of thousands of transactions in a second and send masses of data globally in an instant means a reciprocal and marked increase in risk.
Even excluding the Yahoo breach, there has been significant growth in the number, sophistication and severity of global cyber attacks in the last few years. Between July 2015 and June 2016, CERT (the national Computer Emergency Response Team) responded to almost 15,000 cyber security incidents – 418 of which involved systems of national interest and critical infrastructure.
PricewaterhouseCoopers also found recently that 65% of Australian organisations experienced cyber crime in the last 24 months.
The way to combat this risk is through cyber resilience, that is, the ability to prepare for, respond to and recover from a cyber attack.
There are a number of ways a cyber attack might harm an organisation or a person, such as:
- integrity breaches – the manipulation of correct data;
- confidentiality breaches – theft of personal information;
- availability breaches – such as shutting down critical infrastructure and online services.
Cyber security is fundamentally important to all organisations that hold confidential information and it is critical to maintaining trust between the organisation and its customers.
Industry research shows that over 60% of customers would stop using a company's products or services if a cyber attack resulted in a known security breach. This would have a catastrophic impact on any business, even if the breach was temporary.
The very real threat – and consequences – of a cyber attack means organisations must address the issue fully. In fact, their preparedness must be a long-term commitment that has to be embedded in their very culture.
But resilience is different from just preventing or responding to an attack – it also means operating during and then recovering from an attack. Customarily, organisations have focused on protection. But to truly manage this risk it is vital that companies better adapt to change, reduce their exposure to risk, and learn from incidents when they occur.
The increasing incidence, complexity and reach of cyber attacks can undermine businesses, destabilise fair, orderly and transparent markets and erode investor and financial consumer trust and confidence in the financial system.
As such, ASIC sees cyber attacks as a major risk for our regulated population. This risk is equally real for both large and small participants.
Our goal is to encourage improvements to cyber resilience for those entities operating in Australia’s financial markets, which will in turn lift the overall cyber resilience of our financial markets. However, we recognise this resilience may only be as strong as the weakest link. We recognise the practical limitations in the role we can play to lift cyber resilience in individual organisations.
So our approach is to work with our stakeholders to ensure they are aware of their obligations and of the evolving cyber threat landscape.
To raise awareness, ASIC published two key reports in this area.
In March 2015, we issued a Cyber Resilience Health Check that noted the obligations on directors and officers to discharge their duties with care and diligence extend to cyber security. However, many boards are still leaving it to their technology leaders to manage this threat.
And then in March 2016, we released a Cyber Resilience Assessment report into ASX and Chi-X. This report covers a range of topics including questions all boards should consider asking to ensure they are appropriately positioned.
For instance, are cyber risks an integral part of the organisation's risk management? How often does the board review the cyber resilience program? Does the board need further expertise to understand the risk? What needs to occur in the event of a breach?
As the Yahoo incident has shown, the potential for cyber attacks on Australia and our critical infrastructure is unlikely to taper off.
ASIC urges all businesses to be aware of the cyber risks they face and take action to improve cyber resilience. The consequences of not doing so could well have grave implications for the integrity of our financial system.
This article originally appeared in The Australian newspaper on Friday 20th January 2017.
Greg Medcraft is chairman of the Australian Securities and Investments Commission.