
Regulators cracking down on cyber risks


By Karin Derkley



Directors who fail to address cyber security risks as a key part of their governance role are putting their organisation at risk and may attract the scrutiny of regulators, according to a new report on cyber security.

The MinterEllison report "Perspectives on Cyber Risk 2021" found that regulators including ASIC and the ASX have increased their scrutiny and enforcement action in relation to privacy, data protection and governance.

Regulators have been signalling action for many years and ASIC has now identified "deterrence-based enforcement action" as one of its critical cyber supervisory projects for 2021, MinterEllison partner Paul Kallenbach said.

"Woe betide any director who doesn’t consider this to be a top five risk for the organisation – the risk is prevalent and increasing and regulators are watching," he said.

A positive finding of the MinterEllison report is that awareness of cyber risk has increased substantially among the director community. "Six years ago, we were imploring those at the top of organisations to take notice of this issue – it is now expected that cyber risk has a high profile at board level," Mr Kallenbach said.

MinterEllison found that more organisations are testing their data breach response plans, with 55 per cent of survey respondents indicating that their data breach response plans were being tested at least annually, compared with 34 per cent last year.

But more still needs to be done to protect against cyber attacks, the report found. Organisations most likely to have a tested data breach response plan are larger organisations that have previously dealt with cyber attacks.

It should not take a cyber attack to put in place or test a data breach response plan, Mr Kallenbach said. "Unfortunately, the most effective lever to persuade an organisation to test its data breach response plan is for it to suffer a serious cyber risk incident. Such an incident will take a company from having a plan to testing that plan."

Individuals remain the prime targets of cyber attacks, the report found, with 70 per cent of incidents arising from phishing attacks, and a further 17 per cent of incidents involving invoice fraud. Just 13 per cent of incidents arose due to technical forms of attack, such as DDoS (Distributed Denial of Service) attacks.

The shift to remote working due to COVID-19 had increased cyber security risks, the survey found, with 40 per cent of survey respondents saying they faced increased cyber security risks.

MinterEllison advises organisations and their boards to:

  • develop a thorough understanding of their supply chain, including their key vendors’ IT security and operational postures to mitigate against the introduction of weak links.
  • build for resilience in the procurement and operation of crucial ICT systems to mitigate against events that may be outside an organisation’s control.
  • keep up a regular program of security training and awareness to address the human factor in cyber incidents.
  • consider joining an industry group or forum to share intelligence regarding cyber risk and evolving cyber threats.

Views expressed on (Website) are not necessarily endorsed by the Law Institute of Victoria Ltd (LIV).
