Scrape Timestamp (UTC): 2023-09-20 02:01:58.032
Source: https://www.theregister.com/2023/09/19/australia_six_cyber_shields/
Original Article Text
Australia to build six 'cyber shields' to defend its shores

Local corporate regulator warns boards that cyber is totally a directorial duty.

Australia will build "six cyber shields around our nation," declared home affairs minister Clare O'Neill yesterday, as part of a national cyber security strategy.

Detailed in a speech before a summit on cyber security, the strategy's six "shields" comprise:

All of the above is scheduled to be in place by 2030, when O'Neill expects Australia to lead the world in all things cyber.

O'Neill wasn't the only senior Australian leader speechifying on Monday. Joe Longo, chair of corporate regulator the Australian Securities and Investments Commission (ASIC), warned the nation's boards to get serious about infosec.

"Cyber security and resilience are not merely technical matters on the fringes of directors' duties," he argued. "ASIC expects directors to ensure their organization's risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience."

Then came the warning: "Failing to do so could mean failing to meet your regulatory obligations."

That's a serious sentence. Failure to carry out directors' duties in Australia can leave board members liable for losses, or subject to civil or even criminal penalties.

Longo advised directors to "never make the mistake of subscribing – consciously or unconsciously – to the 'vaccination theory of cyber security.'"

"This is the belief that you've done everything you need to do, and you don't need to worry anymore. That just isn't true. It's not enough to sign a contract with a third-party supplier – you need to take an active approach to managing supply chain and vendor risk. Setting it and forgetting it does not, cannot, and will not work," he opined.

He also called for boards and directors to develop crisis plans to communicate with customers, regulators, and the market when things go wrong – plus a "clear and comprehensive response and recovery plan."

"It's worth highlighting that any incident response plan, if it is to be truly comprehensive, must include third-party suppliers and vendors," he added, and called for the same inclusive approach to incident response testing so that all participants are drilled in advance.

The chair also noted that "nobody guards what they don't have," and cited data from an ASIC survey that found almost half of respondents "indicated they don't identify critical information and business critical systems."

"Just as any country preparing against potential invasion must identify key strategic resources to be protected, so too an organization must identify the most critical information it holds so it can prioritize its protection." Doing so is "even more essential if a third party is managing critical systems or holding information," he concluded.
Daily Brief Summary
Australia plans to construct 'six cyber shields' as part of a national cybersecurity strategy. The initiative is scheduled for completion by 2030, the time by which the country aims to be a global leader in cybersecurity.
This announcement was made by Clare O'Neill, Home Affairs Minister, during a seminar on cybersecurity.
Joe Longo, chair of corporate regulator the Australian Securities and Investments Commission (ASIC), underscored that cybersecurity and resilience are not merely technical aspects but intrinsic to directors' duties.
He further warned that lack of adherence to these responsibilities could result in failures to meet regulatory obligations, potential board member liability for losses, and possible civil or even criminal penalties.
Longo criticised the 'vaccination theory of cybersecurity', which assumes a one-time intervention is enough, and urged directors to persistently manage supply chain and vendor risks.
He called for the development of crisis plans, inclusive of third-party suppliers and vendors, to facilitate coordination with customers, regulators, and markets during security breaches.
Citing data from an ASIC survey, Longo stressed the importance of identifying and protecting critical information, especially when managed by a third party.