The Australian Securities & Investments Commission (ASIC) released a report called ‘Cyber Resilience: Health Check’ in March of this year, outlining a number of approaches that can be taken to improve cyber resilience.
If you are an entity regulated by ASIC, you actually have legal and compliance obligations requiring you to review and update your cyber risk management practices. Not only could you be leaving your business exposed to risk – you could be in breach of legal requirements.
ASIC defines cyber resilience as “the ability to prepare for, respond to and recover from a cyber attack. Resilience is more than just preventing or responding to an attack—it also takes into account the ability to adapt and recover from such an event.”
The eight ‘Health Check Prompts’ outlined by the report ask whether you have considered:
- Whether your board and senior management are aware of your cyber risks.
  You are encouraged to review the level of board and senior management oversight of your cyber risks, including how frequently those risks are reviewed and updated.
- Assessing your organisation against the NIST Cybersecurity Framework.
  This framework assists you in determining your current capabilities, setting goals and establishing a plan to improve and maintain cybersecurity.
- What information or business assets are essential to your organisation.
  This may include intellectual property, people or personnel information, financial information, trade secrets, and strategic assets or information. It is useful to maintain an inventory of these assets and catalogue them according to their level of risk exposure.
- What cyber risks you are exposed to.
  A cyber risk assessment could involve identifying cyber risks, measuring and communicating those risks internally, and prioritising and implementing measures to mitigate them.
- The cyber resilience of vital third-party providers or clients.
  You may consider reviewing the cyber risk management of third parties critical to your business continuity, including the cyber risks of outsourcing arrangements or cloud-based services.
- Whether cyber risks are well integrated into your normal business risk management and procedures.
  You may want to assess whether you have adequate arrangements to identify, protect against, detect, respond to and recover from cyber risks, and whether these form part of your overall risk management, governance and business process change practices.
Read more on the legal implications of maintaining adequate cyber resilience in the ASIC report.
Cyber breaches in Australia are increasing at an alarming rate. Learn how to develop cyber-resilient processes, improve your protection against and detection of vulnerabilities, and integrate a whole-of-business approach at the Building Cyber Resilience Conference taking place in August. Book before June 26th to save $400.