Insight,

Lessons for organisations and boards in the wake of ASIC’s November 2023 cyber pulse survey


Tell me in 30 seconds 

Regulated organisations have been warned to address significant gaps in their cyber security and resilience following ASIC’s latest cyber pulse survey. The results of the survey indicate that many organisations are not cyber mature and are reactive rather than proactive in managing cyber security. To mitigate the risk of regulatory action, organisations should focus on improving their management of supply chain risks, on protecting their confidential information, on developing effective risk governance frameworks and on developing and testing their cyber incident response plans.

Context

In November 2023, the Australian Securities and Investments Commission (ASIC) released its report on its most recent cyber pulse survey (the Report). The Report exposed deficiencies in Australian organisations’ cyber security risk management, highlighting a tendency for organisations to adopt a reactive, rather than proactive, approach to managing their cyber security.

In response to the findings, ASIC issued a stern warning, urging regulated organisations to address the “significant gap” in their cyber security and resilience. This is not an isolated warning - ASIC Chair Joe Longo recently stated that the regulator is prepared to take action against directors who fail to adopt adequate measures on the basis that they have not met their fiduciary duty to exercise care and diligence. The regulator has made it clear that effective cyber risk management should be a top priority for boards.

In light of these warnings, the Report offers useful guidance on what is expected of organisations and their leadership in relation to cyber security and cyber resilience. A failure by a regulated organisation to address the matters raised by ASIC in this report could ground an ASIC claim that the directors of the organisation have failed to exercise appropriate care and diligence.

This insight outlines our key lessons for regulated organisations and boards based on the findings in the Report.

Four key lessons

Lesson 1: Actively manage supply chain risks

The vulnerability of organisations to the security weaknesses of third-party vendors has been a focal point of previous ASIC guidance and commentary. ASIC has made it clear that organisations are not doing enough in this space, with 44% of survey respondents indicating that they do not manage supply chain risks.

While some organisations have mature models in place to mitigate third-party risk, the recent surge in high-profile cyber breaches originating from third-party providers should prompt directors to reassess whether they are doing enough to fulfil their duties in this space.

While what is required to discharge one’s duties will depend on the particular organisational circumstances, boards should ensure their organisations consider the following to ensure they are taking reasonable actions to manage supply chain risk: 

Risk assessment and due diligence
  • Conduct a thorough risk assessment to identify potential cybersecurity risks associated with third party suppliers.
  • Implement a due diligence process for evaluating the cybersecurity practices of potential and existing suppliers.
Contractual agreements
  • Include cybersecurity obligations in third party contracts and implement continuous monitoring and incident response protocols.
Monitoring and auditing
  • Implement regular monitoring and auditing processes to assess the cybersecurity posture of third-party suppliers.
Scenario planning
  • Conduct simulated cyber-attack exercises to evaluate the effectiveness of cyber incident response plans with third parties and prepare for potential cybersecurity incidents.

Lesson 2: Protect and encrypt confidential information

Data is increasingly recognised as the most valuable and complex asset held by organisations.  Alarmingly, a substantial two-thirds of survey respondents admitted to having limited or no capacity to protect their confidential information. Inadequate data strategies have given rise to greater data-related risk for organisations. Despite the ongoing accumulation of large volumes of data, organisations struggle to implement robust encryption measures for newly acquired data and often overlook the essential process of reviewing and deleting outdated legacy data when required. In many cases, boards lack adequate oversight of what data their organisation holds, and the risks associated with that retention. This is a concern echoed by the Federal Government’s discussion paper to the 2023-30 Cyber Strategy, which emphasised the need for stronger practices to protect the widespread collection of customer data.

While implementing effective data protection and retention practices is no easy feat, directors will be expected to establish appropriate oversight of management’s efforts in these areas and ensure that data practices are well-defined, monitored and prioritised. In particular, organisations should consider matters including the following to protect their data: 

Data encryption
  • Establish data encryption policies that mandate encryption of high-risk confidential information both in transit and at rest.
  • Use robust encryption algorithms and industry-recognised encryption standards to protect confidential information.
  • Implement management practices to generate, store and distribute encryption keys securely.
Prevent unauthorised transmission
  • Implement data leakage prevention solutions that monitor and prevent unauthorised transmission of confidential information, and configure their policies to detect and block confidential information.
  • Implement network segmentation to restrict movement of confidential information.
  • Implement file transfer protocols and solutions for sharing confidential information within and outside the organisation. 
Data destruction management
  • Develop and enforce a data retention policy that specifies how long data should be retained and when it should be securely destroyed.
  • Use secure data destruction methods appropriate to the data type and media.
  • Establish data destruction procedures for secure disposal of data.
  • Conduct regular audits and inspections of data destruction processes to verify effectiveness.
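The data encryption bullets above (encrypt confidential data at rest with a recognised algorithm, and generate, store and distribute keys securely) are the kind of control a board would ask management to evidence. As an added illustration that is not part of the original insight, the following Go program shows an envelope-encryption pattern using the standard library: each record is encrypted under its own AES-256-GCM data key, that data key is wrapped under a key-encryption key (KEK) that in practice would live in a key management service or HSM, and the record’s storage context is bound in as associated data so a ciphertext copied to a different context, a tampered ciphertext or a wrong KEK all fail authentication. The `Record` layout, the context strings and the in-memory KEK are constructed assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed layout for a confidential record at rest. The wrapped
// data key is stored alongside the ciphertext; the KEK that wraps it is not.
type Record struct {
	WrapNonce  []byte // nonce used when wrapping the data key under the KEK
	WrappedKey []byte // data key encrypted under the KEK (AES-GCM, tag included)
	Nonce      []byte // nonce used for the record payload
	Ciphertext []byte // payload encrypted under the data key (tag included)
	Context    string // stored in the clear; bound to both ciphertexts as AAD
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce and binds aad.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openWith decrypts and verifies; any change to ct, nonce or aad yields an error.
func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt generates a per-record 256-bit data key, encrypts the payload with it,
// then wraps the data key under the KEK. Only the KEK needs long-term protection.
func Encrypt(kek, plaintext []byte, context string) (*Record, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	aad := []byte(context)
	nonce, ct, err := sealWith(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealWith(kek, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &Record{WrapNonce: wrapNonce, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Context: context}, nil
}

// Decrypt unwraps the data key with the KEK, then decrypts the payload. A wrong
// KEK, a tampered ciphertext or a changed context all fail authentication.
func Decrypt(kek []byte, r *Record) ([]byte, error) {
	aad := []byte(r.Context)
	dataKey, err := openWith(kek, r.WrapNonce, r.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := openWith(dataKey, r.Nonce, r.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt payload: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed KEK for the demo; in production it is held by a KMS or HSM.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Encrypt(kek, []byte("constructed confidential record"), "customer-db/table-a")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, rec)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	// Copying the ciphertext to another context breaks the AAD binding.
	rec.Context = "customer-db/table-b"
	_, err = Decrypt(kek, rec)
	fmt.Println("after context change:", err)
}
```

The separation of data keys from the KEK is what makes key rotation and secure destruction tractable: rotating the KEK only requires re-wrapping data keys, and destroying a record’s data key renders that record unrecoverable without touching the bulk ciphertext, which supports the data destruction bullets above.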

Lesson 3: Develop effective risk governance frameworks using cyber security strategies

While directors may not need to have an in-depth understanding of complex digital subjects, being properly advised and understanding their organisation’s key cyber risks are critical. ASIC’s survey results revealed that some organisations are not doing enough to develop their risk frameworks, with 20% of organisations yet to adopt a cyber security standard. The responsibility for ensuring that an organisation designs, implements and monitors an effective cyber strategy and risk governance framework ultimately lies with the board.

Cybersecurity standards and frameworks are available to assist organisations to develop risk frameworks that identify, manage and mitigate cyber risks. However, it is not enough to have a plan in place; frameworks must be tested regularly alongside ongoing reassessments of cyber security risks. In line with these principles, organisations should consider the following good practice recommendations:

Develop cyber strategies and risk governance frameworks
  • Develop a cyber strategy and risk governance framework that identifies, manages and mitigates key cyber risks.
Adopt a cyber security standard
  • Engage a cyber security expert to evaluate the organisation’s key cyber risks.
  • Implement an appropriate security standard. 
Understand risk environment
  • Understand the organisation’s key cyber risks, including the main threat actors, their motivations, what they are targeting and the potential business impact of an attack. 
Ongoing monitoring
  • Regularly monitor and assess the organisation’s cyber strategy, risk governance framework and risk tolerance.

Lesson 4: Develop, implement and test cyber incident response plans

Central to any effective cyber risk framework is a comprehensive incident response plan capable of addressing both current and future risks. Of the organisations surveyed, 33% did not have a cyber incident response plan, and 35% failed to regularly test their existing plans. It falls upon senior management to develop, implement, and monitor an organisation's incident response plan. Within this plan, roles and responsibilities for management, IT, legal, compliance, and the board must be clearly defined to ensure a coordinated and effective response to cyber threats. Organisations should consider the following matters in relation to their cyber incident response plan:

Leadership and sponsorship
  • Ensure there is executive leadership sponsorship of the cyber incident response plan.
  • Ensure roles and responsibilities are clearly defined.
Incident classification
  • Establish a clear classification system for potential incidents based on severity and impact with clear criteria to define each classification level.
Incident containment and reporting
  • Develop clear procedures for containing incidents.
  • Define isolation measures and strategies for removing threats.
  • Establish a communication plan that outlines who should be informed during an incident.
  • Ensure compliance with data breach notification obligations.
Incident response plan testing
  • Conduct tabletop exercises or simulated incident scenarios regularly.
  • Consider engaging a third party to independently assess the effectiveness of the cyber incident response plan. 