In an era where cyberattacks can bring even the biggest companies to their knees, the Australian Securities and Investments Commission (ASIC) is upping its game.
For SMEs, this crackdown means directors and executives can no longer afford to take a back seat on cybersecurity.
ASIC Chair Joe Longo and his organisation have made it clear that corporate boards will face serious consequences if they fail to protect their companies from cyber threats. Serious breaches carry penalties, including hefty fines and even prison terms (though that’s unlikely, says The Australian Financial Review).
Cyber Washing and Empty Promises
A significant part of ASIC’s focus is on preventing what they call “cyber washing” – companies giving empty promises of cybersecurity without showing actual, effective action.
This means your business can’t just say, “We’ve got it covered” without substantiation.
Boards must prove they’re doing all they can to prevent cyberattacks. ASIC is making it clear that the days of leaving cybersecurity solely to the IT team are over – cybersecurity is now a board-level responsibility.
Why This Matters to SMEs
You might be thinking, “This sounds like an issue for big corporates, not us,” but SMEs aren’t off the hook. Cyber incidents such as the Optus and Medibank breaches show that no business is safe from hackers.
Cyberattacks often target SMEs because hackers see them as easier pickings, with fewer resources dedicated to cybersecurity. For example, more than six in 10 SMEs are victims of cyberattacks.
Failing to act could result in huge financial losses, plus legal trouble if your board is found to have neglected its duty.
How Are Boards At Risk?
Your board’s aim is to protect both the business and its individual members. If ASIC finds that a board hasn’t taken cybersecurity seriously, directors could be personally liable.
Penalties that boards and directors may face include:
- Civil penalties (up to $1.565M for individuals, and higher for companies depending on the severity of the breach, under the current Corporations Act 2001, S.180)
- Disqualification
- Compensation orders
- The fallout from reputational damage.
But it’s not just ASIC that’s watching – clients, suppliers, and employees expect businesses to take their cybersecurity seriously. If your company suffers a breach, expect the fallout to be devastating.
Is the Punishment Too Severe?
There’s been some debate over whether ASIC’s tough stance might do more harm than good. Some industry leaders, such as Qantas chairman John Mullen, have argued that harsh penalties could discourage businesses from being open about their cybersecurity efforts and mistakes.
If boards are worried about being penalised, they might be less inclined to share valuable insights about dealing with breaches. This could hamper progress in the fight against cyberattacks.
What Can Your SME’s Board Do?
So, what does this mean for your SME? It’s clear that cybersecurity needs to be a priority for your board. Directors should be asking tough questions about your company’s cybersecurity measures:
- Are you regularly updating your systems?
- Do you have an incident response plan in place?
- Is there enough budget allocated to cybersecurity?
These are the types of questions ASIC expects your board to answer, and it wants not just words but evidence.
To bolster your strategy, check out resources such as the business.gov.au website, the Australian Cyber Security Centre, and the Cyber Security Handbook for small business and not-for-profit directors.
How Insurance Can Help
A key approach to managing the risks is through cyber insurance. Having the right insurance in place can give you some peace of mind if your business experiences a cyberattack.
Policies can vary quite a bit, though. Ensure your policy covers the specific risks your business faces. That’s where we, as your insurance broker or adviser, come in.
We’re on your side, working with you to tailor a policy that fits your business, so you’re not left exposed if the worst occurs. With ASIC cracking down, having the right coverage in place is essential, and that means regularly reviewing your policy coverage.
On the horizon
Cybersecurity will increase in importance as technology evolves and cyber threats become more sophisticated. ASIC’s crackdown signals a new era of accountability for businesses of all sizes.
Aim to be proactive, from implementing robust cybersecurity measures to making sure you’ve got the right insurance to cover them if something goes wrong. We’re here to help.