The Corporations Act 2001 requires company directors and officers to discharge their duties with care and diligence. In its Cyber Resilience: Health Check, the Australian Securities and Investments Commission (ASIC) has clearly articulated its position on cyber security and directors’ duties, stating:
- it considers board participation important in promoting a strong culture of cyber resilience [1]
- a failure to meet obligations to identify and manage cyber risks may, if you are a director or officer of a company, result in you being disqualified from your role. [2]
So where do you start?
Our ‘Six Point Cyber Security Check List’ is intended to provide a high level entry point for company directors and board members to design strategies to meet their legal obligations on cyber security. [3]
Six Point Cyber Security Check List
| No. | Check | Commentary |
|---|---|---|
| 1. | Has your organisation implemented the Australian Signals Directorate’s Top 4 Cyber Risk Mitigation Strategies? | The Australian Signals Directorate (ASD) suggests that implementing its Top four mitigation strategies to protect your ICT system can address up to 85 percent of targeted cyber intrusions. |
| 2. | Ask your CIO the Cyber Security Operations Centre’s Questions Senior Management Need to be Asking about Cyber Security. | |
| 3. | Take the ASIC ‘Cyber Resilience Health Check’. | ASIC’s Cyber Resilience: Health Check contains a number of ‘Health Check Prompts’ which provide useful guidance as to the questions directors and officers can ask in assessing their organisation’s awareness of and preparedness for cyber security issues. |
| 4. | Does your organisation collect or handle personal information? If so, is it compliant with the Privacy Act 1988 (Cth)? | Does your organisation meet the legal requirement to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure? (Australian Privacy Principle (APP) no. 11) |
| 5. | Does your organisation process card payments? | If so, is it (or its card payment processing service provider) compliant with the Payment Card Industry’s Data Security Standard (DSS): Requirements and Security Assessment Procedures? |
| 6. | Are your organisation, your outsourced service providers and the third party products used in your organisation compliant with applicable industry standards? | For example, the ISO 27000 series of IT and cyber security standards published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). See ISO/IEC 27018:2014; ISO/IEC 27001:2015. |
Need to know more?
Read our related article ‘Six cyber security standards you need to know about if you are a company director or board member’.
1. Cyber Resilience: Health Check (ASIC Report 429), para. 102, page 29.
2. Cyber Resilience: Health Check (ASIC Report 429), paras. 146 – 148, page 38.
3. For convenience, key references in this check list are hyperlinked to relevant source documents. For more detail, see our article ‘Six Cyber Security Standards you need to know about if you are a Company Director or Board Member’.
If you would like further information, please contact us.
Sean Field | Special Counsel
T +61 3 9258 3397