Six point cyber security check list for company directors and board members

The Corporations Act 2001 requires company directors and officers to discharge their duties with care and diligence. In its Cyber Resilience: Health Check, the Australian Securities and Investments Commission (ASIC) has clearly articulated its position on cyber security and directors’ duties, stating:

  • it considers board participation important to promoting a strong culture of cyber resilience [1]
  • a failure to meet obligations to identify and manage cyber risks may, if you are a director or officer of a company, result in you being disqualified from your role. [2]

So where do you start?

Our ‘Six Point Cyber Security Check List’ is intended to provide a high level entry point for company directors and board members to design strategies to meet their legal obligations on cyber security. [3]

Six Point Cyber Security Check List

1. Issue: Has your organisation implemented the Australian Signals Directorate’s Top 4 Cyber Risk Mitigation Strategies?
   Strategy: The Australian Signals Directorate (ASD) suggests that implementing its Top 4 mitigation strategies to protect your ICT system can address up to 85 percent of targeted cyber intrusions.

2. Issue: Ask your CIO the Cyber Security Operations Centre’s Questions Senior Management Need to be Asking about Cyber Security.
   Strategy:
   • What would a serious cyber incident cost our organisation?
   • Who would benefit from having access to our information?
   • What makes us secure against threats?
   • Is the behaviour of our staff enabling a strong security culture?
   • Are we ready to respond to a cyber security incident?

3. Issue: Take the ASIC ‘Cyber Resilience Health Check’.
   Strategy: ASIC’s Cyber Resilience: Health Check contains a number of ‘Health Check Prompts’ which provide useful guidance as to the questions directors and officers can ask in assessing their organisation’s awareness of and preparedness for cyber security issues.

4. Issue: Does your organisation collect or handle personal information? If so, is it compliant with the Privacy Act 1988 (Cth)?
   Strategy: Does your organisation meet the legal requirement to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure? (Australian Privacy Principle (APP) no. 11)

5. Issue: Does your organisation process card payments?
   Strategy: If so, is it (or its card payment processing service provider) compliant with the Payment Card Industry’s Data Security Standard (PCI DSS): Requirements and Security Assessment Procedures?

6. Issue: Are your organisation, your outsourced service providers and the third party products used in your organisation compliant with applicable industry standards?
   Strategy: For example, the ISO 27000 series of IT and cyber security standards published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). See ISO/IEC 27018:2014; ISO/IEC 27001:2015.

Need to know more?

Read our related article Six cyber security standards you need to know about if you are a company director or board member.

_________________

1. Cyber Resilience: Health Check (ASIC Report 429), para. 102, page 29.
2. Cyber Resilience: Health Check (ASIC Report 429), paras. 146 – 148, page 38.
3. For convenience, key references in this check list are hyperlinked to relevant source documents. For more detail, see our article ‘Six Cyber Security Standards you need to know about if you are a Company Director or Board Member’.

If you would like further information, please contact us.

Author
Sean Field | Special Counsel
T +61 3 9258 3397
E sean.field@maddocks.com.au
