ASIC chair Joe Longo has warned regulated businesses of the dangers of relying on third-party partners for their own security, singling out third-party suppliers, vendors, and managed service providers as “one of the weakest links” in organisations’ cyber resilience.
In an address to the AFR Cyber Summit this week, Longo warned that businesses ultimately have next to no control over the security of a third-party service provider, and that their own practices for managing the data they hand to third parties also leave much to be desired.
Citing a yet-to-be-released Cyber Pulse survey conducted by the corporate regulator, Longo revealed that nearly half of the regulated entities surveyed said they did not manage third-party or supply chain risk.
Further, more than half of respondents said they had limited or no capability to protect confidential information adequately – whether that information is held within the organisation or by third-party suppliers.
Almost half of the respondents to the survey also indicated failures to effectively classify data, revealing an inability to identify critical information and business-critical systems.
He stressed that information that is not identified before an attack ultimately “cannot be protected”.
Noting the substantial fallout for businesses and consumers when an attack reaches a company indirectly through one of its suppliers, Longo drew attention to the Latitude Financial breach, which directly hit one of the group's third-party data holders.
Although Latitude has around three million direct customers, the breach affected around 14 million people in total (including people who had previously held accounts with Latitude but no longer did).
He also drew attention to the Optus and Medibank data loss events, which he said were ‘wake-up calls’ for many Australian companies. In the space of just four months in 2022, this spate of data breaches affected the equivalent of nearly half (47 per cent) the Australian population, according to data from the Office of the Australian Information Commissioner (OAIC).
“The financial, legal, and reputational consequences of such attacks can be devastating for an organisation,” Longo said.
He also cited the attack on a third-party data holder connected to fund manager Perpetual, where data from around 45,000 Perpetual clients was leaked from a unit registry system.
“Understandably, an increasing number of businesses rely on third parties for software and critical data services.
“If those third parties are compromised, the confidentiality of personal and business data is put at risk,” Longo said.
The ASIC chair warned of a ‘disconnect’ between several key elements of cyber risk management: boards’ oversight of cyber risk, management’s reporting of cyber risk to boards, management’s identification and remediation of cyber risk, how cyber risk assessments are made, and how cyber risk controls are implemented.
“This disconnect must be addressed,” Longo said, warning that these elements are directly tied to firms’ regulatory obligations.
“Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties.
“ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could mean failing to meet your regulatory obligations.”
Reducing third-party risk
Longo set out three priorities to help organisations reduce cyber risk.
Firstly, he warned organisations to never just “set and forget” their security controls.
“Never make the mistake of subscribing – consciously or unconsciously – to the ‘vaccination theory’ of cybersecurity. This is the belief that you’ve done everything you need to do, and you don’t need to worry anymore. That just isn’t true.”
“It’s not enough to sign a contract with a third-party supplier – you need to take an active approach to managing supply chain and vendor risk. Setting it and forgetting it does not, cannot, and will not work.”
Secondly, he warned organisations to continuously plan and test for attacks.
“Boards and directors must ask themselves: Do they know how they would communicate with their customers, regulators, and the market when things go wrong? Do they have a clear and comprehensive response and recovery plan? Has it been tested?
“How will the company detect if the system has been broken, or exploited? History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility.”
He further warned that incident response plans and testing programs, “if [they are] to be truly comprehensive… must include third-party suppliers and vendors”.
“Simply having the plan isn’t enough – it needs to be tested, and it needs to be tested regularly. This will ensure you’re able to respond quickly in the event of a cyber incident.”
Thirdly, and finally, he addressed the problem of under-classification of data.
“[If]… information isn’t identified before an attack, it can’t be protected,” Longo said.
“Just as any country preparing against potential invasion must identify key strategic resources to be protected, so too an organisation must identify the most critical information it holds so it can prioritise its protection.
“This becomes even more essential if a third party is managing critical systems or holding information.”