
THE LEGAL Tougher laws coming to combat cyber attacks

The corporate regulator Australian Securities & Investments Commission recently levied a record $15 million fine against a company, signalling a hard line against businesses that do not follow market disclosure laws.

ASIC deputy chair Sarah Court said the watchdog had originally sought a penalty of $1 million and 12-year disqualifications for each of the directors of the logistics software company GetSwift, but the judge doubled the penalty to $2 million and disqualified one of the directors for 15 years.

The court found the software start-up had falsely claimed to investors it had made agreements with major clients including Amazon, when in reality those clients were only running trials or contemplating a trial.

These misleading claims led to GetSwift’s shares rising 800 per cent. The company has since gone into voluntary liquidation.

Business lawyer Christopher Morris at Stacks Law Firm said the punishment demonstrates ASIC and the courts are serious about clamping down on companies that breach continuous disclosure laws, including notifications of cyber attacks.

The federal government has announced it will also toughen laws over the next year to combat cyber attacks. This will include widening the types of businesses required to comply with cyber security measures, new cyber security obligations and standards across industry and government, and the new post of national cyber security co-ordinator.

The crackdown comes as University of Wollongong research found that only 11 of 36 cyber attacks against ASX-listed companies reported by the media were first reported to share market investors, as required by law.

The federal government’s Cyber and Infrastructure Security Centre requires businesses in telecommunications, defence, energy, financial services, food, water, hospitals, education and transport to implement critical infrastructure risk management programs.

Following the disastrous hacks of Medibank and Optus, the aim is to ensure companies have installed adequate anti-cyber attack measures to protect the personal data they hold from being hacked.

CISC rules began on 17 February 2023 and must be implemented within six months. Companies will have to submit an annual report to CISC within 90 days of the end of the financial year, starting from 30 June 2024.

Cyber Security Minister Clare O’Neil said current cyber security laws will be strengthened by adding customer data and systems to the definition of critical infrastructure and giving government authorities power to intervene in major data breaches.

Even tougher cyber laws are expected in the future and Mr Morris warned businesses will have to be on top of these changes, or they could face serious consequences.

“One financial services company which failed to have adequate cyber security installed as required under section 912A of the Corporations Act was recently fined $750,000,” Mr Morris said.
