Boards need to know about the Essential 8
What should a company Board understand about the Essential 8?
Introduction
Boards, Responsible Managers and Compliance Managers of Australian Financial Services Licence (‘AFSL’) holders need to be aware of the emerging challenges around cyber security. The leaders of the business should be continuously building their knowledge and awareness of cyber risks to their funds and investment management operations.
The Australian Securities and Investments Commission (‘ASIC’) has been supporting AFSL holders by providing guidance relating to emerging cyber issues in conjunction with the Australian Signals Directorate (‘ASD’).
A recent ASIC guidance note called Cyber Resilience Good Practices provides a great starting point for Boards, Responsible Managers and Compliance Managers of AFSL holders to better understand cyber risk.
One of the key points in ASIC's guidance to help AFSL holders navigate cyber risk is to understand the 'Essential 8'.
Who is the ASD?
The ASD is a statutory agency within the Australian Government's Defence Portfolio with functions established by the Intelligence Services Act. ASD is an integral member of Australia's national security community and works across the operations required of modern-day signals intelligence and security agencies. This includes intelligence, cyber security and offensive cyber operations in support of the Australian Government and the Australian Defence Force.
What are the Essential 8?
The ASD has developed a set of strategies to mitigate cyber security incidents. These strategies have been developed to help organisations protect themselves against a range of cyber threats. The ASD states that the most effective of these mitigation strategies are the Essential 8.
The Essential 8 have been designed to protect organisations' internet-connected information technology networks.
The principles behind the Essential 8 may be applied to enterprise mobility and operational technology; however, the Essential 8 were not designed for those environments, and alternative mitigation strategies may be more appropriate to defend against the unique cyber threats they face.
Boards should take proactive measures and implement controls for cyber risks
Boards should be taking proactive measures and implementing controls for cyber risks, characterised by implementation of the ASD strategies to mitigate targeted cyber intrusions.
As a starting point, Boards should learn about the ASD's Essential 8 strategies to mitigate the risk of targeted cyber incidents. In an AFSL setting, the AFSL holder should consider instituting the eight mitigation strategies that constitute the ASD Essential 8:
Patch applications - Regularly updating applications to address known security vulnerabilities.
Patch operating systems - Regularly updating operating systems to address known security vulnerabilities.
Multi-factor authentication - Requiring users to provide more than one form of authentication to access systems.
Restrict administrative privileges - Limiting the number of users with administrative access to systems, and limiting what those privileged accounts are used for.
Application control - Restricting the execution of unauthorised or malicious software to an approved set of applications.
Restrict Microsoft Office macros - Managing the use of macros in Microsoft Office documents to prevent malicious code execution.
User application hardening - Configuring web browsers, Office and other user-facing applications to minimise their attack surface and potential impact.
Regular backups - Creating, maintaining and testing backups of important data, software and configuration settings so they can be restored after an incident.
Essential 8 and relevance to ASIC
Boards should take note that ASIC refers to the Essential 8 in its current cyber guidance. AFSL Boards should consider that ASIC expects AFSL holders to incorporate the Essential 8 into their proactive measures and controls for cyber risks.
Conclusion
The AFSL holder’s Board is responsible for cyber resilience and for understanding the Essential 8.
ASIC guidance suggests that Boards should take ownership of cyber strategy and ensure the strategy is reviewed on a periodic basis to assess progress against the success measures outlined in the firm's overall IT strategy. Ownership of cyber strategy should also be supported by a qualified Responsible Manager.
Many of the AFSL Boards we see do not have a Director or Responsible Manager who is a knowledgeable IT governance professional.
If your Board is not as familiar with cyber resilience as you believe it should be, please contact me to discuss how I can assist your Board with regular reporting and review of your IT strategy, to maintain the compliance of your AFSL's cyber security and IT capabilities.