The corporate watchdog is considering its enforcement role for cyber security and AI
ASIC is examining its regulation and enforcement role for cyber security and artificial intelligence as the technology spreads and vulnerabilities emerge.
The role of directors and how effectively companies manage fallout from breaches is being examined by the Australian Securities and Investments Commission as it considers its role enforcing and regulating cyber security.
And ASIC is also working to understand how banks and insurers are using artificial intelligence.
While cyber is not a 2024 enforcement priority, ASIC deputy chair Sarah Court told The Australian it was an area of interest – particularly through the lens of directors’ duties.
“Given the nature of the information a company may hold about people, we will look at whether the company should have been doing more to protect that information,” she said.
“Once a breach has occurred, we will also look at the response. How has the company dealt with people that are affected, how quickly have the communications got out, how quickly has it reacted to shut its system down?”
The regulator will examine what role a company’s leadership played during and following a cyber attack, Ms Court said.
“We are interested in the governance and the duties of directors and senior executives. Does the conduct or the failure to respond in a way that people expect constitute a breach of the directors’ duties obligations?” she said.
A number of high-profile Australian cyber breaches have led to sensitive consumer information being released online.
In 2022, Australia’s second biggest telco, Optus, was hacked and personal data, including passport numbers, birth dates, names and addresses of up to 10 million customers, was leaked.
Last year, Optus experienced a major network outage, but the company failed to hold a press conference on the day of the failure or provide regular updates. The two crises led former chief executive Kelly Bayer Rosmarin to resign.
As well, private health insurer Medibank was hacked in 2022 and sensitive information of about nine million Australians was stolen.
In the aftermath of the attack, Russian hackers published details such as pregnancy terminations and mental health data to the dark web.
ASIC conducted an inaugural, voluntary self-assessment of corporate Australia’s cyber resilience and last year released a report that “exposed deficiencies in cyber security risk management” practices. It found companies were reactive to attacks rather than proactive.
The results showed 44 per cent of participants did not manage third-party or supply chain risks and 58 per cent of participants said they had limited or no capability to protect information adequately.
Discussing artificial intelligence, Ms Court said that as the technology had rapidly progressed in the past 12 months, ASIC was taking a “very keen interest” in trying to understand the role and impact of AI across the economy.
“From our perspective, we’re looking at how is AI being used by the sector we are regulating. By banks or by insurers, is it being used in a fair way? Can the companies explain how it is being used?” she said.
“Let’s say you’ve got an insurance claim that’s being denied using AI. We want to know who is responsible for that.
“What factors have been taken into account and the point that we’ve been making is that the company has to be able to explain how AI is being used and how results are eventuating.”
Ms Court said the regulator needed to ensure companies cannot absolve themselves of liability for unlawful conduct “by saying, ‘Oh, well, it wasn’t us. It was this machine – it wasn’t really us’.
“So the governance around AI and how it’s used in relation to consumers in particular, again, is something we’re taking a very keen interest in.”