
Weak Cyber Security Lands Company in Court
IN A PRECEDENT-SETTING JUDGMENT, THE FEDERAL COURT RULED AGAINST A COMPANY OVER INADEQUATE CYBER “RISK MANAGEMENT SYSTEMS.” THE COMPANY WAS ORDERED TO PAY THE CORPORATE REGULATOR, ASIC, $750,000 IN DAMAGES.
THIS CASE IS A WARNING FOR ALL BOARDS THAT WEAK CYBER SECURITY MAY RESULT IN LEGAL CONSEQUENCES CARRYING SUBSTANTIAL FINANCIAL PENALTIES.
BACKGROUND
Over a period of six years, a Melbourne-based company faced nine cyber security incidents. In many cases, criminals launched Business Email Compromise (BEC) attacks in which the company’s email systems were hacked.
Once inside its systems, hackers used company email addresses to send fake requests for money transfers to commercial partners. In one instance, this resulted in a $50,000 fraud.
WHAT IS BUSINESS EMAIL COMPROMISE?
BEC is now the most widely reported form of cyber-crime in Australia.
Last financial year, over 4,600 BEC incidents were reported to the Australian Cyber Security Centre. The average amount lost in a successful BEC attack exceeded $50,600 – a whopping 54% increase on the previous year.
BEC often involves criminals hacking into an email account belonging to a CEO or CFO, which is used to send fake messages to either commercial partners or Accounts Payable staff with instructions to process payments to a bank account controlled by the criminals. In other cases, attackers hack into supplier emails and manipulate the banking information in any attached invoices, so payments are redirected to bank accounts controlled by the criminals.
Given these risks, boards have a responsibility to implement systems that help mitigate cyber-threats such as BEC. ASIC is now firmly focused on boards that are not yet taking the threat of cybercrime seriously!
DOES ASIC HAVE YOU IN ITS SIGHTS?
Governance standards around cyber security are increasingly on ASIC’s radar. Of course, all directors and officeholders have an obligation to act in good faith in the best interests of their company in accordance with the Corporations Act. Now, ASIC is exercising its powers in relation to a company for failing to have adequate cyber risk management systems in place.
Whilst it may not be possible to reduce cyber security risk to zero, it is possible to materially mitigate the risk with adequate controls.
WHAT BOARDS NEED TO CONSIDER
As instances of cyber-attacks, such as BEC, increase exponentially, boards must be able to demonstrate to regulators and courts that they are adopting reasonable cyber risk mitigation standards.
And with BEC now impacting more Australian organisations than ever before, it’s not reasonable to process payments without first ensuring that you are protected from BEC attacks.
Australian organisations are particularly vulnerable to BEC due to a gap in payment verifications, whereby Australian banks can’t match a beneficiary Account Name with either the BSB or Account Number.
Knowing this, boards must have systems in place to plug the verification gap in order to enhance their resilience against BEC attacks.
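The verification gap described above is one an organisation can close on its own side of the payment run. The following is an added example, not Eftsure’s product or any code from the original article: it keeps a register of banking details that were verified out-of-band (the supplier IDs, names, BSBs and account numbers are constructed) and checks every outgoing EFT instruction against it before release. A payment is held if the BSB or account number differs from the verified record (the manipulated-invoice pattern), if the payee name does not match the verified account name, or if the supplier has no verified record at all. The BSB and account number format rules are assumptions for illustration.

```python
"""Beneficiary verification for outgoing EFT payments (constructed example).

The bank will not check that the Account Name belongs to the BSB/Account
Number, so that check is performed here, against a register of supplier
banking details that were verified through a separate channel.
"""
import re
from dataclasses import dataclass

# Assumption: an Australian BSB is six digits, optionally written as 123-456.
BSB_RE = re.compile(r"^\d{3}-?\d{3}$")


@dataclass(frozen=True)
class BankDetails:
    name: str
    bsb: str
    account: str


def normalise_name(name: str) -> str:
    # Case- and punctuation-insensitive: "Acme Pty Ltd" matches "ACME PTY. LTD"
    return re.sub(r"[^a-z0-9]", "", name.lower())


def normalise_bsb(bsb: str) -> str:
    return bsb.replace("-", "")


# Constructed register. Assumption: each entry was confirmed with the supplier
# via a known phone number before being added, and is only changed the same way.
VERIFIED_SUPPLIERS = {
    "SUP-001": BankDetails("Acme Widgets Pty Ltd", "063-000", "12345678"),
    "SUP-002": BankDetails("Northern Logistics", "013-000", "87654321"),
}


def check_payment(supplier_id, payee_name, bsb, account, registry=VERIFIED_SUPPLIERS):
    """Return the list of findings for one payment; an empty list means it may proceed."""
    findings = []
    if not BSB_RE.match(bsb):
        findings.append("invalid BSB format")
        return findings
    # Assumption: account numbers are 6 to 10 digits.
    if not account.isdigit() or not 6 <= len(account) <= 10:
        findings.append("invalid account number format")
        return findings
    known = registry.get(supplier_id)
    if known is None:
        findings.append("no verified banking record for supplier")
        return findings
    # Same supplier, different destination: the classic altered-invoice sign.
    if normalise_bsb(bsb) != normalise_bsb(known.bsb) or account != known.account:
        findings.append("bank details differ from verified record (possible invoice tampering)")
    # Name/number mismatch is exactly what the bank does not check.
    if normalise_name(payee_name) != normalise_name(known.name):
        findings.append("payee name does not match verified account name")
    return findings


def screen_batch(payments, registry=VERIFIED_SUPPLIERS):
    """Return {payment reference: findings} for every payment that must be held."""
    held = {}
    for p in payments:
        findings = check_payment(p["supplier_id"], p["payee_name"], p["bsb"], p["account"], registry)
        if findings:
            held[p["ref"]] = findings
    return held


# Constructed payment run: one clean payment, one with changed bank details,
# one to a supplier that was never verified.
SAMPLE_BATCH = [
    {"ref": "PAY-1", "supplier_id": "SUP-001", "payee_name": "ACME WIDGETS PTY LTD",
     "bsb": "063000", "account": "12345678"},
    {"ref": "PAY-2", "supplier_id": "SUP-002", "payee_name": "Northern Logistics",
     "bsb": "033-000", "account": "11223344"},
    {"ref": "PAY-3", "supplier_id": "SUP-777", "payee_name": "New Vendor Co",
     "bsb": "062-000", "account": "55556666"},
]

if __name__ == "__main__":
    for ref, findings in screen_batch(SAMPLE_BATCH).items():
        print(f"HOLD {ref}: {'; '.join(findings)}")
```

Running the batch holds PAY-2 and PAY-3 and lets PAY-1 through. The point of the design is that the register, not the invoice, is the source of truth for where money goes: an invoice arriving with new bank details produces a hold and a callback to the supplier, never a silent update.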
Failing to do this could see ASIC haul an organisation before the courts!
HOW EFTSURE CAN HELP
Protecting your organisation from BEC is now easier than ever, thanks to Eftsure’s unique fraudtech solution. Our proprietary database aggregates verified banking data from over 80% of active Australian organisations. Whenever your Accounts Payable team processes outgoing EFT payments, the beneficiary details are matched against the records in the Eftsure database.
Mismatched payment records are flagged, giving you a chance to stop fraudulent or incorrect payments before it’s too late!
With Eftsure sitting on top of your accounting processes, your organisation can demonstrate that you have the systems in place to mitigate the growing risk of BEC.
Contact Eftsure for a full demonstration: get.eftsure.com.au/demo/
This article was supplied as part of a paid advertising package.
