What next for cyber resilience?

Cyber threats facing Australasian businesses are growing in scale and complexity. What was once largely an issue for IT professionals is now a crucial consideration for all of us. Lawyers are no exception. Toby Gee and Oliver Tapper report

Businesses are increasingly recognising cyber security and cyber resilience requires active and vigilant engagement by the board and senior executive team, and should not be restricted to the IT department. With the introduction of mandatory data breach legislation in Australia expected later in 2016, it’s never been more important for all levels of an organisation to turn their attention to cyber risk and how their organisation might be vulnerable.
 
So where is cyber security and resilience heading, and how does a lawyer’s role fit into the picture?
The World Economic Forum lists cyber attacks as among the top five risks in terms of a combination of probability and impact. And in 2015, PWC reported that cyber risk is the top concern for insurers in Australia.
 
In addition to detection problems, a further difficulty in measuring the incidence of cyber crime is that due to the sensitive reputational issues surrounding a data breach or cyber attack, many cyber attacks go unreported: As Una Jagose, acting head of New Zealand’s Government Communications Security Bureau recently said, it is concerning that in a recent survey of major businesses in Australia, 43% of respondents said they did not report cyber incidents as they saw no benefit in doing so. It can be inferred that published data are probably a significant underestimate of the true prevalence and cost of cyber events.
 
The statistics demonstrate that cyber security incidents continue to be common and recurrent for Australasian businesses.
 
However, despite these risks, many Australasian businesses are neither confident in their information securities nor have cyber security strategies in place. In New Zealand, for example, 56% of businesses have reportedly been attacked at least once in the past year. Yet only 65% of New Zealand businesses are confident that their information technology systems are effective. And globally, Grant Thornton reports that only about half of the businesses surveyed (52%) in their International Business Report said they currently have a cyber security strategy in place.
 
Australasian regulatory response In the face of such significant risks, the governments of Australia and New Zealand are increasingly taking steps to protect and guide businesses, including through resilience guidelines, the expected mandatory reporting of data breaches, beefing up national systems to address cybercrime, and promoting national and international co-operation between regulatory bodies and industry.
 
The Office of the Australian Information Commissioner (OAIC), for example, recommends that all organisations governed by the Privacy Act 1988 (Cth) should have a data breach response plan in place, as doing so will assist an organisation in meeting its obligations under Australian Privacy Principle (APP) 11 (which requires an organisation to take ‘all reasonable steps to protect the information it holds’). A data breach response plan should set out a business’s organisational and procedural framework for managing a data breach, and the response plan should be tested regularly.
 
In 2015, the OIAC also released the ‘Guide to securing personal information’, which provides further guidance on what constitutes ‘reasonable steps’ under APP 11. While the guide is not legally binding, the OIAC will refer to it when undertaking Privacy Act functions, including when investigating whether an organisation has complied with its personal information security obligations or when undertaking an assessment. In short, the guide emphasises the importance of managing and protecting personal information during the stages of its lifecycle. The information lifecycle involves the following steps:
 
1 Consider whether to collect information – i.e. whether it is necessary to collect and hold personal information in order to carry out an organisation’s functions.
 
2 Privacy by design – how are personal information protection and handling procedures embedded in an organisation’s practices and policies?
 
3 Assessment of risks associated with the collection of personal information due to a new process or change to an existing process, or as business as usual.
 
4 Taking appropriate steps and implementing strategies to protect personal information held by an organisation.
 
5 Destruction or de-identification of personal information when it is no longer required.
 
The Australian Securities & Investments Commission (ASIC) is also supporting businesses in their efforts to improve cyber resilience, including through the publication in 2015 of the report “Cyber Resilience: Health Check”. The report contains guidance for small to medium sized businesses as well as large organisations such as banks and major infrastructure providers. ASIC sets out a number of key regulatory and compliance matters, including that a cyber attack may trigger Corporations Act breach reporting requirements, such as that a cyber attack may need to be disclosed as market sensitive information; the expectation that officers of an organisation may need to consider cyber risks when discharging their duties to consider risk management issues; and that the board should be actively engaged in managing cyber risks.
 
Importantly, the Australian Government has also committed to introducing a mandatory data breach notification scheme, and is currently inviting public comment on the draft Bill before introducing legislation later this year. The Bill would require government agencies and businesses subject to the Privacy Act to notify the OIAC and affected individuals following a serious data breach, or when there are reasonable grounds to believe that such a breach has occurred. Where it would not be practicable to notify each affected individual, the organisation would need to publish a public notice (i.e. on its website), and take reasonable steps to publicise the notice (for example, through a social media post).
 
What businesses should focus on
Part of the response from the government and professional organisations to cyber threats is to help educate boards, executives and others about how to respond to cyber risks (both before and after a cyber event).
 
The Australian Government recommends four key mitigations for businesses, which it says may reduce vulnerability to cyber attack by up to 80%:
 
Application ‘white-listing’: Allow only a defined list of applications to run on a network.
 
Patching system vulnerabilities: Computer system vendors constantly release operating system versions containing new patches to address vulnerabilities as they are discovered.
 
Patching application vulnerabilities: Similarly, applications like Java, PDF viewers, Microsoft Office release patches which should be installed.
 
Restricting administrative privileges to operating systems in accordance with the user’s duties.
 
Steps to improve cyber security include improving IT-related steps as above. But they also include addressing employee risks such as the need to train employees in how to be vigilant in relation to passwords, confidentiality of data and scam emails; reducing the quantity of any marketable data held by the business, and the period for which it is held, to reduce the attractiveness of the business as a target; and including cyber security checks and terms in contracting with suppliers.
 
How can lawyers assist businesses?
Lawyers play a key role in cyber resilience, which should enable them to participate actively, not merely after cyber events, but also in helping to increase the cyber resilience of the Australasian business community, and also cyber security – at least in relation to non-IT aspects of cyber security.
 
Lawyers can assist their clients by ensuring that they:
 
Are fully compliant with relevant regulatory regimes in relation to the protection of data held by them or their third party service providers.
 
Understand what cyber threats their organisation is vulnerable to, including assisting the organisation to identify and understand the potential impact that a cyber security incident could have on the organisation’s business operations, reputation, profitability and intellectual property.
 
Have a data breach response plan in place, which clearly sets out the framework for identifying, notifying and managing serious data security breaches, including that appropriate immediate advisory services are in place to manage the situation and contain any damage, and that all aspects of the plan are tested regularly to ensure their effectiveness.
 
Assess and mitigate their supply chain risk, including checking trading partners’ cyber security processes and requiring suitable cyber security measures on the part of such partners, and ensuring there are appropriate provisions in supply contracts (e.g. provisions relating to data ownership and access, privacy and data protection, compliance with specified security standards and data destruction).
 
Have in place suitable insurance to cover both first-party and third-party losses, together with event containment measures if appropriate.
 
As businesses increasingly move their key assets and systems to the digital sphere, and cyber risks continue to grow in volume and complexity, cyber security will become a growing critical concern. Whatever steps businesses and their legal advisors do or do not take, cyber risks are set to loom large in the coming years. Smart approaches in addressing them are likely to lead to market advantage and greater business sustainability.