Australia: Cyber security: Risk management

Clayton Utz Insights

Key Points:

As with all risk management, there is no one-size-fits-all approach, but some basic steps will help you build a robust, nimble and practical cyber barricade.

It has been said that the only safe computer is one that is not connected to the internet. While the internet has become core to the conduct of modern business, it also poses a major threat to business. Cyber attacks can range from simple denial of service attacks (as happened in Estonia recently, where several websites were blacked out) to sophisticated data thefts across a broad spectrum of interests. Recently US businesses such as Target, Neiman Marcus Stores and Michael's Arts and Crafts have suffered major data breaches. Such breaches can include scraping information from customer credit cards or, in the case of Target, gaining access to over 110 million confidential customer records. At another level, cyber attacks can be used to destabilise an economy — as is evident in the current Ukraine conflict.

As a business entity you need to manage these cyber security risks, and your lawyers need to understand such risks and their causes and be able to advise on appropriate risk management. If cyber security is not well managed, an organisation risks business disruption, theft of business secrets or customers, fraud and the resultant damage to the bottom line.

If self-interest were not enough of an incentive, there is also an increasing demand from regulators and even from parties to commercial contracts to ensure data protection.

As a legal adviser to business you need to understand where your client / business holds its own and its customers' information, and the security arrangements that are in place to protect that information. Involvement in the business's procurement activities will necessitate addressing (in contractual documentation) supply chain risk as well as privacy, confidentiality and intellectual property protections. Your role will be shaped by the nature of your organisation's business. For example, critical infrastructure providers will be looking to maintain uptime; retailers will be seeking to protect customer data; financial services organisations will be concerned about fraud as well as data protection; and government will be concerned about data protection and national security.

Guidance coming from collaboration between the public and private sectors provides useful insight into how you can guide your client / business on implementing effective cyber risk management strategies.

Government initiatives to improve private enterprises' cyber security

Governments and private enterprises are increasingly aware of the need to maintain information risk at an acceptable level and protect information from unauthorised modification, disclosure or attack. Similarly, they need to ensure that their services and systems are continuously available.

Given this, it's not surprising that various governments are addressing cyber security issues in collaboration with the private sector. The guidance these governments provide is useful to business wherever the business is located.

The most recent example is the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014.

This Framework flows from Executive Order 13636 issued by President Obama on 12 February 2013, which established that "it is the Policy of the United States to enhance the security and resilience of the [USA's] critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties". The Executive Order also sought to identify critical infrastructure where a cyber security incident could result in catastrophic regional or national effects on public health or safety, economic security or national security, and provided for sharing of cyber threat information between the US Government and US private sector entities to assist them to address cyber security threats.

The Executive Order's main impact however was the development of a cyber security framework. This would focus on cross-sector security standards and guidelines applicable to critical infrastructure, and provide a prioritised, flexible, repeatable, performance-based and cost-effective approach to help owners and operators of critical infrastructure to identify, assess and manage cyber risk — supplementing, not replacing, their existing cyber security practices.

The new Framework adopts a risk-based approach and is composed of a Framework Core, Framework Implementation Tiers and Framework Profiles. As a living document, it is intended to evolve over time. It identifies five functions — Identify, Protect, Detect, Respond and Recover — to help executives to distil key issues in cyber security risk and map their organisation's readiness and ability to deal with cyber attacks. This may reveal that an organisation is properly addressing cyber security risks, or, alternatively, that there are gaps in its approach.

The Framework also helps in forming and prioritising cyber security decisions, and aligning policy, business and technological approaches. As such, organisations can use the Framework to identify activities that are important to them and to prioritise investment to maximise return to the organisation.

A Roadmap for Improving Critical Infrastructure Cybersecurity was also released alongside the Framework, to align the development of the Framework and its use. A range of critical infrastructure protection plans has also been developed in the USA. These cover commercial facilities, communications, critical manufacturing, dams, energy, the defence industry, financial services, IT, health care and other sectors. Such plans also help to align the approach and reactions of government and the private sector should an attack occur.

Separately, a Council on CyberSecurity was established in 2013 as an independent, expert, not-for-profit organisation with a global scope committed to the security of an open internet. This Council has been developing a range of Critical Security Controls, which are referenced in the NIST Framework.

The Council focuses at a community rather than a business level and has identified its "First Five Quick Wins":

  • application whitelisting;
  • patching applications;
  • patching operating system vulnerabilities;
  • reducing the number of users with administrative privileges; and
  • using standard, secure system configurations.

For an Australian enterprise, the first four of these correspond to the Australian Signals Directorate's four mitigation strategies; the fifth (standard, secure system configurations) is an addition.

So what do you tell your clients?

Information security

As a lawyer advising your client, your ultimate focus will be centred on the need to understand what information is held by your business and the need to protect that information. In the modern world, organisations hold information that is attractive to cyber criminals, competitors, nation states or hacktivists (those who have a moral or political concern about an organisation's activities).

Lack of information security can impact the core business of an organisation. A cyber attack can quickly lead to serious damage, including reputational damage, loss of customers, financial loss or disruption to business operations, a point recently made by Australian Securities and Investments Commission Chairman Greg Medcraft. He noted that technological advancements have taken the cost of cyber crime to about $110 billion annually; for Australian companies each attack costs about $2 million. For many organisations, information security was traditionally treated as a technical issue. It is now generally recognised that there needs to be a systemic, enterprise-wide approach to information security. Businesses need to focus on end-to-end processes.

This requires involving a range of people in an organisation in managing information security. This would include the legal team, the IT infrastructure and procurement teams, the CEO and COO and whoever else is responsible for risk management, those with information security oversight and management responsibilities (such as information security managers and the CIO), those with system/security design, development and implementation responsibilities, and those who test, monitor and audit information systems. As a lawyer you need to be aware of the need to consider the entire business risk spectrum when advising on cyber security issues. At a specific level, Privacy Commissioners across the globe are, as a protective measure, emphasising the need to rationalise the collection of personal data from customers. In particular, organisations should collect, and then retain, only the personal information necessary for a particular purpose, and should include several layers of security. This security goes beyond anti-virus software and other technical security to physical security and HR security as well.

From a business perspective, all of this needs to be done while containing the cost of IT infrastructure and security management.

Asset management

An organisation must identify weak links in its systems, which, at a basic level, means understanding its assets. To manage assets properly, physical devices, software platforms and applications need to be inventoried and tracked, and organisational data flows need to be mapped. As a lawyer, you will be confirming that asset registers are maintained and kept up to date.

Crucially, supply chains need to be identified and cyber security roles and responsibilities (including suppliers' and customers') established. Supply chain risk management, or the lack of it, could form the weakest link in an organisation's cyber security risk management if not properly addressed. Since an organisation could have good procedures but be exposed by a supplier's failure to have similarly good procedures, suppliers must be "locked in" to similar cyber security processes. As noted above, the USA Framework provides guidance on how to do this across industry. Such issues should also be addressed in ICT contracts, or in contracts where services rely on an underlying ICT framework.

Many organisations engage in transactions that are of high or critical business worth, for example procuring critical business inputs or engaging in financial transactions including mergers or acquisitions. To manage these risks, information flows about the activity need to be controlled. As a legal adviser you will invariably be involved in preparing confidentiality deeds. However, you may also need to be involved in the organisation's strategy to protect sensitive information.

For example, special networks (outside the organisation's usual IT network) may need to be set up for use by the deal team. Data may also be encrypted (subject to any legal requirements to the contrary). Where encryption and/or passwords are used, care is still needed, because passwords can become the weakest link. Organisations should also consider monitoring access to the special networks to identify any suspicious activity.

Cyber security governance

Underpinning all these efforts should be cyber security governance, as effective governance is the key to ensuring all the elements of cyber security operate effectively.

As a starting point, organisations must understand their business environment. This includes knowing the organisation's role in the supply chain and its place in its industry sector. Organisations need to establish compliance processes to monitor their regulatory, legal and operational requirements and their risk appetite. Cyber security compliance needs to be on legal compliance checklists.

Stakeholders and their roles must be clearly defined, with guidance and escalation processes for addressing cyber security issues, such as a framework for stakeholders' collaboration on resolving those issues.

Another key component of cyber security governance is effective reporting on cyber security issues, together with proactive and continuous monitoring. In addition, if monitoring reveals a problem, the problem needs to be addressed. Ignoring issues that are flagged can lead to regulatory breaches, data breaches and reputational loss. It has been reported in respect of US cyber attacks, for example, that some victim companies failed to act on warning signs.

Once these issues are identified, the role of information security in the organisation can be identified and relevant information security policies can be developed. Legal and regulatory requirements regarding cyber security can then be mapped, monitored and managed. The various guidance documents issued by national governments (see above) provide assistance on how to do this.

Case study

Your business holds a range of important customer data and is procuring outsourced ICT services under a long-term contract. You want to achieve a good total cost for the services. You are seeking quality services that enable you to benefit from technological improvements over time. You are interested in a mixture of managed services and cloud technology.

Apart from the traditional outsourcing legal requirements, as a lawyer you need to address cloud security and privacy issues. Ideally you will find out where the cloud storage is maintained and across which jurisdictions data will flow. Protection against harmful code will also be paramount — malware and other virus attacks have become prevalent (see, for example, the Target cyber attack early this year). Additionally, the contract documentation should address procedures for updating software protections and for disaster recovery should a successful cyber attack occur. Asset management, configuration control and supply chain logistics should also be investigated.

Your client / business needs to know where the equipment / hardware used to provide the ICT services is sourced and how ongoing support (including patch management) will be managed. Asset register obligations may be relevant depending on the nature of the services (for example, in a managed service, equipment needs to be identified and tracked). Thus, as a lawyer, you need to think at a broad organisational level to ensure your contracts and policies address end-to-end business requirements. Then, at the business level, the business needs to weigh the outsourcing cost against the risks and business impacts of cyber security breaches, among other things.

Criminality and fraud, quite apart from terrorist activity, have gone digital, along with other business disruptors, so a cyber security governance framework with relevant compliance monitoring is essential.

Organisations need to identify and assess cyber security risks in accordance with their level of risk tolerance, informed by a proper understanding of the rise of digital crime and fraud. Risk tolerance will depend on the nature of the organisation's business, its ability to transfer, avoid or mitigate the risk, and the impact of the risk on the organisation's delivery of goods or services.

As with all risk management, there is no one-size-fits-all approach. However, the steps outlined above should assist any organisation in creating a robust, nimble and practical cyber barricade.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.