July 2023 has been another busy month in the world of cyber security (yes, another one). This update summarises the top cyber-related news for July, including:
- regulatory developments such as APRA's new Operational Risk Management standard, plus new cyber disclosure rules introduced by the U.S. Securities and Exchange Commission;
- new insights into the rising average cost of a data breach, lower rates of victim organisations paying ransom demands, and research into impacts of cyber crime on impacted individuals; and
- growing fallout of the MOVEit hack, an attack on beauty giant Estée Lauder, and the spread of surveillance malware developed by a Chinese state-sponsored group, APT41.
News from HSF
AFR Cyber Summit (18 September)
HSF is sponsoring the Australian Financial Review's inaugural Cyber Summit on 18 September in Sydney. The Summit is likely to be one of the more significant cyber conferences of the year, focusing on safeguarding Australian businesses and managing cyber incidents. The Hon Clare O'Neil MP, Minister for Cyber Security, will deliver the keynote, and HSF's Cam Whittfield (Lead Partner, APAC Cybersecurity) is presenting on a panel titled 'How to deal with hackers'.
Cyber Insurance 101: Best practice tips for maximising cyber-insurance recoveries
Cyber incidents are becoming increasingly common and severe as systems and services continue to digitise. Cyber-risk mitigation is a priority for boards and management, including looking closely at their insurance policies to mitigate the financial fallout from a major cyber incident. In this article, Anne Hoffmann and Tristan Smith from HSF's Insurance Disputes team explore the role of cyber insurance in the cyber incidents that businesses may face.
Regulatory and industry news
APRA finalises new prudential standard on operational risk
Australian Prudential Regulation Authority (APRA) - 17 July 2023
APRA has released Prudential Standard CPS 230 Operational Risk Management (CPS 230), a new standard aimed at banks, insurers and superannuation trustees that will commence on 1 July 2025. APRA Chair John Lonsdale stated that the need for CPS 230 "has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches... and will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur." APRA's draft CPS 230 guidance is open for comment until 13 October 2023.
New IBA report provides first-of-its-kind global perspective on cybersecurity risk governance
International Bar Association - 31 July 2023
The International Bar Association (IBA) has released a groundbreaking report on cybersecurity governance for senior managers and boards to protect their organisations from cyber attacks. The report offers global perspectives on existing cyber threats and actionable steps to enhance cyber risk governance, drawing on sources from ten jurisdictions. The report provides 17 recommendations for senior management and boards, emphasising their shared accountability in tackling cybersecurity risks.
SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
U.S. Securities and Exchange Commission - 26 July 2023
The U.S. Securities and Exchange Commission (SEC) has adopted new rules requiring registrants to disclose material cybersecurity incidents to investors, as well as to disclose information on their cybersecurity risk management, strategy and governance on an annual basis. Foreign private issuers must also issue comparable disclosures. The rules will be effective 30 days after publication in the Federal Register, with disclosure deadlines starting from 15 December 2023.
OAIC investigates the AFP over surveillance concerns
CyberSecurity Connect - 24 July 2023
The Office of the Australian Information Commissioner is investigating the Australian Federal Police's (AFP) use of Auror, a "retail crime intelligence and loss prevention platform" used in 40% of Australian stores. Privacy risks associated with the AFP's use of Auror came to light in a Senate estimates hearing earlier this year, when it was revealed that a privacy impact statement had not been conducted for use of the software in the ACT. The software's features include vehicle tracking and automatic number plate recognition.
IBM Report: Half of breached organisations unwilling to increase security spend despite soaring breach costs
IBM - 24 July 2023
IBM research has found that the global average cost of a data breach in 2023 is US$4.45 million, representing a 15% increase over the last three years. Organisations that did not involve law enforcement in ransomware/data extortion attacks experienced higher average data breach costs. IBM's report reveals how businesses plan to handle the increasing cost and frequency of data breaches, based on its analysis of data breaches experienced by 553 organisations globally.
Ransom monetisation rates fall to record low despite jump in average ransom payments
Coveware - 21 July 2023
Research from cyber extortion incident response firm, Coveware, has found that the percentage of victim organisations paying ransom demands has fallen to a record low of 34% in the second quarter of 2023. This trend is understood to reflect companies' continued investment in security and incident response training to mitigate the effects of ransomware/data extortion attacks.
The 'nightmare' cybersecurity scenario being war gamed by government
Sydney Morning Herald - 8 July 2023
As part of a new series of cyber war games, the federal government facilitated a three-hour cyber simulation exercise with regulators, corporate leaders, police and members of government. Run at Sydney airport, the fictitious scenario prompted participants to consider how they would respond to a cyber attack on airport systems impacting passenger screening. Minister for Cyber Security, the Hon Clare O'Neil MP, stated that the war games "will be a permanent feature of [Australia's] cybersecurity and national security program so that when [Australia does] have the inevitable cyberattack which causes much more widespread damage, we're going to be able to manage it much more easily".
Appointment of National Cyber Security Coordinator
Prime Minister of Australia - 23 June 2023
The Albanese Government has appointed Air Marshal Darren Goldie AM CSC as the inaugural National Cyber Security Coordinator. He commenced his term as the National Cyber Security Coordinator on 3 July 2023.
Report: Cybercrime in Australia 2023
Australian Institute of Criminology (AIC) - 27 June 2023
The AIC has released its first report in the Cybercrime in Australia series, which aims to provide a clearer picture of cybercrime experienced by Australians and impacts on victims. A survey of 13,887 computer users in early 2023 found that 47% of respondents had been a victim of at least one cyber crime in the last 12 months. Of this number, 11.3% of identity crime victims and 25.5% of fraud and scam victims reported losing over $1,000 in the most recent incident. See also InformationAge article (3 July).
Recent cyber security media
Home affairs cyber survey exposed personal data of participating firms
The Guardian - 25 July 2023
The Department of Home Affairs confirmed that personal information collected through a small business cyber security survey was inadvertently breached. Reportedly, the names, business names, phone numbers and emails of more than 50 survey participants were unintentionally included in the survey report, which was posted to a parliamentary website in response to a question taken on notice during Senate estimates hearings in May. The data has since been removed.
Sky News Australia Facebook hijacked by hackers
CyberSecurity Connect - 25 July 2023
Sky News Australia is investigating a compromise of its Facebook account, after Vietnamese-speaking threat actors updated the publication's Facebook profile picture and posted content including a list of what appeared to be AOL Mail email addresses and passwords. It is unclear whether the published AOL Mail details are connected to the media outlet.
Service provider's probe counts more victims of MOVEit Hacks
DataBreach Today - 24 July 2023
According to cyber security researchers, more than 420 organisations have been affected by the Clop ransomware group's supply chain attack on the MOVEit file-transfer tool. Most affected organisations are based in the United States, where the FBI and the Cybersecurity and Infrastructure Security Agency continue to investigate. Seventy impacted organisations have publicly disclosed how many individuals were affected. One victim, the Teachers Insurance and Annuity Association of America, reported that data of 2.6 million members was exposed in the attack, including Social Security numbers, dates of birth and addresses.
BlackCat and Clop gangs both claim cyber attack on Estée Lauder
Computer Weekly - 19 July 2023
Make-up and skincare brand Estée Lauder is investigating unauthorised third-party access to its systems. The incident has been claimed by two of the most prolific hacking groups, ALPHV (otherwise known as BlackCat) and Clop (responsible for the MOVEit attack). ALPHV claimed that it stole 131 gigabytes of Estée Lauder's data, that it had not encrypted the brand's site, and that it would wait before revealing how it succeeded in the attack.
Chinese threat group APT41 linked to Android malware attacks
DataBreach Today - 20 July 2023
Cyber security researchers have observed Chinese state-sponsored espionage group, APT41, adopting malware targeting Android mobile devices. Once inside a device, two variants (WyrmSpy and DragonEgg) request extensive permissions to perform surveillance, and exfiltrate data including log files, photos, device location, SMS messages, audio recordings, contacts and messages. The malware is thought to be downloaded by users in a disguised form such as a default Android system app, third-party Android keyboards and messaging applications. Google has stated that no apps on Google Play contain this malware to date.
Regulator's files disclosed in HWL Ebsworth data breach
Lawyerly - 18 July 2023
The Fair Work Ombudsman (FWO) has revealed that some of its data was impacted by the HWL Ebsworth cyber attack. The FWO is working with the law firm to understand what information may have been disclosed and reiterated that none of its own systems were compromised in the incident.
See also:
- Queensland breached in HWLE attack (CyberSecurity Connect - 17 July 2023)
- Victorian government data dumped on dark web after HWL Ebsworth hack (Lawyerly - 14 July)
- Leaked HWL Ebsworth data includes 'sensitive' info, says cybersecurity czar (Lawyerly - 6 July)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.