Regulators now expect companies to have a vigorous and effective response plan to cyber attacks, fully understood and readily executable at the board level.
Regulators have made it patently clear in the past few months that firms lacking an adequate 'board level' response plan to external cyber intrusions are not taking their risk management or governance duties seriously.
Both APRA and ASIC have recently issued guidelines to improve corporate resilience to cyber attacks as incidents continue to rise. Australia now ranks 11th in the world and third in the region for ransomware attacks. These have increased by at least 50% in the past year.
As a recent example, the Petya ransomware kept individual computers locked up until users paid $US300 in bitcoin for the release of files. Not all the incidents of data hijacking were reported.
Marsh and McLennan's Global Risks Report for 2018 cites thriving "dark net" markets, which sell malware goods and services, as one part of the threat, but it also points to growing vulnerabilities, especially the ever-multiplying entry points for malfeasance.
Vulnerable cloud services are proliferating while the number of internet-enabled devices, now at 8.4 billion across the globe, will hit 20.4 billion by 2020.
The message from regulators is that companies must now escalate the threat. It is no longer just an agenda item but must form part of the firm's overall and ongoing operational risk management.
ASIC's report from November last year, Cyber resilience of firms in Australia's financial markets, looked at a cross-section of Australian financial firms and found that while many larger firms tended to have some form of cyber attack response plan, many SMEs either had no policy or, if they did, it was barely recognised at board level.
SMEs account for 57% of Australia's GDP and employ 7 million people, yet the ability of many to respond to even small-scale email attacks or viruses was often ad hoc and guidelines (if they existed) were neither followed consistently nor updated.
Only a minority of (mostly larger) firms had achieved the optimum level of cyber awareness - what ASIC calls "adaptive policies" which were evolving in response to ongoing threats and adapting speedily.
ASIC has published what it considers good practice in cyber resilience. It's wide-ranging but includes:
- Periodic reviews: boards need to know their strategy, and review it. Measures to check would include time to detection, speed of responding to an attack and overall comprehension of the recovery plan.
- Ongoing management: resilience not only has to be planned but implemented, and it needs to be viewed by the board as critical. This involves anticipating scenarios and building protection against them.
- Outside risk: many organisations need assessment methods and tools to ensure that third party suppliers and partners are regularly assessed and comply with the company's own security standards.
- Responsive governance: governance on the issues has to be fluid. The policies and procedures of now may not be valid 12 months down the line, and adjustments may also need to be made after events and incidents.
The cost of non-compliance
Questions of cyber security often come down to the costs of new software and increased manpower needed to monitor external risks. But it's worth recognising the greater cost of vulnerability. Attacks not only lead to possible loss of client databases and customer information, but to serious business interruptions.
There is a flow-on effect of all this – an attack may affect suppliers, customers, supply chains and partners. Compromised data may lead to legal problems and possible damages claims. A company suffering an event may have insurance denied if its ability to deflect an attack is considered weak or its response ineffectual.
In the worst case 'catastrophic' scenarios a liquidator may point the finger at a firm's inability to deal with the attack, and assess asset recovery accordingly. Directors may also be held responsible for systemic flaws.
While the regulators are now offering good practice guidance, this will soon progress towards monitoring and measuring companies' ability to withstand attacks. They will be talking to firms and inspecting firms that appear to be challenged.
A new mindset
Investment in cyber insurance is one area that may help contain the problem. Some of the policies offer not just financial compensation, but access to specialist services such as post-incident forensics. However, a formulaic upgrading of systems and insurance cover are no substitute for a progressive policy of ongoing management and constant assessment of potential vulnerabilities.
Regulators want to see intelligent plans to deal with the threat – that companies view cyber risk containment as a main component of a company's enterprise risk management framework.
On February 23, new data breach notification laws come into effect which require any organisation which holds client information to notify the Office of the Australian Information Commissioner if an "eligible data breach" has occurred. If the information cannot be retrieved by normal means, it must be reported.
Companies doing business in Europe may soon fall under the scope of the European Union's General Data Protection Regulation, which comes into effect from 25 May 2018. Any firm which supplies goods or services to, or which monitors individuals in the EU could fall under its aegis. Those which handle personal data in connection with the activities of an EU establishment may also be affected.
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.