The Australian Cyber Security Centre’s (ACSC) most recent annual Cyber Threat Report notes the ongoing and increasing tangible impact that cyber-crime and the associated threat actors are having on Australian businesses, including:
$98 million in losses from Business Email Compromise (BEC); and
An increase in the average cost per cybercrime of over $39,000 for small businesses, $88,000 for medium-sized businesses and over $62,000 for large businesses.
Further, towards the end of 2022, it was recorded that Australia had experienced the highest rate of data breaches in the world, with a surge of 1150% from 107,659 in October to 1,776,065 in November (according to the publication Surfshark). It is concerning, but not surprising, that Australia is so highly targeted, with the exposure of Australian businesses perhaps best summarised in Cisco’s 2022 Securing Australia’s Critical Infrastructure Report.
“Australia is the most attacked country in the world per capita from a cyber security perspective.”
Australian organisations should be concerned.
Although boards and executives now appreciate cyber and technology risks as a top risk following high-profile cyber events, history tells us boardroom agendas and conversations can quickly move away from cyber and onto new distractions and risk challenges – all without meaningful action.
In a US publication by global law firm White & Case, directors and senior executives are rightfully warned that regulators and prosecutors are becoming more determined to take personal action against them for cyber security events. Those with ultimate responsibility for an organisation need to be accountable for inadequate prevention or management of such events and risks.
With global cyber stories such as the WannaCry global ransomware attack in May 2017, and more recently the 2021 SolarWinds and Microsoft Exchange vulnerabilities, failing to drive systemic change in boardrooms across Australia, will the Optus and Medibank events in 2022 finally be the catalyst?
Firstly, how do we go from so much noise on cyber-attacks to near radio silence? Perhaps business leaders seemingly fail to act because of how swiftly risk perceptions and priorities shift.
For example, when Lockton asked CFOs their top risks of concern in Q1 2022, the rankings of each risk (including cyber-risk) shifted dramatically when asked again in Q3. Cyber-risk was not a top concern in Q1 but sky-rocketed up the ladder in Q3.
Perceptions of risk constantly shift, whether because executives and boards have a false sense of confidence in the management of certain risks, or because they have been led to believe experts in their organisation have it under control.
So, will the cyber-events in 2022 be a big enough wake-up call for boards and executives to inspire meaningful change, or will boardrooms move on?
Recap of some of the major Australian cyber events of 2022
One of Australia’s largest telecoms experienced an enormous data breach with up to 10 million of their users’ personal details stolen. The hacker threatened to release 10,000 records every day unless they were paid $1 million AUD in cryptocurrency.
Only a month later, one of Australia’s large health insurers also came under fire from a huge cyber-attack with personal data – including private health records leaked to the dark web – this was in retaliation to the company refusing to pay the ransom of $15 million AUD.
Additionally, one of the world’s largest password managers experienced a serious network breach, along with one of Australia’s biggest retail groups, with 2.2 million of their customers’ data stolen. A social networking platform was targeted, and 5 million of their users’ records were dumped on a hacking forum; and a large global app-based car ride company was attacked by known hacker ‘Teapot’, who breached financial documents, internal messages, and other sensitive data before posting images of their successes on Telegram.
The above notes just a few, with many more events occurring unknown to the general public. However, it highlights the indiscriminate nature of cyber and technology risks, with no industry, sector or size of organisation immune from targeted or untargeted cyber risks.
The stakes for boards and executives are now much higher
Businesses have much to learn from history and the incidents of 2022, but in 2023 the stakes are arguably even higher. Boardrooms should be concerned. Directors, officers, and C-suite executives can already be held personally liable for the consequences of a cyber event that significantly impacts an organisation. However, new regulatory changes have further increased the potentially significant personal liability exposure and financial implications.
In an article by the Australian Financial Review, the Australian Securities and Investments Commission Chairman, Joe Longo said, “cyber should always have been a top risk facing corporate Australia, it’s just that recent events have reminded people why it should be considered a top risk.”
He also went on to say, “for all boards, I think cyber resilience has got to be the number one risk facing everyone, and if things go wrong, ASIC will be looking for whether they took reasonable steps and made reasonable investments proportionate to the risks that their business poses to defend themselves from an attack. The major priority has to be to encourage boards, and to remind them of their obligations in this area.”
As a result of the cyber-security events of 2022, it’s not surprising that legislative changes have already been rushed through. The Privacy Act has faced various reforms. Previously, the maximum penalty for serious or repeated privacy breaches was $2.2 million (and $440,000 for non-corporates). Since the amendments, however, the maximum penalty for serious or repeated privacy breaches can be the greater of:
$50 million; or
three times the value of any benefit, directly or indirectly obtained that is reasonably attributable to the privacy breach; or
30% of the entity’s adjusted turnover for the relevant period.
The case of ASIC v RI Advice Group is another pertinent reminder to boards, executives, and directors to ensure their risk management frameworks are adequately and appropriately addressing cyber-security. Whilst ASIC does not expect an organisation to have zero cyber risk, the case underlines the importance of documentation and evidence showing that cyber-security risks, and the organisation’s associated resilience, have been properly considered.
Further, any organisation that faces a significant cyber event, and subsequent regulatory action, will face additional challenges. Simply citing the increased cost of improving an organisation’s cyber security posture as a reason for not investing in this area is likely to be seen as a tenuous, and probably unsuccessful, use of the Business Judgement Rule defence in a D&O action.
Ever-pressing new challenges will reduce confidence even further
In Lockton research, CFOs shared that they didn’t feel well prepared to respond to a cyber incident, with confidence falling from 69% to 61% between Q1 and Q3. This could be reflective of the increasing cyber headlines in the second half of last year.
Boards and executive teams are feeling vulnerable, which should inspire action, but cyber-security is becoming even more difficult to get a handle on. A playbook doesn’t exist for all cyber risk scenarios, particularly for the exposures that new advanced technologies are creating. For example, although emerging technologies such as ChatGPT and Jasper are seen as revolutionary tools for streamlining business tasks, they are opening up new malware threats that can arise from employee error.
While boards and executives are in a position to drive change, human error remains one of the biggest risks. It continues to be one of the most common reasons cyber-criminals are successful. In an article by Cyber Security Hub, the World Economic Forum found that 95% of cyber security issues could be traced back to human error. Training and cyber-security awareness are still such an important factor when it comes to the resilience of an organisation’s cyber-security, and this starts at the top.
Who can individually lead change?
The role of the CFO has rapidly evolved. They are the gateway to the operations of an organisation and its board, executives and shareholders. They have knowledge of cross-functional remits, and their key responsibility is to protect and enhance the welfare of a business’s finances, but managing cyber-risk is much more than just quantifying the risk against a company’s bottom line – cyber extends to areas such as compliance, strategy and foreseeing potential exposures. That’s why boards should encourage diverse teams to come together to address these risks. It can’t be done alone.
Legal principles with respect to reasonably foreseeable risks don’t change, but what counts as a foreseeable risk can shift over time, and boards and directors need to be aware of that and adapt to those changed circumstances.
Cyber-security is a great example. While two decades ago it did not register as a concern for boards, the Optus and Medibank hacks this year elevated the issue into the boardroom.
How boards and executives can bolster organisational resilience to meet their duties
In a story by the Australian Financial Review, a professor of law at the University of Melbourne, Ian Ramsay, discusses the exposures facing directors and how imperative it is that they understand these risks and make decisions in the best interest of the company. In one example, he commented on the downfall of Star Entertainment’s directors, who failed to adhere to their obligations and due diligence in some of their decision-making on money laundering risks at the company.
Ramsay continued with cyber-security as another example, saying, “there’s going to be a huge number of issues that the board is able to delegate, but cyber-security is such a big issue now that if a board is not addressing that in a satisfactory manner, then they would have to be on notice that they may not be complying with their duties – unless they thought that management has effective cyber-security in place.”
But what actions can directors take to truly make a difference?
Seek to have organisation specific cyber and technology risks identified. This includes not only the identification and mitigation of an organisation's own cyber posture, but also those risks that third party vendors/partners bring. Whilst organisations can – and rightfully do – outsource services, the same cannot be said for liability.
Utilise, where appropriate, third parties for independent assessment and oversight of cyber security risk posture and risk management.
Proactively seek and ask for cyber security awareness, risks, investment etc. to be reported back to the board.
Proactively review and justify positions especially where cyber security/technology investment is not made.
Context should be taken from the well-known ASIC v Centro decision and its principle that directors must possess sufficient skill and understanding of the fundamentals of the business in which they are engaged, which includes the associated fundamental business risks (of which cyber and technology risk is one for all organisations). Directors should take personal responsibility for their own continuous education on this business-critical risk.
Whilst the risk of a cyber event impacting an organisation cannot be reduced to zero, here are four main areas of focus to address the risk, specific to cyber security mitigants:
1. Ensure implementation of cyber security posture minimum standards (which are now universally accepted) such as:
a. MFA (especially with respect to remote access, RDP, back-ups, and access to critical information/environments).
b. Endpoint detection and monitoring.
c. Off site, offline and segregated back-ups; and
d. Network segmentation (environment dependent).
2. Staff training, testing (e.g., phishing exercises) and how exposure with respect to those staff who fail testing is managed.
3. Implementation of recovery/incident response plans and specific scenario testing of these plans (ransomware-specific testing can be viewed favourably).
4. Engagement or utilisation of independent testing and advice.
Finally, those organisations who operate in data rich industries or environments will need to focus specifically on practices and procedures with respect to reasons for collection of data (specifically PII), use, storage, retention, deletion, and de-identification. The Australian Privacy Principles (APP) - specifically APP 11 - already put an onus on organisations to take reasonable steps to destroy PII or ensure that it is de-identified, where it is no longer needed for its intended purpose. We can expect this to be a significant area of focus from regulators moving forward.
There are still many unknowns on what the future holds for businesses when it comes to cyber-security, but the 2022 events can and should be a force for change.
Companies that can demonstrate a robust approach to cyber risk management, one that includes informing, improving and insuring the associated exposure, will not only reduce the financial and reputational risk of a potential cyber-event and reduce potential directors’ and officers’ liability, but also make their risk more attractive to cyber insurance underwriters. This is likely to positively affect renewal outcomes.
Boards and executives must now step up by asking teams the right questions and supporting clear action. Rather than crossing fingers, having clear, documented steps in place to manage the risk, and investing in impactful cyber-risk management strategies should be a key focus in 2023. Regulators, shareholders, supply chains, teams and employees are all watching.