With the rapid advancement of technology, cyber attacks are becoming more prevalent and increasingly sophisticated. Formerly confined to the plotlines of Hollywood films, cyber attacks are now regularly carried out on businesses, governments, and individuals around the world with the purpose of disrupting critical infrastructure and exploiting vulnerabilities for financial gain.
On average, a cybercrime is reported to the Australian Signals Directorate once every six minutes,1 and the Australian Government expects the rate of such attacks to increase. The development of AI and other technological tools has coincided with an industrialisation of cybercrime,2 creating the perfect conditions for the proliferation of these online attacks.
Recent high-profile cyber attacks have targeted companies operating across a broad spectrum of industries including telecommunications, health insurance and legal services.3 Not even the government is immune,4 and the cost of cybercrime on Australian businesses is growing every year.5
Snapshot from the Australian Signals Directorate Cyber Threat Report6

Measure | Finding |
---|---|
Average cost of cybercrime per report | Up 14% |
Cybercrime reports | Nearly 94,000 cybercrime reports, up 23%; on average a report every six minutes. |
Calls to the Australian Cyber Security Hotline | Over 33,000 calls answered, up 32%; on average 90 calls per day. |
Top three cybercrime types for business | |
It is clear from the ubiquity of these cyber attacks that this threat cannot be ignored, and governments around the world are adopting increasingly stringent regulations for the management of cyber security risks.7
In 2023, the Australian Government released its Cyber Security Strategy 2023-2030 (Strategy)8 which highlighted the importance of safeguarding online platforms and services in Australia’s digital economy. According to the Strategy, cybercrime is one of the most significant threats impacting modern Australians and represents an attack on our national sovereignty. Reducing cybercrime is a top priority for the Government and will be critical for Australia’s productivity and future prosperity.
While Australia possesses robust intelligence and defence cyber capabilities to safeguard the nation from global threats, the security of the economy cannot be maintained unless private entities are also adequately equipped to manage a cyber crisis. The Australian Government considers that cyber risks could be “mitigated by better corporate governance from the board down.”
This sentiment was echoed by ASIC Chair Joe Longo when addressing the Australian Financial Review Cyber Summit on the topic of cyber preparedness in September 2023. As discussed by HopgoodGanim’s Luke Dawson and Briar Francis in a recent article on this topic, boards must plan for the vulnerabilities inherent in their entity’s existing systems and avoid over-reliance on third-party providers.
However, there are concerns that companies are not investing sufficient time and resources into establishing appropriate cyber security systems and controls.
Responsibility of the Board
Boards must now take an active approach to evaluating cyber security processes, or risk potential enforcement action by ASIC for a failure to act with reasonable care and diligence.9 The success of a company’s response to a cyber crisis depends heavily on the board’s ability to provide proper oversight and support for decisions made by key management personnel throughout the crisis.10
Directors should be careful to give proper attention to the discharge of this duty. It is not enough to simply take steps to manage cyber security risk; rather, those steps must be appropriate to manage the cyber security risk faced by the company in the given circumstances.
In recent years, each of ASIC, the ACCC, the Reserve Bank of Australia and APRA has voiced concerns about the threats posed by weak cyber defences and the need for companies to assess and mitigate cyber security risks.
In the recent case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd,11 the Federal Court held that, despite the steps taken (albeit belatedly) by the board to manage cyber security risk, the company failed to put appropriate documentation and controls in place to manage the threats to the company’s cyber security, and that the company had therefore breached the risk management obligations of its financial services licence.
In this climate, cyber risk management and cyber security should be at the top of the agenda for boards across the country.
What is ‘appropriate’ risk management will vary across companies. HopgoodGanim Lawyers can assist in conducting a review of your company’s operations and existing processes to determine whether they are fit for purpose having regard to your specific risk profile. These types of ‘Cyber Health Checks’ are critical to ensuring the board discharges its duty to shareholders and should be conducted on an ongoing basis.
How to manage a Cyber Crisis
To assist boards and directors in navigating these responsibilities, the Australian Institute of Company Directors (AICD) has recently released detailed guidance on how to effectively respond to, and recover from, a cyber security incident (Cyber Crisis Guidance).12
The Cyber Crisis Guidance, which was developed in collaboration with the Cyber Security Cooperative Research Centre, builds on the framework set out in the 2022 Cyber Security Governance Principles13 and focuses on four key areas: Readiness, Response, Recovery and Remediation.
Phase | What is required | Next steps for Boards |
---|---|---|
Readiness | A comprehensive cyber incident response plan, which sets out clearly defined roles and responsibilities, should be implemented and regularly tested and updated, together with a strategy for stakeholder communications. | As a first step, boards should consider engaging specialist advisors with expertise in this area (including legal counsel and technical and incident response advisors) to assist in reviewing the company’s cyber event preparedness and response processes to determine whether any critical gaps exist. HopgoodGanim Lawyers are experienced in conducting these types of ‘Cyber Health Checks’, which can be used to create an action plan for uplifting the company’s cyber preparedness and capacity to respond to a cyber incident. |
Response | The board should provide “agile and timely” support and oversight of management decision-making and, if appropriate, establish a Cyber Incident Sub-Committee to provide governance during this phase of a crisis. Expert external advice and appropriate communications with key stakeholders are critical, including liaising with the relevant regulators. | This phase of a cyber crisis will invariably be a high-stress situation for the board and members of your Incident Response (IR) team, who will be expected to make significant decisions within tight timeframes and often on limited information. Having a cyber incident response plan, a clear allocation of crisis roles and proper training is critical to ensuring that you are properly prepared for a cyber crisis. We can assist board members and IR teams to prepare tailored incident response plans for your high-risk incident types, assess and meet legislative and contractual action and reporting requirements, prepare crisis communications strategies, and undertake rigorous incident response training and testing that simulates crisis conditions. |
Recovery | After a cyber incident is contained, the board should oversee steps to secure systems and data, oversee a comprehensive post-incident review (drawing on external advice where appropriate) and take steps to support employees affected by the cyber crisis. | We can assist you to: |
Remediation | The board should ensure that remediation plans are developed, well resourced and swiftly implemented, and that the company continues to provide effective communication and support for affected parties (both internal and external) in both the short and long term. The board should also oversee remediation, compensation and complaints-handling processes. | We can: |
Like the old military adage, the Cyber Crisis Guidance advocates proper planning, preparation and testing to ensure the board, its senior leaders and incident responders understand their respective roles and perform well together under the pressure of a cyber event.
Next steps for boards and senior leaders
Cybercrime is not going away. A failure to take proper care in monitoring and responding to cyber risks can have serious implications for directors, particularly where sensitive data is stolen or where an entity suffers significant financial loss.
Boards must brace themselves for this brave new world, or risk falling victim to these attacks and suffering the consequences.
Links to the AICD’s Cyber Crisis Guidance full document, as well as a snapshot, can be found here.
For more information and to ensure your company is protected, reach out to HopgoodGanim’s corporate governance and cyber security experts.
1 Australian Government, Australian Signals Directorate, ‘ASD Cyber Threat Report 2022-2023’, 14 November 2023, 2-5.
2 For a discussion of the current cyber extortion business model, see James McIntosh, ‘The Case for a Prohibition on the Making of Cyber Ransom Payments’ (2024) 40 C&SLJ 158.
3 The breaches of Optus, Medibank and HWL Ebsworth in 2022 and 2023 (respectively) were well documented.
4 ASD Cyber Threat Report 2022-2023 (n 1), 8.
5 Ibid, 2.
6 Ibid, 2-5.
7 Such as the General Data Protection Regulation in the European Union or the California Consumer Privacy Act in the United States.
8 Australian Government, Australian Cyber Security Strategy, 2023-2030.
9 See, for example, ASIC Report 429: Cyber resilience: Health check at pages 43 and 49.
10 Australian Institute of Company Directors, Governing Through a Cyber Crisis: Cyber Incident Response and Recovery for Australian Directors, 28 February 2024, pages 14 to 15.
11 Australian Securities and Investments Commission v RI Advice Group Pty Ltd (2022) 1608 ACSR 204; [2022] FCA 496.
12 Governing Through a Cyber Crisis (n 10).
13 Australian Institute of Company Directors, Cyber Security Governance Principles, 21 October 2022.