While some have argued that there is need for legislated minimum cybersecurity standards to bring greater certainty to this evolving risk, we believe that endeavour would be diversionary. It would provide directors with a false sense of comfort and an opportunity to treat cybersecurity as another ‘tick the box’ exercise, without properly considering and managing the unique risks specific to their own operations.
Setting the scene
What do we talk about when we don’t talk about the pandemic? It is the other globally systemic risk lurking in plain sight, equally capable of inflicting mass disruption and harm on a macro and micro scale.
The risk is of course a large-scale cybersecurity breach – a ransomware attack that holds entities, whether individual businesses or government agencies, hostage by compromising IT systems and accessing, using and passing on sensitive business and government information as well as customer, employee and general public data.
How has the risk evolved?
The risk of attacks from cyber criminals was already intensifying pre-pandemic, with enhanced sophistication in the nature, scale, organisation and technological means of criminal networks and – more fundamentally – a chronic weakness in governance and risk frameworks that made many entities sitting ducks.
Many boards and key management personnel in public and private sectors have underestimated the scope of the threat posed by cybersecurity breaches, and have quite possibly failed to invest in the infrastructure and expertise required to mitigate the threat head-on.
With so many now working outside their usual offices – and in most cases, from home where their circumstances allow – cyber criminals have far greater access to a vast network of insufficiently protected information and data. So many of the companies encouraging their employees to work from home lack the basic security systems and trusted, tested software – not to mention the expert support teams – needed to protect their intellectual property, trade secrets, customer lists and other private data collected and stored in the course of their business.
Further, we are now experiencing the most significant transition to online shopping and service delivery in history, and the payment platforms used to facilitate transactions have provided more fertile ground for criminal networks to exploit unsuspecting businesses and consumers.
What is the impact of a cybersecurity breach?
In the last month alone, a phishing scam led to 47 staff accounts at Service NSW being compromised, with the extent of the personal information of members of the public accessed still under investigation. There have also been successful ransomware attacks against brand name corporates of the type otherwise expected to have best-in-class armoury to protect their data from such attacks.
And these attacks are just the tip of the iceberg. What about those that have not been reported, or, worse, those that companies and public agencies have not even detected?
The consequences of this gaping risk management hole are severe. On a macro level, cyber attacks could potentially disable our hospitals and electricity grids. They could also permit access to state secrets that would compromise national security and foreign relations. On a micro level, cyber attacks could enable the misuse of our personal health and financial records, as well as information about more routine ‘life’ matters in relation to which we have a reasonable expectation of privacy.
A clearly foreseeable risk – liability implications for entities and individuals
The recent attacks, heavily profiled in media reports, should themselves provide public and private entities with an incentive to strengthen their internal cybersecurity systems and expertise. Recently, the Australian Cyber Security Centre warned of the enhanced risk of cyber attacks in the ‘new normal’ of working from home, where the usual office-based cyber and physical security barriers are necessarily ineffective.
This is not something boards can keep putting off. It is not a case of out of sight, out of mind. As a plainly foreseeable risk, a cybersecurity breach that can be linked to inadequate internal security systems would expose officers of private entities to potential liability for breaching their statutory and general law duties to act with care, skill and diligence and in the best interests of the company.
Liability may also follow both for public and private entities and individual officers and employees under uniform privacy legislation and other regulatory sources that require entities to have in place sufficient controls to prevent their data being compromised.
Apart from enforcement action by regulators, there is also a significant class action risk, with data and privacy breaches expected to be one of the major growth areas in class actions in the next 12 to 24 months. Already, we saw the first data breach class action filed in Australia settle in the Supreme Court of NSW last December (relating to the misuse of the personal information of a number of Ambulance NSW employees). And in April this year, a representative complaint was filed with the Office of the Australian Information Commissioner in relation to Optus’s allegedly mistaken release of the names, addresses and telephone numbers of over 50,000 customers to the operator of the White Pages.
The time is now – specific response measures
Now is the time for entities to invest in enhanced security platforms – incorporating features such as data encryption, comprehensive firewalls, unique pass phrases and multi-factor authentication. The Australian Cyber Security Centre has also pointed to the importance of establishing secondary and tertiary control rooms and, where remote work is required, a ‘two jump’ process (using unique passcodes and tokens) for accessing internal systems.
Boards must also develop business continuity and crisis management programs so an entity can rapidly respond to and manage any breach that does occur.
And, while boards are not expected to be, or become, technology experts, they are expected to hire those experts – IT security advisers and managed service providers that can design, embed and monitor comprehensive security systems and ensure the effectiveness of those systems with regular and systematic audits and incident response mechanisms. These experts can also help to build new, innovative software over time – fighting fire with fire, as cyber criminals also work around the clock on their own technology to devise novel ways of infiltrating networks through new ransomware attacks.
The nature, scale and impact of a cybersecurity breach in the current environment are clear, and the expertise exists to confront and repel that risk. It is now up to boards and senior managers to use that expertise and invest in the security systems and internal governance and risk frameworks needed to protect their companies – and themselves – from becoming the next headline in a growing collection of trophies for cyber criminals.