Cybersecurity and cyber-resilience risk management and governance are both complicated and technically challenging. The recent judgment of the Federal Court of Australia in ASIC v RI Advice reignited the debate in Australia about cybersecurity and cyber-resilience governance and risk management. Reinforcing this, in an article published on 15 July 2022, ASIC Commissioner Danielle Press wrote:
‘ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations.’
Directors faced with determining their duties and obligations (in particular under s180 of the Corporations Legislation) in this area are often left to wonder what more they should do to ensure that their organisations are adequately managing these risks. A Court will consider what a reasonable director would do in the circumstances, having regard to the nature and size of the company.
We have posed four questions that we believe a reasonable director could ask about often overlooked aspects of cyber-risk and incident management. The answers to those questions will indicate the maturity of the organisation’s cybersecurity risk management outside of the usual audit and information reporting, which can often overwhelm or obscure the reality of the organisation’s preparedness to protect against, and respond to, a cyber-incident.
In particular, the questions we have posed highlight areas of preparation that, if missing, may indicate that cyber-incident management is perceived as a purely operational and technical response, rather than an organisational risk and governance issue. A cyber-incident should be viewed as involving parallel investigation, remediation and liability assessments, with the potential to identify governance and risk management failures.
Question 1: Do we have an Incident Response Plan?
This may appear to be an obvious question, and the answer may be “yes”. If so, ask to be provided with a copy and move on to Question 2. However, the answer may surprisingly be “no” or, when reviewed, the plan may detail technical response processes while containing little information regarding the broader organisational response processes – executive and board escalation, regulator notification, public relations and internal communications, and importantly for these purposes, the undertaking of parallel investigations and evidence preservation. The remaining questions delve deeper into some aspects of this broader organisational response, but it is important to ensure that the broad framework is in place first.
Question 2: Do we have an Incident Communications Protocol?
An Incident Communications Protocol (ICP) is more than an emergency text alert to affected employees. An ICP should prepare the organisation to communicate appropriately when its core systems are compromised, whether by using alternative communication channels (for example, when email systems have themselves been compromised) or by engaging vendors that host secure platforms.
An ICP should also provide guidance so that technical and incident response teams are trained to communicate appropriate content during the incident and afterwards, ensuring that opinion, fact and action are appropriately recorded and distinguished. Without an ICP, organisations are often left trying to text or call each other without clear organisation, and the contents of those texts and emails subsequently create issues in downstream regulatory investigation or litigation.
Question 3: Do we have an Incident Privilege Protocol?
The use and application of legal professional privilege (LPP) is a critical issue that arises in every formal investigation into a cybersecurity incident. Confidential communications between a solicitor and a client for the dominant purpose of giving legal advice will be privileged. It is important to ensure that confidentiality is maintained and that the dominant or prevailing purpose is obtaining or giving advice. Ensuring your organisation has an established Incident Privilege Protocol (IPP) in place is an indicator that your organisation has considered the risk of downstream regulatory investigation and litigation, and has a mature understanding of the risk context. An IPP should include pre-defined roles and responsibilities of the organisation’s personnel, provide rules relating to the nature and content of documents and reports, and when the organisation should engage pre-identified service providers, including external legal advisers. Without an IPP, organisations face the risk of reports and documents that would otherwise have been privileged being discovered in subsequent regulatory investigation or litigation.
Question 4: Do we have a Ransomware Payment Policy?
Payment of ransom demands is by no means a straightforward decision. Aside from ethical considerations, organisations need to assess the legal and regulatory frameworks that they are subject to when doing so. Issues such as proceeds of crime, AML/CTF, and sanctions, as well as regulatory reporting requirements (should the ransomware reporting requirements be introduced into law in Australia), balanced against reputational risks, operational harm and potential risk to stakeholder safety, raise complex considerations.
A Ransomware Payment Policy formalises in advance these complex considerations and relieves the board and executive management of having to do so under the extreme pressures of a cyber-incident.
Conclusion
While failure to prepare in these areas may not affect the ability of the organisation to technically respond to the incident, the downstream litigation and regulatory engagement impacts can be significant. These are not silver bullet solutions, but the answers to these questions may be the proverbial canary in the coal mine that should cause directors to dig deeper into the organisation’s preparedness and cybersecurity risk management.