Mitigating the risks of exposure to cyberattacks

16 March 2023 Consultancy.com.au

In the run-up to next week’s Australian Cyber Conference, Hicksons partner Persia Navidi – who will be presenting at the three-day event in Canberra – outlines why cyber security and privacy should by now be top of mind for executives and the current state of play.

In years to come, many Australian business leaders are likely to remember 2022 in the words of Minister for Home Affairs Clare O’Neil—a ‘national wake-up call’ on the dangers posed by cyber-attacks.

A number of significant breaches impacting millions of Australians, including those suffered by Optus and Medibank, shone an uncomfortably bright spotlight on the myriad of risks faced by those leading companies – particularly company directors.

Persia Navidi, Partner, Hicksons

Looking to the future, the Department of Home Affairs’ 2023-2030 Australian Cyber Security Strategy Discussion Paper posed the question: should the obligations of company directors specifically address cyber security risks and consequences?

While consensus on the answer to that question may remain to be seen, one thing is clear: in the coming years, company directors will need to be able to navigate cyber risk in this turbulent climate, respond to near inevitable cyber-breaches, and comply with more rigorous cyber regulation – such as the recently proposed legislative reforms to the Privacy Act 1988 (Privacy Act), which will impact businesses and their boards.

The risks

Let’s take a look at the current state of play when it comes to cyber risk in Australia. Cyber breaches, once rare ‘black swan’ events, have become a painful but frequent part of modern life – almost every day, another data breach or cyber incident appears in the news.

Unless you’ve been living under a rock, you’re most likely aware of the stratospheric increase in cyber risk faced every day by Australian businesses, and the consequential threats of financial loss, business interruption, and reputational damage.

In Medibank’s case, $1.7 billion in shares were wiped off the market following the leak of its customers’ data. According to the Australian Cyber Security Centre, cybercrime was reported every 7 minutes in Australia in the 2021/2022 financial year.

Mitigating the risks

So, how can company directors and executives effectively manage and mitigate a risk such as cyber security that frequently mutates and evolves?

The first step for all business leaders – whether at board or executive level – is to resist the temptation to hold an ‘it won’t happen to us’ mentality. Cyber-attacks can impact any company, even those with stringent cyber security measures in place, so being prepared is paramount – and being caught out unprepared is unlikely to be forgiven (or forgotten) if a cyber-attack lands on your doorstep.

Directors and executives must stay across the relevant legislative changes, as well as likely changes on the horizon. Amendments to legislation late in 2022 led to increased penalties for data breaches and mandatory reporting of cyber breaches for critical infrastructure and NSW public sector agencies.

The federal government is currently seeking feedback for its response to the Privacy Act Review Report released by the Attorney-General in February 2023, which includes 116 proposals for reform that, if adopted, would catalyse significant change in how companies protect data and privacy in the digital age, see the potential removal of the small business (and other) exemptions that currently exist under the Privacy Act, and increase the rights of the individual in protecting their data.

Executives and directors must prepare and practise the company’s incident response management plan for cyber-attacks. The manner in which an organisation immediately responds to a cyber incident is crucial, and companies must be ready to act swiftly to contain the impact, minimise business interruption and comply with their legal obligations.

The time taken to identify and respond to a breach remains significant – IBM’s 2022 Cost of a Data Breach report found an average time to identify and contain a breach of 277 days.

Another pivotal part of an organisation’s risk management framework is insurance. Has the organisation arranged appropriate insurance coverage that would respond to the costs associated with a cyber-attack? Would incident response and business interruption costs be covered? What about board directors – would they be covered under their directors and officers insurance policy for claims arising from cyber incidents?

Insurance is an important part of any company’s risk transfer and is a factor in overall cyber risk management and therefore requires close consideration. Reviewing and considering the specific wording of the insurance policies held by an organisation is critical to ensuring appropriate management of cyber risk.

Directors and executives must understand that cyber risk is a core business risk – a real, constantly evolving, threat. Long gone are the days when it sat isolated (and often neglected) within the IT pillar of the business; in a time of growing cybercrime and widespread geopolitical insecurity, cyber risk management must be a key agenda item, frequently revisited to ensure constantly advancing benchmarks of cyber security are being met.


Finally, it is generally accepted that cyber security risk cannot be reduced to zero, but reasonable steps can be taken to greatly minimise the risk. There is also a need for greater collaboration between business leaders and government, as well as the wider community, to advocate for and to protect organisations and Australians from cybercrime.

While increased penalties can act as deterrents that push organisations to be on the front foot, the onus cannot solely be put on organisations when breaches occur, as they too are the victims of the breach.

The case for acting now

Building strong cyber resilience requires leadership, adequate resources, time and commitment, but it will likely be a determining factor in the overall success of many businesses in the years to come. If in doubt, ask yourself: what is our data and reputation worth to the business? Then, allowing only a brief pause for your head to reel, act accordingly.