In its July 2020 Digital Trust Report, AustCyber estimated that a four week disruption to digital infrastructure caused by a major cyber attack would cost the Australian economy $30 billion (1.5% of GDP) and 163,000 lost jobs. This is a startling figure—an economic cost on the scale we have seen due to pandemic-related shutdowns over the last few months. It shows that cybersecurity is not an ‘add on’ or afterthought. Rather, it is a direct enabler of the digital economy that contributed $105 billion (5.5% of GDP) to the overall Australian economy in 2019-2020 alone. In the critical economic recovery period ahead, a strong and resilient cybersecurity framework is essential as a first line defence system for every business and the broader community and economy.
The scale and sophistication of cyber threats continues to expand, and highly organised criminal networks have taken advantage of the disruption caused by the pandemic to exploit weaknesses in the information technology and security systems and internal risk controls used by organisations in both the public and private sectors. With many employees continuing to work from home where possible across multiple industries and businesses forced to pivot towards the online provision of goods and services, the opportunity for ransomware attacks has never been so great.
Policy and Regulatory Developments
Following the widespread major state-sponsored cyber attack that targeted Australian governments, businesses, operators of critical infrastructure and essential service providers in June, the Australian Prime Minister announced a new Cyber Enhanced Situational Awareness and Response (CESAR) Package on 30 June.
The CESAR Package allocates $1.35 billion in new funding to support enhanced cyber detection and disruption efforts between the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) as well as the development of new cybersecurity technology and 500 new jobs for cyber experts.
There is also a $62 million fund to support ‘national situational awareness’, intended to educate the Australian public and businesses about cyber threats and how to mitigate them.
On 6 August, the Prime Minister released Australia’s new 2020 Cyber Security Strategy. The Government will play the leading role in deterring and responding to sophisticated state-sponsored cyber attacks, while ensuring a baseline level of cyber resilience across the Australian economy, for example by enhancing the powers of the ASD to detect and disrupt malicious attacks and organised criminal activity and by developing ‘toolkits’ and cybersecurity training that SMEs can use to raise cybersecurity awareness.
However, the Government can only do so much. The Cyber Security Strategy is clear that businesses must ‘take responsibility for enhancing their own cybersecurity, just as they are responsible for the safety and quality of their products’. To that end, the Government intends to work closely with industry to develop new legislation and regulations setting out minimum standards and expectations for the security systems and expertise that every Australian business will be required to invest in.
It is anticipated that some of the current voluntary guidelines issued by the ACSC—including recommendations for businesses to adopt data encryption, comprehensive firewalls, unique pass phrases, multi-factor authentication and secondary and tertiary control rooms—will be enhanced and made to apply on a mandatory basis. Further, it is possible that a standalone cybersecurity Act may be introduced.
Having in place minimum standards under consolidated cybersecurity legislation, with enforcement implications if an entity falls short of those standards and with enforcement responsibility given to a dedicated cyber regulator, is an approach that has been adopted with great success by the United States Department of Home Security following the passage of the Cybersecurity and Infrastructure Security Agency Act of 2018. This has led to regulatory consistency and certainty and a stronger ‘cyber culture’ in the United States on a macro and micro level as businesses have been made more secure, resilient and effective.
Directors in all industries and sectors need to be alert to the enhanced cyber threats that extend right across their supply chains and impact on all aspects of their operations in an increasingly digitised business world. As the legislative and regulatory framework contemplated by the Cyber Security Strategy takes shape in coming months, directors will have the policy certainty they need and specific standards to benchmark their business’s cyber capability and performance against.
Directors must ensure that their businesses innovate to keep pace with the technology and resources that criminal networks are themselves putting into novel cyber attacks. Of course, a critical aspect of that is investment in appropriate technology expertise and new software, encryption and other digital solutions. But just as importantly, on a governance level, directors need to have cyber security as a standing item for proactive consideration at all board meetings, and they should request specific periodic briefings concentrating on key industry cybersecurity trends, modelling on how a cyber attack would impact the business, and the existing cyber capability of the business.
Cybersecurity should also be included as a distinct topic for risk committee investigation and reporting, and directors should ensure that a standalone cyber resilience framework and supporting cyber security program is developed. Those corporate governance tools should include regular risk assessments, monitoring and auditing for compliance and reporting purposes, as well as diligent cybersecurity training for staff, risk escalation processes and crisis management plans. There should be a forward-thinking focus on prevention, not just risk detection and mitigation.
If directors fail to take these measures, they will risk substantial breaches of criminal, privacy and industry regulations (set to be consolidated as part of the Cyber Security Strategy), as well as their core duties to act with care, skill and diligence and in the best interests of the company. Indeed, the failure to protect a company against cyber threats, exposing it to regulatory breaches and class actions from customers, employees and others whose data is improperly accessed in a cyber attack, is itself sufficient to substantiate a breach of those duties. This is an argument now being actively pursued by the Australian Securities and Investments Commission in a new Federal Court proceeding commenced against RI Advice Group on 21 August 2020.
Scott Atkins is Partner, Deputy Chair and Head of Risk Advisory, Norton Rose Fulbright.
Dr Kai Luck is Executive Counsel and Director of Strategic Insights, Norton Rose Fulbright.