It’s hard to believe that there have only been 36 cyber security attacks reported against ASX-listed companies in the last decade, although it’s suspected that many breaches go unreported.
But what’s harder to believe is that of these 36 reported, only 11 properly reported the breach to the regulators before the media reported it. For the other 25, their share market investors heard of the breach over their morning coffee and not directly from the company in which they had invested. These 25 companies were likely in breach, and not just a cyber breach.
Research by Professor Alex Frino has shown that, in the wake of a successful cyber attack, a company’s market value drops by 5 per cent — working out to be an average loss of half a billion dollars. This would appear to be a material, and therefore disclosable, event to the market.
In the past, failure to report a cyber breach prior to telling the media might have been treated as more of an “oops” moment and a slap on the wrist from the regulators, but not anymore.
On Friday, 17 February, the Federal Court handed down its largest ever penalty for breaching continuous disclosure rules … fines of over $15 million for the company, and fines of up to $2 million and up to 15-year bans on managing companies for former directors of GetSwift. The recommended fines from the Australian Securities and Investments Commission (ASIC) were doubled by the Federal Court — signalling the seriousness of the repeated failures to disclose. While the GetSwift case involved 22 failures to disclose, ASIC has made it clear that, with the increasing frequency and severity of cyber attacks, cyber will be an increasing area of focus. Nor is disclosure their only point of focus, in the wake of ASIC v RI Advice Group Pty Ltd FCA 496.
It’s easy to understand that, in the chaotic hours following the discovery of a cyber security attack on your business, the minutiae of who needs to be told, and when, might escape the attention of the in-house legal team, executive, board, and comms team.
But, like preparations for a fire or other possible disaster, coming out of a cyber attack while minimising damage is not a matter of luck. It’s a matter of planning, preparation, and practice. What’s more, in the case of a cyber attack, it isn’t a possibility — it’s a guarantee that it will happen to you.
When. Not if.
So what should directors and executives be doing in response? These are just a few of the key questions you should be asking yourselves and your business teams:
Do you have an incident response plan?
If your answer to that question isn’t a confident “Yes and I’ve reviewed it, understand it, and we’ve practised it”, then the answer should be “No”.
Each of the 25 companies that were likely in breach could have avoided this with a good incident response plan that put the business’s legal team first on the list of people to call.
A good incident response plan isn’t a technical document, written and held by the IT and security teams. It should also be an executive-level, risk management control that outlines the roles and responsibilities of all the key players — which must include legal, the board, and the C-suite.
A good incident response plan must have legal at the top of the phone tree when a cyber breach is discovered. Legal must be involved with the investigation, commission of any reports, and be at the table when the board or executive is making decisions. Legal will be responsible for helping to protect legal privilege, ensuring regulatory reporting obligations are met, the legal “recovery” and potentially defending future claims. This job will become impossible if legal is excluded from (or only partially consulted on) the response. If you think you will need expert legal and technical help (and unless your in-house legal are cyber security experts, you will), then get it on retainer before you need it.
Do you know what data your business collects, holds — and where it’s kept (e.g. which system)?
When the chief information security officer (CISO) says, “we’ve been hacked”, the responsible executives need to understand what that means in terms of regulatory reporting. This will depend on what data your business holds, which systems it’s in, and how they have been compromised (e.g. the type of attack — encrypted systems or stolen data).
With only 30 days under the Privacy Act to assess and notify whether a breach is likely to cause serious harm, you won’t have time to run a data discovery and classification exercise as well. You should already know what type of data is held where, and, as a legal and risk management responsibility, you should ask how it’s secured.
How secure is your supply chain?
Do you know how secure your suppliers are? Sure, they are required to meet certain security standards — but has anyone ever checked if they actually meet them? What will you do if they don’t? Can you take any action under their contracts?
In ASIC v RI Advice, Her Honour Justice Helen Rofe stated: “It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”
In the past, “adequate” and “acceptable levels” were a much lower threshold in the eyes of the regulators and courts. Today, in the wake of Optus and Medibank and the new regulatory changes, what will be considered an “acceptable level”, especially for regulated companies, is much, much higher.
Boards and executives should be getting support in the preparation for the inevitable cyber attack, and that support doesn’t just involve the chief information officer and the CISO. In-house legal teams must also get specialist advice if they don’t have cyber skills themselves, supporting the executive with incident response planning, reviewing supply chain terms, customer terms, policies etc., getting their team trained up, and making sure they and their business are prepared for what is to come.