The perfect storm for cybersecurity threats
In its July 2020 Digital Trust Report, AustCyber estimated that a four-week disruption to digital infrastructure caused by a major cyber attack would cost the Australian economy $30 billion (1.5% of GDP) and 163,000 jobs. This is a startling figure – an economic cost on the scale we have seen from pandemic-related shutdowns over the last few months. It shows that cybersecurity is not an ‘add on’ or an afterthought. Rather, it is a direct enabler of a digital economy that contributed $105 billion (5.5% of GDP) to the overall Australian economy in 2019-2020 alone. In the critical economic recovery period ahead, a strong and resilient cybersecurity framework is therefore essential as a first line of defence for every Australian business and for the broader community and economy.
The scale and sophistication of cyber threats continue to grow, and highly organised criminal networks have taken advantage of the disruption caused by the pandemic to exploit weaknesses in the information technology, security systems, processes and internal risk controls used by organisations in both the public and private sectors. Many employees across multiple industries continue to work from home where possible, and businesses have been forced to pivot to the online provision of goods and services and to rely more heavily on digital technologies in their supply chains. The result is that the opportunity for ransomware attacks has never been greater. The world we now live in has presented a ‘perfect storm’ for cybersecurity threats.
Policy and regulatory developments
Following the widespread major state-sponsored cyber attack that targeted Australian governments, businesses, operators of critical infrastructure and essential service providers in June, the Australian Prime Minister announced a new Cyber Enhanced Situational Awareness and Response (CESAR) Package on 30 June.
The CESAR Package allocates $1.35 billion in new funding to support enhanced cyber detection and disruption efforts between the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) – focused on malicious websites and phishing schemes – as well as the development of new cybersecurity technology and 500 new jobs for cyber experts.
There is also a $62 million fund to support ‘national situational awareness’, intended to educate the Australian public and businesses about cyber threats and how to mitigate them.
And that aspect of the CESAR Package reflects the Australian Government’s ultimate vision for cybersecurity policy in Australia. While the Government can help to guide and support businesses to understand the scale of cyber threats and develop specific best practice compliance standards, the onus will then be on each individual business – and its directors – to develop enhanced cybersecurity capability, supported by appropriate expertise and the latest technology and software, to minimise the risk of significant business disruption, and harm to employees, customers and suppliers, caused by a cyber attack.
As the Australian Defence Minister noted last month, ‘it is vital that all Australian organisations are alert to cybersecurity threats and take steps to protect their own networks’. The expectation has been set that businesses cannot simply ‘free ride’ off Government investment in cyber capability.
Yet, to be able to do that, directors need to know the rules of the game. Currently, the regulatory framework for cybersecurity in Australia is haphazard: there are no mandatory minimum security standards for businesses, and a single cyber attack can potentially give rise to breaches of corporations, privacy and criminal laws, as well as of industry-specific financial, energy, health and telecommunications requirements. With separate regulators – each with their own distinct powers, functions, enforcement priorities and internal pressures – responsible for administering each of those requirements, the potential for inconsistency, red tape and confusion for directors is considerable.
The new cyber security strategy
On 6 August, the Prime Minister released Australia’s new 2020 Cyber Security Strategy, which serves as a ‘roadmap’ for future action on cyber threats and reveals the priority the Government has given to cyber policy and regulation in the coming years.
The Government will play the leading role in deterring and responding to sophisticated state-sponsored cyber attacks, while ensuring a baseline level of cyber resilience across the Australian economy, for example by enhancing the powers of the ASD to detect and disrupt malicious attacks and organised criminal activity and by developing ‘toolkits’ and cybersecurity training that SMEs can use to raise cybersecurity awareness.
However, the Government can only do so much. The Cyber Security Strategy is clear that businesses must ‘take responsibility for enhancing their own cybersecurity, just as they are responsible for the safety and quality of their products’. To that end, the Government intends to work closely with industry to develop new legislation and regulations setting out minimum standards and expectations for the security systems and expertise that every Australian business will be required to invest in. The new standards will first be introduced for providers of critical infrastructure of national significance – including health, electricity, transport and food producers and distributors – because of the human cost a large scale disruption to those essential services could have.
This will then be expanded to legislation and regulations that ‘set a minimum cyber security baseline across the economy’, with public consultation on the new standards to include reform options across privacy, consumer and data protection laws, as well as specific cybersecurity obligations for directors and other officers.
It is anticipated that some of the current voluntary guidelines issued by the ACSC – including recommendations for businesses to adopt data encryption, comprehensive firewalls, unique passphrases, multi-factor authentication and secondary and tertiary control rooms – will be enhanced and made mandatory. Further, it is possible that a standalone cybersecurity Act may be introduced, with regulatory oversight and enforcement given to the ACSC or to a newly constituted regulatory body.
Consolidating cybersecurity functions under a single dedicated agency is the model the United States adopted when the Cybersecurity and Infrastructure Security Agency Act of 2018 established the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security as the lead federal agency for civilian cybersecurity and critical infrastructure protection. It should be noted that CISA’s role is primarily one of coordination, guidance and incident support rather than enforcement of mandatory standards, so an Australian regulator with enforcement powers would go a step further. Even so, having one identifiable lead agency has brought greater consistency and certainty to the United States’ approach and has helped foster a stronger ‘cyber culture’ at both the macro and micro level, as businesses have had a single point of reference for guidance on becoming more secure and resilient.
Directors in all industries and sectors need to be alert to the enhanced cyber threats that extend right across their supply chains and impact on all aspects of their operations in an increasingly digitised business world. As the legislative and regulatory framework contemplated by the Cyber Security Strategy takes shape in coming months, directors will have the policy certainty they need and specific standards to benchmark their business’s cyber capability and performance against.
Directors must ensure that their businesses innovate to keep pace with the technology and resources that criminal networks are themselves putting into novel cyber attacks. A critical aspect of that is, of course, investment in appropriate technology expertise and in new software, encryption and other digital solutions. But just as importantly, at the governance level, directors should have cybersecurity as a standing item for proactive consideration at every board meeting, and they should request specific periodic briefings, at least two to three times per year, covering key industry cybersecurity trends, regulatory requirements locally and internationally, modelling of how a cyber attack would impact the business, and the existing cyber capability of the business and avenues for improvement.
Cybersecurity should also be included as a distinct topic for risk committee investigation and reporting, and directors should ensure that a standalone cyber resilience framework and a supporting cybersecurity program are developed. Those corporate governance tools should include regular risk assessments, monitoring and auditing for compliance and reporting purposes, diligent cybersecurity training for staff, risk escalation processes, and crisis management plans for the event that an attack gets past the protections the business already has in place. The focus should be forward-looking, on prevention and not just on detection and mitigation of risk.
If directors fail to take these measures, they risk substantial breaches of criminal, privacy and industry regulations (set to be consolidated as part of the Cyber Security Strategy), as well as of their core duties to act with care, skill and diligence and in the best interests of the company. Indeed, a failure to protect a company against cyber threats, exposing it to regulatory breaches and to class actions from customers, employees and others whose data is improperly accessed in a cyber attack, may itself be sufficient to substantiate a breach of those duties.
And moreover, a cyber breach also exposes a company to significant reputational damage. That can hit the company’s bottom line hard in terms of revenue and lost community and industry standing – at the very time when the public is placing a higher premium on corporate trust, responsibility and accountability in shaping the decisions of employees, customers and investors.