Cyber resilience: The role of general counsel - Corporate Governance

The digital economy is key to Australia's future.

The Government is focussed on transforming Australia from its reliance on the resource sector to a new service-led economy, based on intellectual capital. This comes as Australian businesses are continually increasing their investment in digital technologies.

With the advent of the digital economy, the risks that come with a cyber-attack run through every part of an organisation. Australia simply cannot succeed in this new digital world if our organisations are not cyber resilient.

A free and open internet has been critical in driving the digital economy. However, an open internet has brought new challenges for organisations that are now required to protect themselves from a perpetual threat of a cyber-attack. It is ironic that the internet's origins can be traced back to the US military. An organisation preoccupied with defence, gave birth to an eco-system that has developed with security as an afterthought.

Increasingly, a business' value is tied up in its intellectual property assets, including data. This is particularly true for organisations that operate online or in the service and retail sector. The value of these new economy businesses consist largely of software, databases, brand and customer loyalty. A cyber-attack can cripple a business so dependent on the internet for its operations.

Cyber resilience is just as important for businesses with traditional models. For example, mining and construction companies are increasingly connected to the internet as plant and machinery is switched on to the Internet of Things (IoT). IoT connected devices have the capacity to autonomously input, communicate, analyse and act upon information. While IoT technology increases productivity and control, it will also bring new challenges for businesses that have not previously had to consider cyber security as a significant risk.

It's estimated that in Australia, cyber-attacks affect five million people and cost over $1 billion each year. These numbers are increasing. The Ponemon Institute 2016 report revealed that on average a cyber breach costs a business $4 million. But the long-term damage could run into many multiples of that.

The Australian Cyber Security Centre's survey of large businesses and government agencies show that 90% of organisations faced some form of attempted or successful cyber security compromise during the 2015-16 financial year. Indeed, there have been a recent string of high-profile cyber-attacks against Australian and global organisations. This includes the e-Census distributed denial of service attack and the hacks of Bureau of Meteorology, Ashley Maddison and Target. One of the most costly attacks was the hack of Yahoo. Shortly after Verizon announced its US $4.83 billion acquisition of the firm, Yahoo revealed that years earlier it had been subject to a massive cyber-attack causing the privacy of more than one billion accounts to be breached. This resulted in the re-opening of negotiations and ultimately Yahoo agreed to drop the purchase price on the deal by US $350 million.

Some Australian businesses have recognised the threat and have invested heavily in cyber resilience. However, these organisations are probably in the minority. Many organisations still treat cyber security as an afterthought.

A CYBER RESILIENCE FRAMEWORK

Many businesses struggle to get the basics right on cyber security. While the IT department will implement technical safeguards in the hope that hackers won't get in, it's impossible to protect everything.

Most cyber incidents occur as a result of poor governance and a lack of employee training. Businesses need to develop a cyber resilience framework and train staff to meet agreed standards. The ASIC report (REP 429 Cyber resilience: Health Check) into cyber resilience calls for greater Board involvement in cyber security planning. ASIC recommends the Board drive the development of this framework and involve all parts of the business including legal, marketing, commercial and IT.

The cyber resilience framework should be based on recognised security standards such as ISO/IEC 27001 and 27002, CBEST (a vulnerability testing framework prepared by the Bank of England) and NIST (cyber standards prepared by the US Department of Commerce). Best practice requires that the framework take a threat-based approach and identify which assets matter most to the business and what is most likely to be targeted.

Often, third party suppliers hold sensitive data and operate critical systems but are not considered in a business' cyber resilience framework. These third party suppliers can be the weak link in a company. It is not good enough to just rely on a contractual clause that passes liability onto a supplier. Businesses should be continuously identifying key suppliers and ensuring they fit within their cyber security framework.

The Board or Risk Committee should be responsible for reviewing and monitoring the implementation and performance of the cyber resilience framework. This oversight ensures that cyber incidents are not covered up or incident responses siloed in the IT department. It is alarming that 80% of IT department staff said in response to a recent survey that they frequently fail to communicate with management about suspected cyber-attacks.

Boards and senior management need to increase their involvement. ASIC has reported that only a third of all Boards were involved in reviewing security and privacy risks. This is concerning given that Board involvement, training and incident response plans are a proven means of reducing the cost of a breach.

DEALING WITH REGULATORS

The OAIC, ASIC, APRA and the ASX are taking a close interest in how organisations plan and respond to cyber threats. It is OAIC's primary duty to ensure strict standards on how organisations collect and store their customers' personal information. From February 2018, OAIC regulated entities will be required to carry out investigations of a cyber breach in 30 days and notify affected individuals and the Privacy Commissioner as soon as practicable after they become aware of a serious data breach. This timeframe is concerning given that the Ponemon Institute 2016 report found that the average time to detect a breach is 201 days and the average time to contain a breach is 70 days.

Interestingly, foreign regulators have become increasingly aggressive on cyber security. The EU recently adopted new data protection regulations which are enforced by penalties of up to €20 million or 4% of annual turnover. The EU has also introduced a new directive that requires the operators of essential services to implement measures to ensure the security of their networks and systems. New York State recently passed new cyber legislation targeted at the financial services sector which requires each firm to develop and implement a cyber security framework. Given this international trend, it would not be surprising to see the Australian Government adopt a similar approach to regulating cyber security if the business community fails to take steps to make their organisations cyber resilient.

ROLE OF THE GENERAL COUNSEL

Too often businesses only involve lawyers as a reactive measure to a data breach. However, General Counsel should be an integral part of the proactive plan to prevent, prepare and respond to a cyber-attack.

At a minimum lawyers will be required to:

advise directors of their duties with respect of cyber security;
deal with regulators such as OAIC, ASIC, APRA and ASX in respect of a cyber-attack or regulatory breach;
ensure that post breach investigations are legally privileged;
deal with contractual claims and possible class actions in the event of a cyber breach;
manage the relationship with IT suppliers and review supply contracts for appropriate cyber security arrangements;
review insurance policies for cyber coverage; and
conduct due diligence for cyber issues in M&A.

As risk professionals, lawyers need to play a key role in making their organisation cyber resilient. The General Counsel is a critical stakeholder tasked with assessing and mitigating cyber risk – whether it be as a legal advisor, member of the Risk Committee or as a member of the Board. General Counsel are also skilled in developing and applying governance models, managing suppliers and identifying and protecting an organisation's critical intellectual property assets.

General Counsel have a key role to play in assisting their organisation and Boards to put in place the governance framework to make them cyber resilient and thrive in the digital economy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.