Directors may feel isolated in their pursuit of cyber resilience. At-risk sectors could benefit from working together and sharing their experiences and defence strategies, writes Alice Williams FAICD.
I recently asked an ASX 200 company CEO whether his industry shared information regarding a major cybersecurity attack that severely impacted one of its major competitors. The response was that there was no sharing of information about the nature of the attack or the remediation efforts required.
Sharing cyber attack information is a complex issue. Companies tend to be reticent to publicly identify vulnerabilities in their systems, even with a limited group of technical experts in their field of expertise or industry. The infrastructure and systems industry participants use can vary widely — ranging from legacy systems to new forms of software or reliance on outsourced service providers. Additionally, company insurers tend to be uncomfortable with sharing information due to confidentiality clauses in insurance policies and concerns regarding the risk of exposing cyber hack playbooks.
However, the risks posed by an industry-wide cyber-attack far outweigh those posed by sharing information. Hackers tend to target vulnerable industries such as infrastructure, financial services, government entities and healthcare, where the potential impact can be extreme. Data breaches can generate valuable tradeable information on the dark web, and ransom proceeds can be enticing to threat actors.
The most at-risk sectors continue to be critical infrastructure, financial services and energy. However, the breadth and diversity of industries covered is extreme. Some industries — such as a freight operator or an abattoir — probably never expected to be subject to a cyber-attack.
Attacks can often be undertaken simultaneously and comprehensively across an industry sector. In Australia, several sectors have formalised practices for sharing digital security risk and threat information with regulators. The Australian Prudential Regulation Authority (APRA) has issued CPG 234, a prudential practice guide covering regulated financial institutions. This outlines reporting requirements following any major incident and includes root cause analysis and remediation actions. However, it doesn’t require the institution to share this information with industry counterparts.
The superannuation sector is currently looking to establish a cyber resilience forum — a sensible approach given the size of the industry with over $3 trillion of funds under management.
Chartered accountant industry body CAANZ is exploring the establishment of a cybersecurity information service to support its many members with small practices, many without in-house cyber expertise. The CPA is establishing a cybersecurity hub to inform members of cyber risks.
Federal statutory bodies such as the Australian Signals Directorate, the Australian Cyber Security Centre and the Department of Home Affairs through the Critical Infrastructure Centre have a general mandate to protect individuals and businesses, but have not yet established industry-specific collaboration models. Progress is being made in the Critical Infrastructure and Systems of National Significance reforms being progressively introduced to manage critical infrastructure industry risks.
Established industry model
The aviation industry is well-versed in sharing information on technical vulnerabilities and safety matters. This practice involves the operators, manufacturers and regulators working together from the time a safety incident occurs, through the investigation process, to the timely dissemination of information to all operators, covering root cause analysis through to the resolution of technical issues.
Cyber-attacks often occur due to similar contributing factors, such as inadequate training and technical and human factors, and the principles used by the aviation sector could be applied more broadly to cybersecurity matters across other industries.
It is in the national interest, and that of every industry, to seek to develop effective defences against cyber attacks. This needs to involve the sharing of information on the threat landscape, risk mitigation and response strategies. Industries should establish a secure channel or collaborative forums for members to share information across their community.
Alice Williams FAICD is a non-executive director of Djerriwarrh Investments, ProMedicus, Vocus Group and Mercer Investments. She is a former member of the Foreign Investment Review Board.