In the face of rapidly increasing and widespread cyber threats, directors need to be acutely aware of the issues, duties, third party vulnerabilities, insurance and the need to upskill board and management expertise.
Cyber risk is an existential concern for almost every organisation today. The scale and growth of the risks have seen cybersecurity become a topic of urgency that’s concerning governments and businesses across an increasingly interconnected, digitised world.
It has seen the emergence of the likes of Australian Sovereign Cloud (AUCloud), an infrastructure-as-a-service (IaaS) provider focused on helping federal, state and local governments, and critical national industries with cloud deployments.
“Our whole business is based on risk,” says AUCloud chair Cathie Reid AM MAICD.
The serial healthcare entrepreneur is a director of the Brisbane Lions Football Club and deputy chair of the Department of Home Affairs’ Australian Cyber Security Industry Advisory Committee, led by Telstra CEO Andrew Penn. Reid unashamedly describes herself as a “cyber nerd”.
AUCloud, which specialises in “keeping the data of Australians in Australia”, listed on the ASX in December 2020. Landing a contract earlier this year to provide threat-monitoring services to the Australian Electoral Commission (AEC) for the next federal election was a coup “that obviously puts you on the radar in quite a significant way,” says Reid.
Further details of the services AUCloud will provide to the AEC over the three-year term of its contract are under wraps.
The pressure is on Australian company directors to prioritise cybersecurity as proposed legislative changes loom and the cyber threat is driven by a vast array of nation-state and criminal actors.
What’s currently of particular concern for directors is a number of ransomware attacks that have exposed the vulnerabilities of organisations across the globe. In March, US insurer CNA Financial made the largest known ransom payment to date at US$40m. In May, JBS Foods, the world’s largest meat supplier, had global production halted, impacting its 47 facilities in Australia. In a statement on 9 June, the company said it had paid US$11m to the attackers.
As the modus operandi of cyber criminals changes fast, the list of Australian organisations reporting cyber attacks is increasing. Standouts in 2020 were Toll, Lion, BlueScope, Downer, and Service NSW. This year has seen a spate of high-profile cyber events at Parliament House in Canberra, Nine Entertainment, Eastern Health, Taylors Wines, RMIT and ANU, to name a few.
There’s a lack of visibility and transparency around cybercrime and its impact, not least because fear of reputational damage stops many organisations from disclosing they have been the victim of an attack. Against this backdrop, the Cyber Security Strategy landed in mid-2020, with a $1.67b spend to sharpen defence and build awareness among all Australians. It placed a heavy onus on business to play its part in defence and building capabilities.
The federal government puts directors in the hot seat with proposed changes in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill), which introduce mandatory cybersecurity incident reporting and enhanced cybersecurity obligations for “systems of national significance”. The bill substantially expands the definition of critical infrastructure from electricity, gas, water and ports to 11 new sectors — communications; financial services and markets; data storage or processing; defence industry; higher education and research; energy; food and grocery; healthcare and medical; space technology; transport; and water and sewerage.
The proposed legislation requires those responsible for critical infrastructure assets to adopt and maintain a risk management program.
Boards will be responsible for signing off on risk management programs and, in some instances, must provide ownership and operational information to a new infrastructure assets register. Controversially, the proposed legislation gives the government last-resort powers to step in and respond to significant cyber attacks on critical infrastructure, a move loudly questioned by big tech players Amazon Web Services, Cisco, Microsoft and Salesforce.
A significant aspect of the SOCI Bill is a set of new, wide-ranging government powers to intervene in the event of a cyber incident. The powers would be used in emergency circumstances and allow the Secretary of Home Affairs, upon approval by the minister, to direct an entity to take a particular action. This could include directing an entity to shut down a service. The breadth of the directions provisions is considerable and may result in instances where complying with a direction could present a conflict with existing director duties.
The AICD has written to the government to recommend that the proposed immunity provisions in the SOCI Bill are broadened to ensure directors of impacted entities are protected. Comprehensive immunity will provide comfort to senior decision-makers of entities, including directors, that there is appropriate protection if complying with an obligation or direction under the SOCI Act results in a conflict with other duties.
There’s a massive task ahead. At the epicentre of government action is the Australian Cyber Security Centre (ACSC), based at ASIO headquarters in Canberra, as part of the Australian Signals Directorate (ASD). The ASD is responsible for leading the Australian government’s organisational response, overseeing national operations, receiving reports on and raising awareness of cyber threats.
Running partnership programs for business — including Joint Cyber Security Centres (JCSCs) to engage in collaborative capability-raising activities — and issuing alerts on threats, the ACSC cleaves to a baseline set of mitigation strategies known as the “Essential Eight”. The framework focuses on technical controls for business. Industry players claim they overlook the rapidly increasing relevance of other aspects crucial for cybersecurity, such as risks from third-party supply chains and cloud services, the necessity for organisational and cultural change, and awareness.
Cybersecurity industry group the Australian Information Security Association (AISA) says this perpetuates the concept that cybersecurity is an IT problem as opposed to a business risk problem. AISA is calling for a framework similar to the Australian Prudential Regulation Authority’s standard CPS 234: Information Security, which has taken a principles-driven approach to measures for banks, insurers and superannuation funds, allowing them time to build resilience. “We want people to manage cyber as a business risk, rather than be obliged to tick the compliance box, which won’t move the needle,” says AISA president Damien Manuel GAICD. “Principles help companies to start thinking about cybersecurity and uplift their practices over time.”
There is an obligation on all directors under existing duties to act with care and diligence to focus on cybersecurity, understand the threat landscape and ensure that it’s part of board conversations, says Reid. She reports a wealth of diverse views on increasing directors’ duties among the members of the Cyber Security Industry Advisory Committee.
There were concerns in the director community that further responsibilities would be imposed on directors of large organisations (beyond critical infrastructure) after a Department of Home Affairs discussion paper — Australia's cyber security regulations — was released as part of the national strategy. Feedback on the paper closed at the end of August.
Although earlier communications from the Department of Home Affairs indicated the possible introduction of a specific legislative duty for directors to manage cyber risks, the government moved away from this proposal in its recent discussion paper.
Company directors are expected to watch the cyber risk space as part of their existing duties under the Corporations Act 2001 (Cth).
Reid is concerned it would otherwise deliver another potential risk if liabilities become a deterrent for directors and further diminishes the director talent pool. Her preferred approach is to provide directors with opportunities to upskill and ensure they are appropriately resourced for the additional responsibilities. There’s a shortage of direct cyber voices on boards, she says. Cyber expertise — via CIOs, CISOs or the head of IT reporting through a CFO — is typically one or two steps removed. Ideally, in today’s climate, there should be more than one token cyber director.
In responding to the government's recent consultation, the AICD strongly cautioned against imposition of an additional cyber duty — given the potential for duplication with existing directors' duties.
Directors are definitely in new territory with cyber risk, asserts Rachael Falk MAICD, CEO of the Australian Cyber Security Cooperative Research Centre, and also a member of the Cyber Security Industry Advisory Committee.
“The risks are asymmetrical,” she says. “They aren’t like any other risk a board faces. Directors can’t control this risk. It comes at them and the attacker will always have the advantage. If you are a company that is data-rich and has lots of targets, you can expect constant attempts to steal that data. As a board member, you may be the most upstanding individual, but you need to think like a cybercriminal.”
Falk co-authored a report on ransomware, the insidious easy-money grab now plaguing organisations. Originally involving attackers simply encrypting sensitive data and locking systems, it has evolved to exfiltrating and threatening to publish that data. Among the report’s recommendations is the need for clear policy around the legality of ransomware payments and increased transparency around attacks — along with the adoption of a mandatory reporting regime.
Organisations in the sectors impacted by the SOCI Bill need to raise their security posture, says Falk, but they need to be realistic. “Boards should not expect management to play Whack-A-Mole and get every single threat. You’ll never be on top of the risk, you’ll just effectively manage it.”
The proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill) expands the Security of Critical Infrastructure Act 2018 (SOCI Act) to cover more sectors and introduces new reporting and compliance obligations.
As well as increasing the obligations on business organisations, the SOCI Bill expands Commonwealth powers to gather information and respond to cybersecurity incidents. These powers include measures the government may take to help organisations in critical infrastructure sectors respond to cyberattacks. The bill is currently before the House of Representatives.
With the proposed changes in the SOCI Bill, third-party liability is one of the areas where large organisations will become liable — with responsibility for ensuring suppliers are compliant with minimal cybersecurity standards.
“We’ve seen third-party suppliers become the weak links,” says Falk. “For example, managed service providers — outsourced IT providers — are the soft underbelly of organisations because they have the keys to the kingdom. They know everything about your organisation including changed passwords. They are a vital part of the cyber ecosystem, a large number are SMEs, and they will need a minimum cybersecurity standard to play. So it’s really important we focus on uplifting the lifeblood of the Australian economy.”
Nine years ago, when Falk worked at Telstra, suppliers were given a minimum set of standards to meet, and she expects a similar outcome here. Perhaps not before time. Cyber experts claim the most sophisticated threat actors are now frequently compromising poorly secured domains of Australian SMEs on their way to infiltrating higher-value targets.
High-profile hacks such as that on IT provider SolarWinds — which in 2020 suffered one of the largest supply chain attacks ever, impacting the US government, technology, healthcare, research and extractive sectors across four regions globally — highlight the importance for businesses of seeking assurances from third parties, concurs Reid, who knows the territory from her healthcare experience. There is no quick-fix solution.
“It’s risk management 101," she says. "It’s about understanding who your partners are and what vulnerabilities can be introduced into the system by the access they require... mapping your business to identify potential vulnerability points. And it needs to be baked into procurement processes, as well.”
Insurance alone not the answer
The sobering fact for many in this time of heightened cyber anxiety is that insurance, the standard tool for managing risk, is in a state of flux. Cyber insurance premiums have soared by an average of 70 per cent — and as much as 500 per cent — over the past year, according to global insurance broker Marsh. General business insurance policies are also excluding cover for cyber-related risks such as loss of data.
“Given the large-scale losses that have come in, it’s become harder and harder [for organisations] to have cyber insurance,” explains Kelly Butler, managing director and Pacific cyber practice leader at Marsh. She says insurers modelled around frequency of attacks, but failed to see the severity or the potential scope for losses.
Butler runs through a list of costly events that follow a cyber attack — triage, understanding what’s missing, where attackers are in the system and the damage done. “Then there’s the business interruption and income losses, the reputational harm, third-party liability... Insurers are grappling with their strategy,” she says, adding many have stepped back to consider corrective action — from premium hikes and coverage to limiting capacity for any one risk and increasing excesses.