Are your Directors & Officers prepped for Cyber Breaches?
A cyber attack happened once every eight minutes in Australia in 2020-21, compared with once every 10 minutes in the previous financial year. No sector in the economy was immune, according to reports made to the Australian Cyber Security Centre, but because these are only reported breaches, the real rate is much higher.
The centre listed key trends as:
Malicious actors exploiting the pandemic environment
Critical infrastructure and essential services targeted
Ransomware growing in profile and impact
Hackers rapidly exploiting security vulnerabilities as soon as they were publicly disclosed
Compromised business email and supply chains.
Increasingly, cybercriminals target top executives directly, emailing them threats and ransom demands, or accessing their inboxes, files and computers to extort or blackmail them.
The total cost of a data breach is getting heftier. It was $2.82M in Australia last year, up from $2.15M the year before, says IBM.
How up to date are your company's directors and officers on digital security? Enough to give you confidence that your policies and processes will minimise the risks associated with a data breach?
The growing pressure of cyber on D&O
As a result of these breaches, company directors and officers face greater regulatory pressure to disclose cyber security issues. They must ensure they have appropriate cyber security measures in place to protect their company's digital assets. Failing to do so when a data breach occurs risks a shareholder derivative action, or a shareholder suit against D&Os for breaching their fiduciary duty.
What's the government doing about it?
The Federal Government released its Ransomware Action Plan last October, which introduces a criminal offence for cyber extortion (here's a link to the federal laws that cyber criminals face). Under the plan, the government will also mandate that companies with a turnover of $10M or more report ransomware incidents, and it has indicated it will increase regulatory oversight, according to law firm Corrs Chambers Westgarth. Paying a ransom may itself be a criminal offence; although there are defences, there is a lot of uncertainty.
The government has also set up a new Australian Federal Police-led multi-agency taskforce, Operation Orcus, to target ransomware attacks linked to organised crime groups operating here and overseas. The Federal Department of Home Affairs has also established the Cyber and Infrastructure Security Centre to actively manage regulatory moves and partnerships that protect our nation's critical infrastructure. You can find a comprehensive register of those asset classes here, plus the obligations for responsible entity holders or direct interest holders.
The government's Cyber Security Industry Advisory Committee has issued Locked Out: Tackling Australia's ransomware threat, which advises businesses to:
Practise good cyber security hygiene, including following the Australian Cyber Security Centre's Essential Eight
Have multi-factor authentication for email security
Keep software up to date
Continuously train employees about the risks and how to manage them
Regularly back up your data
Archive data more than 15 months old to reduce the amount of data that could be impacted.
That presumes a high level of cyber expertise and risk-management capability at the fingertips of the board and its officers.
What are your D&O responsibilities?
For D&Os, managing cyber risks is a core governance issue that falls under the duty of care and diligence in section 180(1) of the Corporations Act, according to professional services consultancy PwC. However, there haven't been any significant Australian cases or regulatory prosecutions of D&Os concerning ransomware attacks or preparedness … yet.
Boards should be actively engaged in managing cyber risks, and can look to ASIC for cyber guidance. It covers 11 good practices, including:
Board engagement
Responsive governance
Cyber risk management and threat assessment, including reporting notifiable data breaches
Third-party risk management
Collaboration and information sharing
Asset management
Cyber awareness and training
Protective measures and controls
Detection systems and processes
Response planning (critical infrastructure and data protection system)
Recovery planning.
It's worth pointing out that businesses should have appropriate contracts and processes in place to make sure their suppliers, service providers and sub-contractors also meet cyber security requirements.
Don't overlook cyber insurance
You might assume your existing directors' and officers' liability insurance should cover you for cyber risks, but please check with us for peace of mind. For example, the D&O policy may or may not include:
Investigation costs
Whether the insured individuals include all people involved in significant cyber-related decisions and implementation on the company's behalf
Investigation of the cyber incident when you're expecting it to go to court
How joint costs – between D&Os individually and the entity – should be appropriately allocated
Shareholder actions following a cyber incident
Costs directors incur to minimise reputational injury from a cyber breach.
Cyber risk or cyber liability insurance can cover costs, liabilities and losses resulting from a cyber incident in your company. But generally, cyber liability insurance won't cover all of the costs you incur, such as salary costs for your staff, uninsurable fines, or damage to property other than computer hardware.
The good news is that you can minimise your cyber security risk profile with the above strategies and tailored insurance, although our advice is that premiums will rise in the next two years. The more you tighten your internal processes to manage your cyber risks, the stronger your application will be for a new policy or a renewal, earning you more favourable terms.