There is a “vital need” for a Cyber Panel to be established, Ashurst partner and head of legal governance advisory Robert Hanley and Ashurst director of risk advisory John Macpherson argued.

The establishment of such a specialist panel, akin to the Australian Takeovers Panel, should focus on resolving and advising on cyber security incidents, be able to respond urgently to cyber issues and disputes, and offer industry guidance and support, the pair submitted.

There is a “pressing need” for this panel, said Mr Hanley.

“Cyber security is a highly specialised and technical area which is developing quickly and managing cyber risk has never been so important. In April this year, the Australian government urgently advised organisations to adopt an enhanced cyber security posture,” he advised.

“They warned of a heightened cyber threat environment globally and an increased risk of cyber-attacks on Australian networks, either directly or inadvertently.”

Mr Macpherson supported this, pointing out that, last year, an Australian organisation suffered a cyber attack every 11 seconds, costing the local economy an estimated $42 billion per year.

Cyber criminals, he outlined, have been able to profit from successful attacks, they continued to invest in technologies, artificial intelligence and machine learning, enabling them to grow in sophistication and improve their capabilities to undermine the cyber defences that both governments and corporate organisations put in their way.

VIEW ALL

Mr Hanley added: “Cyber security has now become a national security and corporate imperative. Business needs to be aware of and actively manage the risks. Leaders need to continue to mature and evolve their understanding and governance of, and investment in, cyber risk management and enforcement.

“But more must be done to assist companies and their directors. That’s where a Cyber Panel could be so useful.”

What could a Cyber Panel look like

A Cyber Panel could, Mr Hanley suggested, be a peer review body made up of part-time members such as technology and cyber specialists, lawyers, leading business people as well as government appointees.

“Such a body would bring specialist technical and market knowledge to the table,” he hypothesised.

“A Cyber Panel could be convened urgently to advise on ransomware attacks but it isn’t only about ransomware — the panel could cover cyber compliance, cyber breaches, cyber security standards and governance for cyber security vendors, technology and third party services and cyber disputes resolution.

“A Cyber Panel could advise companies on whether payment of a ransom following a cyber-attack is legal or illegal, and whether there is any operational or economic imperative to pay. Such advice could consistently provide limits and constraints on the current over-willingness to pay.

“A Cyber Panel may also have a role to play in developing and augmenting enforceable cyber security standards. If standards are indeed legislated — and if directors whose companies have achieved the required standard have some protection through ‘safe harbour’ provisions or general law — the Cyber Panel could be approached where the standards are not clear or where there is a need for a determination of what is required, and indeed meant, by the standards.”

And, Mr Hanley listed, a Cyber Panel “could provide an urgent avenue of appeal to endorse (or otherwise) whether the minister could step in where an entity is ‘unwilling or unable’ to comply with a direction or authorisation in relation to a cyber incident affecting critical infrastructure assets”.

Legislative updates

Further to the above suggestions, Mr Macpherson noted that the recent amendments to the Security of Critical Infrastructure Act 2018 are demonstrative of the evolving regulatory approach to protecting our critical assets and the pivotal role the private sector must now play in relation to our national security.

“Cyber incidents pose one of the most significant threats to Australian organisations, and the act recognises this shared responsibility between government and private sector entities,” he said.

“Implementing the act, however, will be a significant challenge for companies that have limited experience complying with a national security agenda.

“Supporting this implementation with practical steps is why setting up a Cyber Panel is so important.”