
Australian businesses lacking in cyber preparedness, report says

Despite the cyber threat landscape continually evolving, a new report has revealed that many businesses are unprepared for a breach – with many lacking a legal-specific incident response plan.

Lauren Croft, 26 September 2023, Big Law

While legal risks see Australian lawyers on the frontline of defence in the rapidly evolving cyber threat landscape, 38 per cent of lawyers surveyed have not participated in a cyber crisis simulation and only 19 per cent have a legal-specific incident response plan, according to a new report from Herbert Smith Freehills.

The report, Cyber Ready? Australian Businesses Rise to the Challenge, explored the impact of cyber incidents and the changing role of lawyers and revealed a gap in preparedness. It analysed a landmark survey of over 120 legal leaders from Australian businesses, including more than 80 general counsel.

HSF partner Cameron Whittfield, APAC head of cyber security, said that as businesses build their cyber resilience, “Australia’s relative wealth and commitment to digitisation makes it a target for the next wave of cyber threat actors”.

“Although the views of boards and CIOs have been shared widely, our survey results reflect the views of legal leaders who have a clear line of sight across the organisation, including the board. In-house legal leaders are attuned to managing risk and are often front and centre in any cyber crisis. They are a sound bellwether for risk,” he said.

“Australian businesses and their boards have never been under more scrutiny about their cyber resilience, as they respond to cyber security threats, compounded when many are responding to a dynamic and shifting business and regulatory environment.”

According to the report, for lawyers to effectively respond to cyber attacks, they need to be empowered and activated to manage digital risks – they need to be part of the preparatory work and be prepared for the myriad of legal issues that will unfold at pace.

“Many companies are preparing for attacks in ways that do not actually reflect the way the attack plays out,” Mr Whittfield said.

“The legal and regulatory risks are significant and acute. In our experience, the lawyers are front and centre when a cyber crisis unfolds. In fact, they often play a breach coach role, coordinating the response.

“In the first 24 hours, you don’t want to be educating key internal stakeholders or building the plan as you execute it. Significant benefits come from clearly defined roles. Increasingly, as lawyers take up the role of ‘breach coach’, they are coordinating the response. Positively, 58 per cent of respondents have someone in their legal team specifically tasked with cyber and data issues. I am sure this is a material change from how legal teams used to be made up.”

Pressure on boards

The report also reflected on the role of regulators, who have sent directors a clear message on cyber resilience as threats increase. Survey respondents noted that their boards are bolstering cyber defences: three-quarters said their boards had been educated about cyber risks in the last 12 months, and one-third reported having cyber expertise on the board.

“Expertise for the board is less about who sits on the board than the information they are getting and the processes they are following. Boards need to understand the risk and the company’s security posture, and based on this they can set the company’s risk appetite. Understanding the answer to a question is as important as the question itself,” Mr Whittfield said.

“Boards have the most impact in the preparation phases. Effective preparation enables an organisation to fulfil its legal obligations, limit regulatory and litigation risks, as well as to protect individuals and shield a company from reputational damage. We were somewhat surprised that many boards were still to run a cyber crisis simulation. Respondents confirmed that almost one-third had not held one, and a further 25 per cent of respondents were unable to confirm one way or the other.

“This shows two things, the first being that boards have some work to do here. But we also appear to have a disconnect between actual cyber-attacks where the lawyers are often front and centre, and the preparation for these where the simulations are not being done or the lawyers are not involved.”

While many boards had yet to form a view on whether they would be open to paying an extortion demand, two-thirds of respondents were unaware of their board’s position on extortion payments, a scenario the report emphasised is highly likely should an organisation suffer a breach.

Furthermore, the report emphasised that one of the best ways to manage the risk of a data breach is to limit the attack surface.

“We must ask ourselves what data are we collecting, why are we collecting it, and when we are finished with it, why are we still holding it,” Mr Whittfield added.

“Forty-two per cent of respondents remain concerned about their company’s data retention practices, indicating that we still have work to do in this regard. It’s a very challenging area, with companies looking to revisit and address legacy data collection practices.

“This is a matter for legislators too. Many companies are constrained by outdated data retention obligations which do not reflect practices of the modern digital economy.”
