Lawyers are there to help assess risk and protect their clients. In unfamiliar situations where decisions have to be made, they try to shield their client from making decisions that might create future harm. This is their job.

Cyber attacks are not normal for most people, lawyers included. The unprecedented level of cyber attacks on Australian organisations means there are a lot of people in unfamiliar waters, exposed to unfamiliar risks.

A live cyber attack on a business is chaotic. There are a lot of unknowns. You don’t know who is attacking you, where they are in your system, what they have access to. You don’t know what the consequences are going to be. In the heat of the moment, it’s easy to make decisions that make sense in the situation but have damaging consequences later. Having legal advice on those consequences can often avoid that damage.

Not every lawyer is the right one, though. Australia has only a handful of truly expert cyber security lawyers.

A lawyer unfamiliar with a cyber attack might be reluctant to let any other third party “in the room”, especially a government agency, given the regulatory consequences at play. It’s easy to see why regulators wouldn’t like that advice. But seeing all lawyers as a problem who should be kept “out of the room” will leave everyone worse off in the long run.

First, a chief information security officer (a CISO) is responsible for protecting the organisation from cyber risk. A lawyer’s job is to protect the organisation from legal risk. Their roles overlap. Together, they can persuade leadership that cyber needs to be given the attention and funding it needs. This is something the Australian Cyber Security Centre (ACSC) and the federal government are very keen for businesses to do.

Second, while the Commonwealth’s “single reporting portal”, announced in the Cyber Security Strategy 2023–2030, will really help simplify regulatory reporting, it doesn’t cover multinational or other non-regulatory disclosure. The Australian Securities and Investments Commission (ASIC) has flagged that organisations that mess up reporting cyber breaches may face significant consequences. If your lawyer is excluded, they cannot help you meet these complex requirements. The Cyber Security Strategy is considering safe-harbour regulations when engaging with the government, but it won’t be a shield against all liability, just government fines.

VIEW ALL

Lawyers also help the crisis communications team clear public statements and reports so they are accurate and don’t expose the organisation to additional risk. They can’t do that if they only have second-hand information.

Third, depending on the type of attack, there are multiple, critical decisions to be made. Do we pay the ransom? Does paying that ransom put us at risk of breaching other laws, like anti-money laundering or material support for terrorism legislation? What are the implications for the data that was accessed or stolen? These decisions must be made by the executive or the board. For that, they need informed legal advice.

Finally, even the best-handled cyber attack has a long tail of legal consequences, reaching far beyond the initial cyber response. Optus and Medibank both face multiple class actions. The Australian Prudential Regulation Authority (APRA) required Medibank to hold additional funds in reserve. The Office of the Australian Information Commissioner (OAIC) can impose fines and enforceable undertakings.

The board and executive have a legal obligation to protect the organisation. Protecting an organisation starts the moment a cyber incident is detected with protecting legal professional privilege. The lawsuits following a breach can cripple an organisation more than the cyber attack.

The Federal Court denied Optus’ application for legal professional privilege over Deloitte’s investigation report. You can bet Optus wishes they spent more time in the heat of the moment listening to their lawyer’s advice about privilege.

Incident response investigations are important. They need to allow cyber defenders to do what they do best. But the last thing you want in an incident is to be worrying that every text you write is going to be used against you in court. That is in no one’s best interest.

So, instead of kicking the lawyers “out of the room”:

1. Involve your lawyers in incident response planning. Don’t make the first time they see the plan be when it is put into action.
2. Include lawyers in the tabletop exercises and scenario training. Like everyone, they need to practice their roles.
3. Support your legal teams with expert cyber legal advice.

Annie Haggar is the founder and principal of CyberGC.