What GCs, disclosure rules and cyber attacks have in common
In the past, failure to report a cyber breach prior to telling the media might have been treated as more of an “oops” moment and a slap on the wrist from the regulators, but not anymore, writes Annie Haggar.
It’s hard to believe that there have only been 36 cyber security attacks against ASX-listed companies in the last decade, but many in the cyber security industry have long suspected that many breaches go unreported.
But what’s harder to believe is that, of these 36 reported attacks, only 11 companies properly reported the breach to the regulators before the media did. For the other 25, sharemarket investors heard of the breach over their morning coffee and not directly from the company in which they had invested. Those 25 companies were likely in breach — and not just a cyber breach.
Research by Professor Alex Frino has shown that, in the wake of a successful cyber attack, a company’s market value drops by 5 per cent — working out to be an average loss of half a billion dollars. This would appear to be a material, and therefore disclosable, event.
In the past, failure to report a cyber breach prior to telling the media might have been treated as more of an “oops” moment and a slap on the wrist from the regulators, but not anymore.
On Friday, 17 February, the Federal Court handed down its largest-ever penalty for breaching continuous disclosure rules — fines of over $15 million for the company and fines of up to $2 million and up to 15-year bans on managing companies for former directors of GetSwift.
These fines, recommended by the Australian Securities and Investments Commission (ASIC), were doubled by the Federal Court — signalling the seriousness of the repeated failures to disclose. Now, while the GetSwift case involved 22 failures to disclose, with the increasing frequency and severity of cyber attacks, ASIC has made it clear that cyber will be an increasing area of focus. Nor is disclosure ASIC’s only point of focus, in the wake of ASIC v RI Advice Group Pty Ltd [2002].
It’s easy to understand how, in the chaotic hours following the discovery of a cyber security attack on your business, the minutiae of who needs to be told, and when, might slip the attention of the general counsel, in-house legal team, executive, board and comms team.
But, like preparing for a fire or other possible disaster, coming out of a cyber attack while minimising damage is not a matter of luck. It is a matter of planning, preparation, and practice. What’s more, a cyber attack isn’t a possibility — it’s a guarantee that it will happen to you.
When. Not if.
So, what can corporate counsel teams be doing in response? These are just a few of the key questions you should be asking yourselves and your business teams:
Do you have an incident response plan?
If your answer to that question isn’t a confident “Yes, and I’ve reviewed it, and legal is a key part of it”, then the answer should be “No”.
Each of the 25 companies that were likely in breach of their obligations by reporting a cyber security breach to the media before their shareholders could have avoided this with a good incident response plan that has legal as the first people to call.
A good incident response plan isn’t just a technical document, written and held by the IT and security teams. It must also be an executive-level risk management control that outlines the roles and responsibilities of all the key players — who must include the general counsel, the board and the rest of the C-suite.
A good incident response plan must have legal at the top of the phone tree when a cyber breach is discovered. Legal must be involved in the investigation, commission any reports, and be at the table when the executive is making decisions. Legal will be responsible for helping to protect legal privilege, ensuring regulatory reporting obligations are met, managing the legal “recovery” and potentially defending future claims. This job becomes impossible if legal is excluded from (or only partially consulted on) the response. If you think you will need expert legal and technical help (and unless you’re a cyber security expert, you will), then get it on retainer before you need it.
Do you know what data your business collects and holds — and where it’s kept (e.g., in which system)?
When the chief information security officer says, “we’ve been hacked”, in-house legal needs to understand what that means in terms of regulatory reporting. This will depend on what data your business holds, which systems it’s in, and how they have been compromised (e.g., the type of attack — encrypted systems or stolen data).
With only 30 days under the Privacy Act to assess whether a breach is likely to cause serious harm and to notify, you won’t have time to run a data discovery and classification exercise as well. You should already know what type of data is held where, and, as a legal risk management responsibility, you should ask how it’s secured.
How secure is your supply chain?
Do you know how secure your suppliers are? Sure, they are required to meet certain security standards — but have you ever checked if they actually meet them? What will you do if they don’t? Can you take any action under their contracts?
In ASIC v RI Advice, Her Honour Justice Helen Rofe stated: “It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”
In the past, “adequate” and “acceptable levels” set a much lower threshold, as attacks were less certain, less sophisticated, and could be less impactful. Today, in the wake of Optus and Medibank, the bar for what will be considered an “acceptable level”, especially for regulated companies, is much, much higher.
Corporate counsel should be getting advice if they don’t have cyber skills themselves, raising the legal cyber security risks to the executive, reviewing their supply chain terms, customer terms, policies and so on, getting their team trained up, and making sure they and their business are prepared for what is to come.
Annie Haggar is the principal of Cyber GC.