IBA urges organisations to strengthen cyber security practices
The International Bar Association has released a new report emphasising the importance of cyber security for senior leaders and revealed how companies can strengthen their cyber risk governance.
The new report from the IBA Presidential Task Force on Cybersecurity and the IBA Legal Policy & Research Unit (LPRU), Global perspectives on protecting against cyber risks: Best governance practices for senior executives and boards of directors, urges senior managers and boards of directors to protect their organisations against cyber attacks through increased governance.
Drawing upon sources across 10 jurisdictions – Australia, Brazil, Denmark, Germany, India, Israel, Singapore, Uganda, the United Kingdom, and the United States – the report provides an insight into existing cyber security threats and outlines actionable steps that companies can take to strengthen their cyber risk governance.
Sternford Moyo, immediate past president of the IBA and chairman of Scanlen and Holderness, Zimbabwe, appointed the task force during his 2021–22 presidency and assigned the project as a presidential priority.
“There is a real need for leadership and development of international cyber best practices in the intersection of law, public policy and technology,” he said.
“This IBA report sets a global benchmark on best governance practices for corporations in effectively safeguarding their organisations against cyber risks.”
The release of the report expands upon the IBA’s cyber security guidelines, originally released in October 2018.
These guidelines emphasise that law firms hold “large volumes of valuable personal and commercially sensitive information about their firms, employees, case information and clients”, making them a highly attractive target for cyber criminals.
In May this year, HWL Ebsworth – which has nine offices across the country and the biggest partnership of any law firm in Australia – confirmed that a Russian-backed ALPHV ransomware group, also known as BlackCat, hacked into an employee’s personal computer and allegedly stole more than four terabytes of data from the firm’s Melbourne server, including client and staff documents.
HWL Ebsworth partner Andrew Miers later confirmed in an affidavit submitted to the Supreme Court of NSW that HWLE has, so far, incurred over $250,000 in costs to conduct a comprehensive review into the leaked data, and that this cost is expected to grow.
This came after IP services group IPH Limited (ASX: IPH) detected unauthorised access to a portion of its IT environment in mid-March. It subsequently halted trading and launched an investigation into the breach.
According to the IBA report, regulatory bodies have begun developing legal guidelines and standards in response to the increase in cyber attacks. However, compliance with such regulations alone no longer protects companies, and the IBA urges company leaders to proactively establish their own security frameworks and strategies.
Luke Dembosky, co-chair of the Presidential Task Force on Cybersecurity and a partner at Debevoise & Plimpton in the US, said that “it is more important than ever that senior executives and boards of directors engage directly in ensuring their organisations are managing cyber risks effectively”.
“The days of leaving that enormous responsibility to the IT team or to privacy compliance to handle are long over, as these are clearly whole-company risks to operations, data, and brands,” he said.
“We hope that this report is a useful guide to the range of issues involved and practical steps corporate leaders can take to carry out effective cyber oversight.”
This follows Medibank being hit with a $250 million penalty from the Australian Prudential Regulation Authority (APRA), and the insurer is currently facing at least five consumer and shareholder class actions, including two run by Baker McKenzie and Slater & Gordon, following its data breach in October 2022.
This came after Optus suffered a similar data breach, which was then met with a number of class actions from Maurice Blackburn in September of last year, a class action from Slater & Gordon filed in April this year and an investigation by the Office of the Australian Information Commissioner, announced in October.
Through its country-level case studies, the IBA report also highlights the widely varying cyber security practices across regions due to differences in regulatory capabilities.
Further, it acknowledges the shared accountability between senior management and boards of directors to tackle cyber security risks and provides 17 recommendations to both parties, including understanding the cyber risk profile of the organisation; ensuring the board and management have sufficient cyber security expertise; ensuring appropriate reporting lines so that cyber risks are raised to leadership; investing sufficient funds to meet cyber security goals; and being able to review, understand, and test the organisation’s cyber incident response plans.
Senior management also plays a crucial role in day-to-day operations, according to the report, which positions senior managers well to map cyber security risks and identify high-priority concerns. Senior leaders are also responsible for ensuring internal compliance and, as the primary reporters to the board, they can suggest timely analyses, assessments and updates, added Søren Skibsted, co-chair of the Presidential Task Force on Cybersecurity and a partner at Kromann Reumert in Denmark.
“The number, magnitude, sophistication, frequency and impact of cyber incidents are increasing. Today they represent one of the biggest challenges to the proper functioning of organisations and the successful embracement of digital transformation,” he said.
“Now more than ever, senior executives and boards of directors need to better understand the strategic essence of cyber resilience, and it is our hope that this guide will serve as a catalyst for senior executives and boards of directors to accept accountability for – and enable impactful actions with respect to – advancing their organisations’ overall cyber capabilities and resilience.”