This paper was written by Executive Director Brett Cowell for attendees at the Lifting Equipment Engineers Association “LiftEx Regional” conference in Sydney, May 2023. Brett also presented on this topic at the conference.
Cyber security and cyber resilience
Every day we hear stories of cyber attacks on organisations and the financial and reputational damage that follows. The number of cyber attacks on organisations across the spectrum, in both the public and private sectors, is increasing. In FY19/20, the Australian Cyber Security Centre responded to almost 6 cyber security reports per day. That number does not account for incidents that were reported to police or other organisations or that were not reported at all.[1] Check Point Research reported a 38% increase (2022 over 2021) in cyberattacks. The Australian Cyber Security Centre report for 21/22 stated the level of 76k attack reports in Australia – 1 every 7 minutes. For our organisations, it’s useful to think that its a case of not “if” but “when”.
Our companies can’t give up on prevention. That is as important as ever. But the threat landscape is becoming so broad and pervasive that experts are starting to say we need to emphasize resilience and recovery.
The direct financial impact on organisations resulting from cyber attacks is enormous. There is flow-on damage to customers, shareholders and to other stakeholders, particularly where personal information is hacked and misused. Think Medicare and Optus. Customers who entrust their often sensitive personal information to our companies have a legitimate expectation that we will do our best to protect that information from unauthorised disclosure or use.
In addition to direct financial damage resulting from lost and interrupted business, hacked organisations may also suffer enormous reputational damage.
Ransom attacks get most publicity and can be most damaging to the organisation and its customers but they are a small percentage of total cyber events. Denial of service attacks, website hacks, theft of information and “espionage” attacks are much more common.
With all our organisations being substantially and increasingly reliant upon cyber systems and having increasing volumes of stored data, the consequences of attacks are growing in severity and in damage caused. For the digital economy to grow in functionality and dependability, both our cyber security – prevention, protection, defence – and our cyber resilience – ability to defend against, mitigate the effects of and recover from cyber attacks - must also grow.
My comments will take into account the roles and responsibilities of directors and of senior managers but there is a degree of cross-over. The size of our companies for example may impact the division of roles as between directors and senior management.
For directors
Knowledge about cyber risks our companies face and measures for cyber security and resilience must form an important part of a board’s skills matrix. While particular skills may reside in one or more directors, all directors must have a level of knowledge. A parallel may be that while some directors may have particular, more advanced financial skills, all directors must have an adequate level of financial competency. So important to our organisations are our digital systems that being aware of these cyber matters is assuming a level of importance not much different in scale from our financial affairs.
Consumer and shareholder class actions have been filed against Medicare and Optus. Where companies are hacked, we expect that we will commence to see actions against their directors, based on allegations of breaches of directors’ duties.[2]
Directors have duties under the Corporations Act to:
exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person in that position would exercise (s 180); and
act in good faith, in the best interest of their corporation (s 181).
To make out the “business judgment rule” defence to a claim of a breach of s 180, directors will have to show that they properly informed themselves about the subject matter of the judgment and that they rationally believed the judgment was in the best interests of the corporation. We expect it will be hard for directors to make out that defence where a company has suffered damage as a result of inadequate cyber security and they have not properly informed themselves about and monitored their company’s cyber security and resilience posture.
It used to be that many directors, not being familiar or comfortable with IT matters, including cyber security requirements, thought that they could delegate responsibility for cyber security to their IT management staff. In our experience, that is still the case in many companies. As was found by Justice Middleton in the Centro case, “directors cannot substitute reliance upon the advice of management for their own attention and examination of an important matter that falls specifically within the board’s responsibilities.”
The Centro case related to the company’s financial accounts. But the criticality of IT systems and data to companies, the prevalence of cyber attacks and the predictability of the damage likely to flow from attacks are at such a level that directors cannot responsibility say that cyber security is not a board responsibility. Directors have to understand and take responsibility for cyber security. They must understand cyber resilience and how their organisations build and maintain it. We can expect to see an increase in legislated duties imposed on directors for the cyber security of their companies and the data they collect and the imposition of liability for breaches of those duties.
While it is generally accepted, particularly in larger companies, that directors acting in that capacity (as distinct from directors carrying out executive roles) should not get involved in day-to-day management of the company, it will not be sufficient for directors to say that cyber security and cyber resilience considerations are all operational matters and do not fall within their area of responsibility. Amongst other things, in making decisions about a company’s risk appetite (see below), directors will have to have a sufficient understanding of cyber resilience issues in order to make informed decisions about the level of risk their company faces, the strategies and actions (at least in overview) that the company should take to build cyber resilience and the impact that various levels of cyber intrusion are likely to have on the company. As directors, we have to understand the key issues that will or may impact our business. We have to be and continue to be informed about matters that have the potential to negatively impact the ability of our company to achieve its strategic aims and business objectives. A serious cyber intrusion has that serious negative potential. We expect that to make out the business judgment rule defence, directors will need to be able to show at a minimum, they have taken steps to build a reasonable level of awareness of risks and prevention and mitigation measures that the company should be and is taking so as to make objectively reasonable business judgments.[1]
Particularly in larger companies where there is differentiation between the roles of directors and senior management, companies should clearly document who has what responsibilities for the range of aspects that will make up their company’s cyber measures and programs. Where responsibilities sit with management, there must be regular, structured reporting to the board in terminology that is intelligible to directors. Directors must ensure that this reporting occurs so that they can fulfill their governance oversight obligations. Directors don’t have to understand measures in technical detail (though some director(s) should) but we need to have a good understanding of those measures and to understand the likely impact on our business if they don’t operate to exclude an attack. On the directors’ agenda should be regular updates on the threat landscape, developments in the measures our company is implementing, team awareness and training protocols, reports on system tests and incidents that may have occurred.
Amongst other things, directors should know:
what systems the company is operating, including any legacy systems still connected but maybe not being maintained;
what data the company is collecting, maintaining and using and how and where data is stored and dealt with in transit and what is the company’s deletion policy;
who has supervisor and other access rights to the company’s systems and what access and authentication terms and protocols are in place and how are they enforced, reviewed and managed.
what policies and procedures do we have in place to address cyber risks posed by our remote workers and third party suppliers having access to our systems.
who within the organisation is responsible in an operational sense for the digital systems, data and cyber security and whether those responsible are performing the operations and steps that need to be taken to ensure (as much as reasonably possible) or promote cyber security;
the type of cyber risks relevant to the company both generally and specifically and the company’s vulnerabilities. How would different types of cyber attack be likely to affect the company, its shareholders, customers and other stakeholders;
what measures we have in place to protect our system including to detect in real time any unusual or anomalous activity in our system. What mitigation and risk management strategies does the company have and are they adequate in the circumstances. Who is monitoring these measures[2];
the process for rigorous reporting to the board – the frequency, content and adequacy of reports and what threats are faced by the company and whether there have been penetration attempts or successful penetrations and what were the responses and consequences. This reporting strategy may well involve input from external experts;
in the event that the company must respond to an incident, that will require (potentially a lot of) time. Will directors and other personnel be available?
what public relations and shareholder and stakeholder communications processes are in place, who is responsible for implementing and reviewing those processes and with what frequency and how are the processes communicated to company personnel.
As directors, we have to be concerned with the cyber security and resilience of our own company. But we also have to be very conscious that by reason of our own flaws, we don’t become the vendor or supplier that let the hackers into our (big) customer (Latitude, Target US).
Increasingly, we are seeing in tender documents and requests for proposals, questions directly requiring information from tenderers about their cyber security and resilience measures, including data collection, storage and protection. It is not surprising that companies are asking these questions of their suppliers and potential suppliers. A significant number of system penetrations come via third party suppliers, including software-as-a-service providers and data storage or hosting organisations that have online access to a company’s systems where the third parties do not themselves have adequate security. In the US, Target Corporation lost 110m customer credit card and personal data records after hackers gained access via Target’s HVAC vendor. The identity of the HVAC supplier was apparently located via a Google search. Hackers sent that supplier’s personnel a phishing email that contained the Citadel password stealing malware. Someone clicked on a link and that gave the hackers the ability to access Target’s system. Breaches may also come via exploiting vulnerabilities in third party apps running on the target’s system.
The move to working from home during the Covid pandemic led to a major increase in personnel accessing our corporate IT systems via their personal computers or other devices. The level of control companies had over remote worker system safety and good user practices was dramatically attenuated. Our companies have to implement policies and procedures to establish, manage and monitor as strong as possible cyber security measures implemented by and for our remote workers.
We recommend that directors seek advice from experienced insurance brokers about the types of insurance cover available to address ransom attacks, business interruption and recovery, third party claims and class actions and the terms of policies. I am not sure that there are yet “standard terms” in our insurance market. Directors should anticipate that an underwriter will ask a lot of questions about the company’s cyber security and resilience posture and may well require an external expert test and report on the company’s systems and measures. We also need to very carefully read the “fine print” in policy documents. Failure to strictly comply with the many security procedure requirements often written into policies may have the effect of voiding cover.
For senior management
Particularly in companies where there is a distinction between the roles of directors, especially non-executive directors and senior managers, the following are some of the responsibilities that management should have.
Responsibility for implementation of cyber security measures and response and recovery plans, potentially working with external experts.
Put in place, regularly review/update and practice cyber breach response plans and data/disaster recovery plans.
Undertake regular audit and test processes to assess the organisation’s security status and measures. Independent expert assistance is likely to be valuable. The audit process should involve “white hat” penetration testing of system cyber security.
Put in place a notifiable data breach policy and communications flow plan.
Conduct awareness and compliance (dummy) tests with staff.
Keep boards fully informed. Know what they need, anticipate.
Work up a risk matrix and share it with the board. We expect that in many cases, the likelihood of a cyber attack should be shown as medium or high, with the impact of a successful attack shown as high to extreme.[5]
Understand and ensure compliance with privacy regimes, including data collection consents and know what data is collected, where it is held or transitioned and what it is used for.
If there is an incident, can you or your advisors quickly identify the incident is occurring/has occurred, how the intruder gained access, what information the intruder got and what the impact on the business, customers or others is likely to be?
Recovery is likely to be slow, stressful and expensive (money, reputation, damage caused to customers etc). Have you undertaken scenario planning?
If/after you have an incident, analyze cybersecurity measures and how the response plan held up and can be improved.
APPENDIX
Comments on directors duties
Despite all reasonable preventative and responsive efforts, regrettably, organisations will continue to suffer cyber attacks. If a company suffers an attack that results in loss or damage to the company, shareholders and/or third parties (eg third parties whose personal information the company held has been hacked), directors will want to be able to demonstrate that they had taken all reasonable steps to address the cyber security measures mentioned above and generally have discharged their duty of care and diligence in relation to the company’s cyber security.
Directors will be taken to have satisfied their care and diligence obligations under section 180(1) of the Corporations Act if in accordance with section 180(2), they made a business judgement:
that was made in good faith for a proper purpose;
in which they did not have a material personal interest;
having informed themselves about the matter to the extent they reasonably believed (viewed objectively) was appropriate; and
they rationally believed was in the best interests of the corporation.
The terms of the judgment of Austin J in ASIC v Rich[6] indicate that a board not taking action with respect to a corporation’s cyber security posture may not be excused under the business judgement rule. Austin J’s judgment suggests that section 180(2) cannot be used to exclude
directors failing to carry out their statutory duties. Rather, the rule can be applied in respect of “any decision to take or not take action in respect of a matter relevant to the business of the corporation.”[7].
In the well known 2014 US case of Palkon v Holmes, a shareholder, Palkon, brought a third party derivative action against Wyndham Worldwide Corporation as a result of hackers accessing the personal and financial information of over 600,000 customers of the WWC Hotel and Resort chain. The WWC directors had declined to bring proceedings on behalf of the company against staff and directors following 3 breaches of WWC’s online networks between April 2008 and January 2010. The derivative action application failed, in part because of Delaware law, where the company was incorporated. WWC was also prosecuted by the Federal Trade Commission. Relevantly, it was found that the board’s refusal to bring an action was justified on the basis of a good faith exercise of business judgement by the board after it had properly investigated and considered the matter. In considering the appropriate business judgement test, the court had regard to the fact that the board had applied itself to the data breaches and had met their duty of care and diligence. The board’s audit committee had considered the attacks 16 times and the board had considered the attacks at 14 meetings. The board had reviewed WWC’s security policies and proposed enhancements to data security with the assistance of a technology firm appointed to investigate the breaches. WWC’s legal counsel made quarterly presentations to the board after the breaches had occurred and in relation to the Federal Trade Commission’s investigation about whether WWC had misled investors in the market. The board had thorough minutes of its deliberations and decisions. While the US statement of the business judgement rule is somewhat different from the Australian statement of the rule, these matters were relevant and instructive as to whether the board had exercised its business judgement properly in deciding not to take action against certain of its directors and personnel.
Data protection and the Privacy Act
Organisations that have annual turnover of more than $3 million and some small businesses with annual turnover of $3 million or less, have responsibilities under the Privacy Act 1988 (Cth), including responsibilities under the Notifiable Data Breaches scheme.[8] An organisation subject to the Privacy Act that has a data breach likely to result in serious harm to individuals whose personal information is involved, must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC). If the organisation suspects an eligible data breach may have occurred, it cannot ignore that breach. It must undertake a fast, reasonable assessment to assess whether there has been a notifiable breach. The Commissioner has a range of enforcement powers against an organisation that does not comply with the Notifiable Data Breaches scheme.
OAIC has published The Data Breach Notification Guide: A Guide to Handling Personal Information Security Breaches.
Businesses subject to the Privacy Act must ensure that they are protecting the personal information they hold. The protection standard set by the Australian Privacy Principles is that businesses must ‘take such steps as are reasonable in the circumstances’ to protect personal information. This is not a prescriptive standard, but one that changes character depending on the information held, the resources of the business holding it and standard industry practices. When engaging third parties to store or process personal information, this obligation is frequently satisfied through contracts or data protection agreements. When sending personal information overseas (which includes data stored on a server located overseas) or to a third party, consent from the personal information owner may be required and businesses should ensure they have mechanisms in place that:
requires the third party to use a mix of organisational, technical and physical data protection measures;
impose strict restrictions on what the third party can do with the personal information or how it should be handled;
require the third party to report any unauthorised access or use of personal information; and
allow the business to audit the practices of the third party and (if required) issue directions on data practices.
Failure to ensure data is protected once being passed to third parties can see businesses held liable for the actions of those third parties. If the personal information is also being provided to international third parties, businesses must ensure that their privacy policies reflect such practices.
[1] Australia’s Cyber Security Strategy 2020 p10.
[2] There is also a proposal that the Australian Privacy Act 1988 be amended to give to individuals a direct right of action for breaches of the Australian Privacy Principles.
[3] See the appendix for further comments about directors duties and about data protection.
[4] A high percentage of system penetrations come through lack of cyber awareness or poor practices on the part of employees – not applying supplier patches; clicking on bad attachments or bad links in emails; visiting websites that download malware etc; systems that have inadequate or out of date security settings or vulnerabilities; a lack of password hygiene (poor security, easy-to-hack or irregularly changed passwords).
The following measures are key general steps in prevention: maintaining up-to-date anti-virus, anti-malware and anti-spyware software; installing and maintaining real-time “anomalous behaviour” monitoring software; promptly installing supplier patches and keeping operating systems, apps and browsers up to date; ensuring latent (no longer used/out of date) systems are properly and fully decommissioned; ensuring that strong password protocols are adopted; having controlled and limited access rights and particularly administrators’ rights; having regular, thorough back-ups as part of a strong disaster recovery plan; training personnel in cyber security awareness and avoidance measures. See also the 2020 ACSC Strategies to Mitigate Cyber Security Incidents – Essential Eight Explained.
[5] For listed entities, the ASX Corporate Governance Principles and Recommendations (4th Edition) provides at recommendation 7.2 that a board or board committee should monitor the adequacy of the company’s risk management framework and ensure that the company is operating with due regard to the risk appetite set by the board. The recommendation expressly mentions digital disruption and cyber risks. The recommendation begs the question of what is the board’s risk appetite? Most companies won’t be able to invest millions of dollars in cyber resilience steps but having regard to the damage flowing from a significant attack, most boards will set risk appetite at “very low”.
[6] [2009] NSWSC 1229
[7] Refer to Ford, Austin and Ramsay’s Principles of Corporation Law 16th Edn 2015 pp 506-507
[8] As at the date of this paper, substantial amendments to the Privacy Act are under consideration by the Federal Government. If enacted, these will include an expanded definition of “personal information”, the phasing out of the small business exemption, stricter consent and collection requirements, increased privacy rights and enforcement powers and the introduction of a statutory tort for privacy and a right of direct action by affected parties.