Introduction: Australia’s current technological landscape.
Australia’s technological landscape is ever evolving. Across sectors, digital technologies are constantly shifting business rules by facilitating new business models. Technology has not only been fundamental in assisting corporations in reducing cost and increasing productivity, digitalisation has substantially changed the business landscape promising increased opportunity and innovation. However, with this new opportunity comes new risks, particularly cyber risk and the risk of breach of privacy.
What is Cyber Risk?
Cyber risk is any risk relating to financial loss, disruption or damage to an organisation’s reputation due to some type of failure of its information technology systems either in the form of technical infrastructure networks or the use of technology inside an organisation.1 This also encompasses risks connected to personal data storage. On conservative estimates, cybercrime currently costs Australians upwards of $1 billion per year.2 The instruments of cybercrime are many and varied and include:
- credential-harvesting malware;
- social engineering; and
- spear phishing
Ransomware persists to be a threat to both Australia’s and the world’s current technological landscape. Ransomware is a program that is implanted in an organisation’s computer system and effectively encrypts or blocks access to a corporation’s data.3 Cybercriminals then typically demand a ransom payment via cryptocurrency (a digital currency where encryption techniques are utilised to regulate the generation of currency units) or bitcoin to restore data access.4 Moreover, even if an organisation pays the ransom, there is no assurance that their data will be unlocked.5 Ransomware is a growing threat to both individuals and corporations in Australia and globally, particularly when ransomware kits are becoming increasingly obtainable on the darknet.6 Supporting this, Dimension Data has found that ransomware attacks globally increased by 350% in 2017 over the previous year.7
Credential harvesting malware refers to the stealing of legitimate credentials such as login details and passwords to gain access to target an organisation’s systems for unlawful or malevolent objectives.8 This form of malware poses a growing risk to Australian network systems, particularly the financial sector. 9 The Australian Cyber Security Centre (ACSC) has observed a recent change in cybercriminals targeting activities, particularly the development of expertise and malware to target Australia.10
Social engineering occurs when cybercriminals seize private and confidential information from companies by impersonating representatives of legitimate organisations, for example, the company’s bank.11 Cybercriminals will characteristically make these information requests using an email that contains official letterhead to give a sense of legitimacy or by bogus phone calls.12 Social media has developed an ideal platform for cybercriminals to acquire personal information to target victims.13 Cybercriminals are able to research businesses, use fake social media accounts, and compromise legitimate accounts, allowing them to impersonate business and government officials.14 The use of social engineering is particularly prominent in business email compromise that targets businesses for financial gain. 15
Spear phishing is a form of phishing where fraudulent emails target particular organisations to obtain access to confidential information.16 Cyber criminals typically utilise techniques like email filters and antivirus, with the objective of tricking a targeted victim into opening an email containing a malicious link, file attachment or clicking on a malicious embedded link.17 Spear phishing emails continue to be a regular exploitation technique utilised to compromise Australian industry networks.18 Cybercriminals are targeting industry employees to obtain access to corporate networks and individuals with a great amount of personal or corporate information that is available online.19
An important question for directors: How cyber resilient is your organisation?20
Cyber resilience is an organisation’s ability to resist or swiftly recover from cyber events that interrupt usual business operations.21 The ability to recognise and manage risk, and in this context cyber risk and risk of privacy breach, is embedded within the role of an organisation’s board of directors and senior management.22 To empower boards to do this, organisations must have an appropriate framework to identify and manage risk on a continuing basis.23 Organisations must ensure they have implemented suitable safeguards against malicious cyber activities and that recovery capabilities in response to cybercrime and breach of privacy are adequate.24
Consequences of cyber attacks
If organisations and their directors fail to implement appropriate safeguards so that their organisation can swiftly recover from cyber-attacks, the consequences of cyber-attacks include but are not limited to:
- Loss of important or confidential data;
- Loss of customers due to data breach;
- Loss of an organisation’s reputation due to negative media attention;
- Loss of share value;
- Business interruption; and
- Possibly, regulatory fines
When can a director be liable?
Generally, directors have a fiduciary duty and a civil obligation to exercise due care and diligence. More specifically, pursuant to s180(1) of the Corporations Act 2001 (Cth), ‘a director or other officer of a corporation must exercise their powers and discharge their duties’ with a degree of care and diligence. The degree of care and diligence is that what ‘a reasonable person would exercise if they were a director or officer of a corporation in the corporation’s circumstances’25. In the event that a director neglects to exercise due care and diligence in recognising and managing cyber risk and risk of breach of privacy, by adopting safeguards to protect an organisation from these risk, they may be liable.
Moreover, a director may be liable for a privacy breach if they aid, abet, counsel or procure, or induce by threats, promises or otherwise, or be in any way, directly or indirectly, knowingly concerned in or are a party to, or conspire with others to occasion serious or recurrent privacy breaches.26 This is pursuant to s 80V of the Privacy Act 1988 (Cth). There are civil penalties associated with a contravention of the Privacy Act 1988 (Cth).
Cyber risk and breach of privacy isn’t novel, but the stakes grow greater every day. An incident is no longer likely to be a single event but can have significant repercussions given the increasing interconnectedness of the digital Century. As an organisation, knowing the risks and how to manage them is more important now than ever, given the current digitalisation of Australia and the world.