Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high profile Census debacle.
But cyber security requires more than talk; it demands action. Organisations that identify and map their risk profile, and then take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better placed to reap competitive rewards.
By demonstrating a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in constant flux, and organisations need to review and refresh their approach regularly.
The global threat environment
There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked it can bring corporations and countries to their knees.
According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has for the second year declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.
China has also stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft cyber security law.
In Australia the Prime Minister has assessed the economic impact of cyber-crime at somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.
Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.
A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.
Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threat have been identified, and Symantec data suggests there are as many as 30 different threat types.
These variables in combination make it difficult, if not impossible, to prevent every attack. Prof Austin's warning is stark: "The criminals are always ahead of you or I...the bad news is that governments are well behind criminals and corporates."
While he acknowledges that the chance of a serious cyber-attack on any one corporation or entity is quite low, in the handful of cases where an attack does land, the probability of severe consequences is extremely high. Low-probability, high-impact events are, he says, what organisations need to prepare for.
Legal influences on the cyber risk landscape
Legislation and regulation often lag technology, and this is particularly evident in cyber security, where nations continually play catch-up.
Enterprises operating internationally must navigate a global legal landscape in constant flux, and establish strategies for managing security and data that comply with regulations locally and regionally.
This is particularly challenging for companies migrating information systems to the cloud. While cloud computing services may bring scale, cost and flexibility benefits, it is essential to review contracts for how data will be treated (where it is stored, who can access it, and what happens on breach or termination) and to identify any potential security gaps.
At DLA Piper we have developed CyberTrak, to track legislative changes regionally. Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries they operate, or tackle the issue country by country.
Neither is ideal: the cost of meeting high-watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications; witness the company sued for HK$1.5 million over a consumer's "hurt feelings" arising from the unauthorised exposure of their data.
Cyber rules around the region
Australia: the arrival of a new Privacy Amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
China: racing ahead in terms of regulation, with a draft Security Law that will have significant implications for international companies operating in the PRC.
Hong Kong: specific and stringent security requirements; there are no data breach notification rules yet, but these are expected within 12-18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.
Singapore: legislation in place for over two years; more meaningful enforcement is anticipated, and regulations are expected to evolve, particularly for foreign enterprises.
Japan: a mix of regulations affecting various industries, but a strong culture of compliance; the level of formal enforcement is low because fear of reputational damage drives compliance.
South Korea: a long tradition of privacy and security law, and robust enforcement with serious consequences for enterprises.
Thailand: some constitutional requirements, but no breach notification.
Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders, or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing, and employee education along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud) and also reference the technologies, policies and procedures in place to protect that data, should also then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.
Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."
In the event of a breach...
1. Refer to the data breach response plan
2. Call lawyers to preserve privilege
3. Involve communications and PR team
4. Alert insurers to the breach
5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments
6. Engage incident response team to analyse breach and remediate
Access DLA Piper's cyber incident/data breach response: Your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist/
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies, such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes so that staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment toward cyber risk insurance for the residual risk that controls cannot economically remove.
Tim Fitzgerald, chief security officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will be affected by the scale of its data collection, its reliance on cloud computing services, its deployment of Internet of Things devices, and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment, analyse the data stores they hold, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that should a cyber-attack occur the organisation and its staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are reflected.
In addition, any personnel with responsibilities under the plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur (forensics, legal, communications), so that engagement contracts can be negotiated well in advance rather than under pressure during an incident.
Organisations attacked once are three times more likely to be attacked again. - Symantec
45x more cyber ransom events year on year. - Symantec
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack, and promulgated policies on how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation can negotiate appropriate and cost-effective cyber insurance.
By analysing the potential impact of an attack on its financial statements, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of the data assets they hold and the impact of a cyber-attack in terms of business interruption, and on supply chains, SCADA and other industrial control systems, reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in every geography in which they operate. International experience shows that mandated breach notification brings significant costs for legal services, regulator notification, customer notification, forensics, remediation and, potentially, compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, has them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
To analyse the risk profile properly, Kalinich advocates risk quantification modelling in combination with Monte Carlo simulation: rather than a single-point estimate, the organisation models how often incidents occur and how severe each is, runs many simulated years, and reads off the expected annual loss and the tail (worst-case) loss it must either retain or transfer. The resulting macro-level understanding allows the organisation to work with an insurance broker to craft appropriate coverage.
Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential, punitive and incidental costs are excluded from base policies, as is tangible property damage, but these can be negotiated into a customised policy.
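The following is a minimal, self-contained version of the quantification described above, added here as an illustration; it is not Aon's model and not code from the article. It assumes incident frequency is Poisson-distributed and per-incident severity is lognormal (common shapes for operational-loss modelling), and the parameters, retention and limit are made-up numbers. It simulates many years, then applies a policy with a retention (deductible) and an aggregate limit to show how much of the expected and tail loss is transferred and how often the limit would be exhausted.

```python
"""Monte Carlo cyber loss model. Added illustration: distribution shapes,
parameters and policy terms below are assumptions, not figures from any
insurer or from the article."""
import math
import random
import statistics


def poisson(rng, lam):
    """Poisson(lam) draw via Knuth's method: count uniform draws until
    their running product drops below e^-lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(n_years, freq_lambda, sev_median, sev_sigma, seed=2016):
    """Return a list of total gross loss per simulated year.

    Frequency: Poisson(freq_lambda) incidents per year (assumed shape).
    Severity: lognormal with the given median (currency units) and
    log-scale sigma per incident (assumed shape). Seeded for reproducibility.
    """
    rng = random.Random(seed)
    mu = math.log(sev_median)  # lognormal median == exp(mu)
    years = []
    for _ in range(n_years):
        incidents = poisson(rng, freq_lambda)
        years.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(incidents)))
    return years


def percentile(values, q):
    """Empirical q-quantile (0 < q <= 1) using the nearest-rank method."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def apply_policy(gross, retention, limit):
    """Split one year's gross loss into (retained, insured) under a policy
    with a retention (deductible) and an aggregate limit. Losses above
    retention + limit fall back on the insured."""
    insured = min(max(gross - retention, 0.0), limit)
    return gross - insured, insured


def coverage_summary(years, retention, limit, tail_q=0.95):
    """Expected and tail loss before and after the policy, plus how often
    the aggregate limit would be exhausted."""
    retained = [apply_policy(g, retention, limit)[0] for g in years]
    return {
        "expected_gross": statistics.mean(years),
        "gross_tail": percentile(years, tail_q),
        "expected_retained": statistics.mean(retained),
        "retained_tail": percentile(retained, tail_q),
        "prob_limit_exhausted": sum(1 for g in years if g > retention + limit) / len(years),
    }


if __name__ == "__main__":
    # Hypothetical inputs: 1.5 incidents/year, median incident $250k,
    # heavy-tailed severity; policy with $100k retention and $2M limit.
    sims = simulate_annual_losses(20_000, freq_lambda=1.5, sev_median=250_000, sev_sigma=1.2)
    for key, value in coverage_summary(sims, retention=100_000, limit=2_000_000).items():
        print(f"{key:>22}: {value:,.2f}")
```

The useful outputs are the gap between `gross_tail` and `retained_tail` (how much of the worst-case year the policy actually absorbs) and `prob_limit_exhausted`; if the latter is not negligible at the chosen limit, the limit is too low for the modelled exposure, which is exactly the conversation to have with the broker. Swapping in the organisation's own incident history for the assumed parameters is the first refinement.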
Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement; risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress-test a cyber insurance policy to ensure it effectively reduces enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
- What can go wrong?
- How bad can it be?
- How am I protected?
- Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, the chief information security officer, the head of risk management and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and the board. Effective security requires a whole-of-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware" which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extraterritorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. A robust and comprehensive security framework, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.