An update on the latest cyber issues facing public and private sector organisations, from responding to the increased risk of ransomware attacks to trends in negotiating security clauses in government and private sector contracts.
As technology develops, so do the methods of obtaining data illegally, and with them the laws, regulations and contractual protections that try to keep pace with the rapidly evolving area of cyber law.
Partners in our cyber law team – Caroline Atkins, Sonia Sharma and Brendan Tomlinson – each cover one of these issues below: actively managing a cybersecurity program, data security provisions in government ICT contracts, and negotiating security provisions in technology deals.
This article provides you with practical guidance and checklists so your organisation can evaluate how it is tracking and what steps it may need to be taking to be better equipped to deal with these crucial cyber law issues and emerging trends in the market.
We have also summarised, in a separate article, the Commonwealth Government's Ransomware Action Plan, which contains a commitment to a new mandatory reporting regime in response to the sharp increase in ransomware attacks.
Are you actively managing your cybersecurity plan or did you ‘set and forget’?
Sonia Sharma, Partner, Sydney
It’s been more than three years since the Commonwealth Government introduced its mandatory reporting regime for data breaches. Only last week the Government announced plans for a mandatory reporting regime for ransomware attacks following the significant rise in these incidents.
This space is constantly evolving, and entities cannot take a ‘set and forget’ approach to their privacy and cyber security posture. Everyone from frontline staff to the Board has a role to play, and entities need to move from a reactive approach to a proactive and resilient one when dealing with privacy issues and cyber security threats.
This means a clear privacy and cyber framework, clear roles and responsibilities and regular training and education of staff through to the Board.
To help you with this, we have produced the following cybersecurity checklist.
Your cybersecurity checklist
We regularly advise clients on how they can implement and manage a proactive cybersecurity program. We have condensed this advice to the following checklist of questions you need to be asking within your organisation.
- Is cybersecurity a Board concern? ASIC makes it clear, given the magnitude and prominence of cyber risk for most organisations, that informed oversight of risk involves the Board being satisfied cyber risks are adequately addressed by the risk management framework of the organisation.
- Is your data breach response plan regularly reviewed and kept up to date for the latest market and regulatory developments such as the increased prevalence of ransomware attacks and new legislative obligations?
- Do you have a privacy management plan to embed a culture of privacy, establish robust and effective privacy practice, implement procedures and systems, evaluate what you are doing and enhance your response?
- Do you have appointed privacy and cyber champions within the business? These issues are a whole of business concern and not merely the responsibility of IT or legal.
- Do you provide regular training and education which is ‘fit for purpose’ at all levels, from front line staff (such as simulated phishing campaigns) to the executive and the Board (e.g. running table top and hypothetical breach scenarios)?
- How do you monitor and stay on top of the latest developments and trends?
- When was the last time you conducted a data mapping exercise to understand the data you hold and the systems used?
Data security provisions in ICT contracts for government
Caroline Atkins, Partner, Canberra
Knowing the security protections, and in particular the data security protections, that ICT vendors apply is paramount to government agencies being able to reassure their stakeholders and the general public that their data is safe.
The whole ICT industry, both buyers and sellers, is increasingly focused on achieving robust security safeguards. Security is now a core focus of best practice procurement processes, and we all need to know how to build the best possible contract protections for security risks. Doing so effectively is an ‘art form’, requiring a combination of deep security knowledge, investigation of individual vendor security approaches, contract drafting ability and excellence in negotiation skills.
Security, for Commonwealth agencies wishing to procure ICT products and services, is a minefield of law and policy, comprising a mixture of legislative data and security controls, security guidance policies, identity management tools and frameworks, and data hosting policy requirements.
Here are some current tips to help you navigate this complex web for your ICT procurements.
Tips for your next ICT procurement
- Investigate vendor representations about security and also publicly available information about security incidents they have had to deal with.
- Utilise and incorporate security policy requirements. For example, make sure your contracts incorporate obligations which reflect the Commonwealth’s Data Hosting Strategy and the Data Certification Framework, rather than merely referring to them.
- Specify data access restrictions as well as specifying data storage locations.
- Rather than seeking a security guarantee, look for the best possible security mitigations.
- Require proactive and not reactive reporting on security threats.
- Request and review information about vendor supply chains.
- Build security requirements into your business functional requirements, and don’t leave them to be an add-on.
- Make sure the product price includes the best possible security features.
- Read available security review reports about vendors and their products, and make sure your contract implements any recommendations from the reviewers.
- Make sure your contract governance, reporting and review processes actively cover security matters.
- Be creative and build remedies that motivate the highest possible security standards.
- Provide for access to vendor data backups. Most vendors publicly reassure customers about their backup capabilities, so hold them to that in the contract.
No one can guarantee that a cyber attack won’t occur, or that an attack won’t be successful. But don’t take ‘no’ for an answer on the above – look for ways to reflect these requirements that work for your circumstances.
Good ICT vendors have robust and strong security practices and procedures. But vendors are increasingly risk averse in accepting contract obligations relating to security.
Customers can exercise a degree of control over what matters to them, including their data, but they cannot control the quality of security a vendor applies to its own products and services. Customer contracts therefore need to include modern security protections.
What you need to avoid
- Relying only on references to vendor security policies, which may not contain any contractually enforceable security obligations.
- Allowing vendors unilateral rights to vary their security policies, unless you can impose limits on those rights (e.g. no material degradation in security) and/or negotiate remedies such as early termination rights.
- Accepting that vendors cannot implement your specific security requirements – it might cost a bit more, but vendors are now showing they can be more flexible if needed.
- Allowing vendor security policies to override the contract.
Assisting customers and suppliers to negotiate security provisions in technology deals
Brendan Tomlinson, Partner, Sydney
We have seen an increasing focus on security obligations and related liability positions, to the point where these are often the most critical issues in ICT contract negotiations and a key part of any tech procurement. (Anyone else remember the old days when privacy provisions were seen as ‘boilerplate’ and security provisions were largely left to the techies?)
While many organisations have robust template contracts, in practice the specifics of the arrangement (e.g. the type of data involved, the data flows, and whether the solution is on-premises or cloud-based) need to be carefully considered and will drive the negotiation. Large organisations are increasingly aware that suppliers (and their subcontractors) can be targeted as potentially the weakest link in their security arrangements. As technology best practices and cyber threats continue to evolve, these organisations are requiring a much deeper, ongoing involvement in their supply chain’s security arrangements.
Observations and tips
Observation: We regularly see a ‘battle of the policies’, with customers requiring a suite of detailed technical measures regarding the supplier’s solution, technical and physical security, personnel and practices; and with suppliers arguing their own policies are sufficient.
Observation: Customers’ requirements have become more prescriptive over time. For example, they are increasingly requiring detailed, step-by-step and iterative obligations around security incidents.
Observation: We have seen a renewed focus in negotiations on confidentiality provisions (which again, had been seen as ‘boilerplate’), given these are so intertwined with security obligations and risk allocation.
Tip: Where banks and other APRA-regulated entities are involved, prudential standards such as CPS 234 need to be considered and addressed.
Tip: Security should be seen as a Board issue, and indeed, for financial institutions, CPS 234 specifies this is the case.
Observation: Customers are increasingly requiring suppliers to have cyber insurance policies in place.
Tip: Most ICT contracts we see require suppliers to notify the customer of suspected or actual data breaches or incidents, but it is also important to ensure suppliers are obliged to continuously monitor for attacks. (There are plenty of examples where breaches have not been discovered until well after the first intrusion.)
Tip: Organisations should review older contracts in case they need to be amended to improve security protections and address requirements to notify data breaches to the OAIC, affected individuals and, in the case of financial institutions, APRA.