CYBER RISK
2017

04 Introduction
06 Methodology
07 Key findings
08 Finding One: Growing concern over cyber risk
12 Finding Two: Cyber risk and the supply chain
16 Finding Three: Cyber security is not an IT issue
20 Finding Four: The changing privacy landscape
24 Finding Five: Cyber insurance is on the rise
27 How we can help
28 Contacts
[...] cost the world in excess of $6 trillion annually

[...] National Convention and consequent email leaks.

A US$81 million cyber heist involving an attack against global financial messaging system SWIFT.

Large data thefts from social media networks, including Tumblr (65 million accounts), LinkedIn (117 million accounts), AdultFriendFinder.com (339 million accounts), Myspace (427 million accounts) and Yahoo (500 million accounts).

The attack against Panamanian law firm Mossack Fonseca, which resulted in the theft of more than 11 million [...] and individuals (including a number of world leaders).

Distributed denial of service (DDoS) attacks against security researcher Brian Krebs, French media company OVH, the Rio Olympics online presence, the Australian Bureau of Statistics eCensus website, and domain name server company Dyn. The attack against Dyn was particularly devastating, disrupting internet connectivity for around 70 companies, including giants like Twitter, Spotify, Paypal, Airbnb and Reddit.
three: Cyber security is still (wrongly) seen as being primarily an IT issue

four: The privacy landscape is changing – both in Australia and overseas

five: The increasing uptake of cyber insurance indicates some willingness to act on managing cyber risk
Our survey results show that, although organisations are aware of the ever increasing cyber security threat, many are still not taking appropriate steps to properly understand the extent of their exposure, and to implement necessary practical measures to mitigate cyber risk and improve their cyber resilience.

In 2015, just over 40% of our CIO survey respondents considered they had a very good understanding of their organisations’ exposure to cyber incidents. However, in 2016, only 10% indicated they had a very good understanding, while more than 20% considered they had a poor understanding.

Our results also indicate there has been little change in the practical actions that organisations are taking in order to address cyber risk.

In our Board survey, 44% of organisations responded that the Board is only briefed on cyber security issues annually or on an ad hoc basis, while 13% of organisations said that the Board received no briefings at all.10

In our CIO survey:

Just over half of respondents indicated their organisations had increased their expenditure on IT security over the previous 12 months (similar to 2015).

Less than 20% indicated they regularly assess their customers’ cyber risk profile (largely unchanged from 2015).

About 47% indicated that they do not regularly audit their suppliers’ IT security practices (largely unchanged from 2015).

Over 40% indicated their organisation does not have a data breach response plan (up from 27% in 2015).

Only 8% of respondents conduct regular internal staff training on IT security issues more frequently than annually (only marginally improved from 2015).

And for those organisations that do have a data breach response plan, nearly 44% reported they do not regularly test that plan (at least annually).

42% do not have a data breach response plan (up from 27% in 2015)
“[We need to] provide additional resources and budgets to strengthen our cyber security.”

[...] about reviewing and testing their own cyber resilience (and the cyber resilience of their suppliers)

[...] suppliers’ IT security practices (largely unchanged from 2015).

“[We need] independent review of cyber protection for adequacy.”
Other examples of data breaches occurring because of third party suppliers include:

• Cogent Healthcare’s 2013 data breach, where a medical transcription vendor’s security lapse resulted in the data of 32,000 patients being inadvertently published on a publicly exposed server.

• US Home Depot’s 2014 data breach, where hackers used credentials stolen from a third party vendor to gain access to point of sale data and steal the details of 56 million payment card accounts.

• Vulnerabilities in the web-based platform of photo service vendor PNI Media, resulting in the theft, during 2014 and 2015, of the personal information of many thousands of Costco and CVS customers.

Yet, according to our CIO survey, only a third of organisations regularly audit their suppliers’ IT security practices, while more than 90% plan to deliver one or more of their IT functions via the cloud over the next 12 months.

Risk of legal and regulatory action

In addition to potentially significant financial and reputational consequences, organisations may face legal and regulatory action for failing to properly consider and manage supply chain risk. For example, under the accountability provisions in the Australian Privacy Act 1988, organisations that disclose personal information overseas are deemed to be responsible for the acts and practices of their overseas vendors in relation to that information (unless an exception applies).

Other legal and regulatory consequences, including breach of the Corporations Act 2001 (Cth) (Corporations Act), and under ‘long arm’ overseas legislation (such as the EU General Data Protection Regulation) are considered in Findings 3 and 4 of this report.

More than 90% plan to deliver one or more of their IT functions via the cloud over the next 12 months.
56% [...] an IT issue; IT departments principally responsible
Potential for legal exposure if directors don’t take appropriate action

In addition to the reputational harm to the organisation that may result from a cyber incident, there is the potential for substantial legal exposure (including personal liability on the part of directors and employees). This may include:

• Personal liability for directors for breach of their obligations under section 180 of the Corporations Act. This section requires directors to exercise their powers and discharge their duties with reasonable care and diligence. Given the widespread coverage of cyber incidents, particularly over the last five years, and public statements of Australian and overseas corporate regulators as to the proper approach to cyber risk, it seems apparent that directors must now consider cyber risk as part of their risk management activities, and implement appropriate strategies to mitigate it.

• Where the organisation has raised capital from investors through a public offer, personal liability for directors if cyber risk is not adequately disclosed in the relevant prospectus. If cyber risk is a significant factor for the organisation such that it would form part of the information that investors and their professional advisers would reasonably require to make an informed assessment of the organisation’s offer, the directors of that organisation may be personally liable (under section 729 of the Corporations Act) for loss or damage suffered by investors as a consequence of cyber security issues materialising, if cyber risk was inadequately disclosed.

• Derivative shareholder actions against directors where such an action can be shown (to the Federal Court) to be in the best interests of the company (under Part 2F.1 of the Corporations Act). No such action has, as yet, been brought in Australia in relation to a cyber incident. However, with the increase in shareholder activism and litigation-funder driven class actions against companies and directors (both in Australia and overseas), and the ever increasing volume and sensitivity of data being handled by organisations, a derivative action stemming from a large-scale data breach may only be a matter of time.

• Where the organisation is an ASX-listed entity, liability for breach of the continuous disclosure rules, which require an organisation to disclose matters that a reasonable person would expect to have a material effect on the price or value of the organisation’s shares16. Although the vast majority of data breaches are unlikely to reach this standard, it is conceivable that a particularly serious data breach (of the scale and severity of the Target or Sony Pictures breaches) would invoke these continuous reporting obligations.

• Liability of the organisation (and potentially its officers or employees) for claims of misleading or deceptive conduct under the Competition and Consumer Act 2010 (Cth), for example, as a result of failing to act in accordance with the organisation’s privacy policy. Although no such action has yet been brought in Australia, the US Federal Trade Commission has launched over 50 enforcement actions against organisations relating to cyber security under equivalent provisions of the US Federal Trade Commission Act17.

• Liability for breach of contract claims from suppliers or customers, for breach of specific obligations imposed on the organisation in relation to data security, the protection of personal information, and obligations of confidence (which may, in some cases, permit the termination of the contract by the affected customer or supplier).

• Responsibility for breaching APRA’s prudential standards relating to outsourcing for organisations regulated by APRA (banks, insurance companies and most members of the superannuation industry).

“A cyber-attack can affect us all. It can undermine businesses and impact our economy. It may also erode investor and financial consumer trust and confidence in the financial system and wider economy.”
The Australian Securities and Investments Commission (ASIC)6

“Effective board oversight of management’s efforts to address [cyber security] issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”
Luis Aguilar, Commissioner, US Securities and Exchange Commission (SEC)7
Boards must be cyber risk aware, and there are a number of steps they can take.

Adopt written cyber security policies, procedures and internal controls, including:

• Clearly setting out who in management has primary oversight of cyber security issues.

• Adopting and regularly reviewing the company’s data breach response plan.

• Maintaining a responsive approach to new threats or elevated threats against an agreed risk appetite.

• Receiving and reviewing regular reports on cyber security incidents.

• Supporting cyber awareness and training across the organisation.

Appoint a Board member who has cyber security expertise, or alternatively, appoint an independent expert who can present to the Board on cyber security issues.

Adopt a cyber ‘value-at-risk’ model that not only quantifies cyber risk in financial terms, but enables the Board to formulate strategies and controls in relation to cyber risk, to treat cyber resilience as a potential differentiator, and to track the organisation’s cyber maturity across time.

Review annual budgets for IT security and data protection expenditure (including for cyber insurance).

If the organisation is a listed company, comply with continuous disclosure obligations in relation to cyber incidents that may reasonably be expected to materially affect the price or value of the organisation’s shares.

If the organisation is seeking to raise capital from retail investors, clearly and concisely outline the cyber risks faced by the organisation in any prospectus or public offer document that is issued.

“[We need to] continue to educate our people that cyber security is an organisation wide issue, not an IT issue.”
[...] changing, both in Australia and overseas
[...] 2015). This will now happen.

[...] to suspect that there may have been an eligible data breach (and to take reasonable steps to complete that assessment within 30 days).

Unless an exemption applies, make the prescribed notifications to the OAIC (and, if practicable, to affected individuals) as soon as they are aware that there are reasonable grounds to believe that there has been an eligible data breach.

Other Australian privacy and data security requirements

The scheme will be in addition to all of the existing privacy and data security requirements imposed by Australian Commonwealth, State and Territory [...]

• [...] bodies under Part IIIA of the Privacy Act and the registered Credit Reporting Code in relation to the security of credit and credit eligibility information.

• The data security requirements imposed by the Privacy (Tax File Number) Rule 2015.

• Requirements imposed on telecommunications carriers and internet service providers under the Telecommunications (Interception and Access) Act 1979 (Cth) to maintain the confidentiality of the metadata that they are required to retain under that Act.

• Legislative requirements imposed on Commonwealth, State and Territory government agencies in relation to [...]

• [...] State and Territory health records laws.

• Contractual requirements imposed on organisations that collect and handle payment card information under the Payment Card Industry Data Security Standards (PCI DSS), which set out obligations to maintain the security of card information and respond when data breaches involve payment cards or cardholder data.

• Mandatory data breach notification requirements imposed on healthcare provider organisations, registered contracted service providers as well as registered repository and portal operators under the My Health Records Act 2012 (Cth).
In Finding 3 we discussed other legal risks to an organisation that may result from a cyber incident, including liability arising under Australian corporations and consumer protection legislation.

Overseas privacy and data security laws

In addition to Australian laws, organisations must be aware of overseas privacy and data protection laws that may apply to them, either because they do business in one or more overseas jurisdictions, or because ‘long arm’ overseas regulation may apply to their activities.

This includes mandatory data breach notification requirements in:

• 47 US States

• Alberta, Canada (with the whole of Canada expected to be subject to a mandatory Federal notification scheme by 2018)

• South Africa and South Korea.

Moreover, from April 2018, the European Union’s General Data Protection Regulation (GDPR) will come into effect. The GDPR:

• Mandates stringent data security and privacy protection standards.

• Operates extraterritorially in requiring non-EU organisations that offer goods or services online to data subjects in the EU, or who monitor the behaviour of EU data subjects that takes place in the EU, to adhere to those standards.

• Provides for the imposition of penalties for breaching the GDPR of up to €20 million or 4% of annual worldwide revenue, whichever is higher.

• Requires organisations (whether or not based in the EU) to provide EU data subjects with the ability to have their data deleted or modified, to request reasons for decisions, to object to automated decisions or profiling and to request manual intervention.

• Provides for mandatory data breach notification.

This GDPR has significant implications for organisational process change requirements, and is likely to impact many Australian organisations that hold the data of EU data subjects or that do business in the EU.

Some US commentators have expressed concern that the effect of mandatory data breach notification is increased class actions, triggered by harm caused by the breach. This may ultimately occur in Australia as notifications increase. Breach prevention, and failing that, swift and effective containment and notification to mitigate and redress harm, will be critical.
Our CIO survey results show that a rising proportion of organisations are electing to purchase specialist cyber insurance to help manage the risks associated with a cyber incident.

While five years ago cyber insurance was a niche product offered by only a small handful of insurers in the Australian market, most blue-chip Australian insurers now offer tailored policies covering cyber risk, privacy and data security losses.

In the past 12 months we have seen the continued evolution of cyber insurance offerings, from traditional policies focused on liability to third parties, to comprehensive hybrid products covering additional losses such as breach response costs, regulatory expenses and business interruption. In recognition that cyber resilience is a collaborative process, insurers are increasingly partnering with IT professionals, forensic accountants, public relations professionals and regulatory lawyers to provide a holistic response to cyber incidents. Traditional claims management protocols are commonly set aside in favour of insured organisations accessing urgent ‘breach coaching’ services from these teams of professionals through telephone hotlines, websites or monitored email addresses.

Cyber risk insurers are providing value-add services to assist organisations in becoming more cyber resilient. Common value-adds for insured organisations include cyber risk assessments by specialist IT professionals, credit monitoring services and data breach response training.

With the passage through Federal Parliament of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, the uptake of specialist cyber insurance is likely to continue rising in the coming year.
How we can help

• Advise on privacy, data protection and cyber-related legal and commercial issues.

• Develop and deliver cyber risk and privacy compliance tools through face-to-face and online training (including via our award winning Safetrac online compliance system).

• Plan for, respond to and rebuild from, a data breach or cyber incident, including breach coach services (where MinterEllison leads the data breach response process).
Contacts

Paul Kallenbach, Partner. T +61 3 8608 2622, M +61 412 277 134
Anthony Lloyd, Partner. T +61 2 9921 8648, M +61 411 275 811
Anthony Borgese, Partner. T +61 2 9921 4250, M +61 400 552 665
Amanda Story, Partner. T +61 2 6225 3756, M +61 423 439 659
Cameron Oxley, Partner. T +61 3 8608 2605, M +61 417 103 287
Veronica Scott, Special Counsel. T +61 3 8608 2126, M +61 411 206 248
Leah Mooney, Special Counsel. T +61 7 3119 6230, M +61 421 587 950
John Fairbairn, Partner. T +61 2 9921 4590, M +61 410 475 965
Endnotes

1 Australian Government, Australia’s Cyber Security Strategy, April 2016 at 15, available at http://bit.ly/1r6MNr0
2 US National Initiative for Cybersecurity Careers and Studies Glossary, available at http://bit.ly/2jrROaX
3 European Commission, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (2013), available at http://bit.ly/1Gp5CbC
4 J J Cebula and L R Young, ‘A Taxonomy of Operational Cyber Security Risks’ (2010) Technical Note CMU/SEI-2010-TN-028, CERT [...]
5 ASIC, Cyber resilience: Health check (March 2015), available at http://bit.ly/1HyFGJC
6 Office of the Australian Information Commissioner, Data breach notification – a guide to handling personal information security breaches (August 2014), available at http://bit.ly/1XVFk9h

1 Cybersecurity Ventures, 2016 Cybercrime Report, available at http://bit.ly/2bHNaBz.
2 2016 Cyber Attack Statistics, www.hackmagedon.com.
3 US Department of Justice, How to Protect Your [...]
4 These results are consistent with the New York Stock Exchange’s 2015 Cybersecurity in the Boardroom survey (available at http://bit.ly/1P4v5yX), which found that 42% of surveyed Boards only discussed cyber security issues ‘occasionally’.
5 Interestingly, Intel Security’s 2015 Grand Theft Data report (available at http://intel.ly/2kFXBMP) found that external actors were responsible for only 57% of data breaches, while 43% of data breaches were caused by the actions (whether negligent or malicious) of trusted insiders.
6 [...] 2016), available at http://bit.ly/2lEHf8o.
7 Speech by SEC Commissioner Luis Aguilar, Cyber Risks and the Boardroom (June 2014), available at http://bit.ly/2kFtG8M.
8 Speech by ASIC Chairman Greg Medcraft, Building Resilience: The Challenge of Cyber Risk (December 2016), available at http://bit.ly/2m1B7Y7.
9 Speech by SEC Commissioner Luis Aguilar, Cyber Risks and the Boardroom (June 2014), available at http://bit.ly/2kFtG8M.
10 ASX Listing Rules, Rules 3.1, 3.1A and 3.1B.
11 Paul Ferrillo and Christophe Veltsos, Take [...]