The Perspectives on Cyber Risk 2021, in its sixth year, noted that there are cyber risk regulatory changes relating to privacy and data protection and governance, with ASIC and the ASX increasing their focus and action. Significant changes to Australia’s privacy landscape also loom.
MinterEllison partner, Paul Kallenbach reflected that the awareness of cyber risk among the director community – and non-tech executive community – has increased substantially. “Six years ago, we were imploring those at the top of organisations to take notice of this issue – it is now expected that cyber risk has a high profile at board level,” Kallenbach said.
Regulators have been signalling action for many years and companies are elevating their levels of compliance. ASIC has now identified 'deterrence-based enforcement action' as one of its critical cyber supervisory projects for 2021.
“Woe betide any director who doesn’t consider this to be a top five risk for the organisation – the risk is prevalent and increasing and regulators are watching,” Kallenbach said.
MinterEllison found that more organisations are testing their data breach response plans, but this is still not enough, and more needs to be done to protect against cyber attacks. The report revealed that 55% of survey respondents indicated that their data breach response plans were being tested at least annually, compared with 34% last year. Those firms that are not regularly testing their plans operate at higher risk.
The existence and regular testing of data breach response plans are more prevalent in larger organisations, particularly those that have previously dealt with cyber attacks, such as the financial services sector.
“Unfortunately, the most effective lever to persuade an organisation to test its data breach response plan is for it to suffer a serious cyber risk incident. Such an incident will take a company from having a plan to testing that plan,” Kallenbach said.
Other key findings
- Individuals remain the prime targets of cyber attacks. Despite the high-tech nature of some attacks, individuals remain the ‘weak link’, and hence a critical focus of cyber security planning. While 70% of incidents arose from phishing attacks, a further 17% of incidents involved invoice fraud, leaving just 13% of incidents arising from technical forms of attack (such as DDoS attacks).
- The rate of adoption of external cyber frameworks remains low. External frameworks, such as the Australian Signals Directorate's Essential Eight, provide valuable guidance on best practice for managing cyber risk; however, less than 50% of organisations have taken steps to assess their cyber security maturity against such a framework.
- Almost 40% of survey respondents faced increased cyber security risks due to the shift to remote working. Others found that COVID-19 exposed latent and underappreciated cyber issues.
MinterEllison advises organisations and their Boards to:
- Focus on the supply chain
Organisations should develop a thorough understanding of their supply chain, including their key vendors’ IT security and operational postures to mitigate against the introduction of weak links. APRA-regulated organisations must do this in order to discharge their obligations under APRA’s Prudential Standards.
COVID-19 has exposed the critical importance of resilience in the procurement and operation of crucial ICT systems in helping to mitigate against events that may be outside of an organisation’s control.
- Keep up the regular training
Most cyber incidents still result from human error. A regular program of security training and awareness is critical to addressing this.
Organisations should consider joining an industry group or forum to share intelligence regarding cyber risk and evolving cyber threats.