MinterEllison Perspectives on Cyber Risk report launched

5 minute read  23.04.2024

Half of Australian organisations not confident of cyber attack obligations nor their data types, storage and control – MinterEllison report

  • Only 51% are very confident understanding regulatory and contractual obligations in a data breach
  • 57% of respondents said third party suppliers or vendors had experienced a cyber attack or data breach in the last 12 months
  • Privacy regulatory reforms are expected this year.

MinterEllison's Perspectives on Cyber Risk 2024 highlights the need for organisations to rapidly enhance their data governance. The past 12 months have seen data breaches increase in frequency, scale and severity in Australia and around the world, with the health and finance sectors particularly impacted, driven predominantly by malicious or criminal activity.

Concurrently, rapid advancements in new technologies, including artificial intelligence (AI) and machine learning (ML), present both opportunities and challenges for organisations – including in managing and mitigating cyber risk.

MinterEllison Partner Paul Kallenbach, one of Australia's leading legal experts in Information Technology, Outsourcing, and Privacy & Data Security, and lead author of Perspectives on Cyber Risk said:

"Cyber risk and cyber resilience are more pressing than ever for Australian organisations. Heightened geopolitical factors, new regulatory requirements, an increasing prevalence of cyber attacks, and an increasing reliance on technology and data mean that organisations must take proactive steps to build and maintain their cyber resilience."

In MinterEllison's Cyber Risk survey, third party data risk is an area of growing concern. 57% of respondents told MinterEllison that their third party suppliers or vendors had experienced a cyber attack or data breach in the last 12 months – underscoring the need for organisations to develop a thorough understanding of their supply chain and implement robust cyber risk mitigation strategies to address cyber threats within it.

Of concern, only 46% of our respondents told us that they were confident that their organisation knows what data it stores, where it is stored, what controls protect it, and who has access to it. This indicates that many Australian organisations need to focus on and improve their data governance.

"We have seen cyber-attacks in Australia and globally greatly increase in sophistication and frequency. The dynamic landscape of technological evolution, propelled by artificial intelligence and machine learning, is providing a hotbed for organisations to encounter a spectrum of emerging challenges alongside great opportunities. Amidst this wave of innovation, cybersecurity is reaching a critical focal point," said Shannon Sedgwick, Partner, Technology Consulting, Cyber Risk.

It is critical for organisations to regularly test and rehearse their plans. This year, 63% of respondents told us that they tested or rehearsed their plan regularly (at least annually). Although this is an improvement on last year's survey result of 52%, it signals that there is further work to be done by many organisations to ensure they are adequately prepared to manage a cyber incident effectively.

Coming privacy regulatory reform

The report findings observe that, in response to the increasing frequency and severity of data breaches affecting millions of Australians, the Office of the Australian Information Commissioner (OAIC) has adopted a more stringent and proactive stance in its enforcement of the Privacy Act. In particular, the OAIC has been taking a more robust approach in assessing whether eligible data breaches have been notified in a timely manner, as demonstrated by recent cases.

"There is a shared understanding amongst Australian regulators that enhancing cyber resilience is vital for Australia's long term socio-economic stability and national security. The ACCC has intensified its scrutiny of data handling practices by Australian organisations this past year, in response to the growing risks and challenges posed by the digital economy," said Kallenbach.

Australian regulators have been active in proposing and implementing law reforms to enhance cyber resilience, accountability and transparency, across every sector and industry of the Australian economy.

50% of survey respondents told us they were either not confident, or were only somewhat confident, that they understood their regulatory and contractual obligations in the event of a cyber attack or data breach – a result that is of concern because obtaining a detailed understanding of these matters is within the control and capability of most organisations. With coming reform, this exposes many organisations to potential regulatory vulnerability.

“Cyber preparedness is a continuous journey, it is not a destination,” said Kallenbach.

MinterEllison's Perspectives on Cyber Risk report outlines ten lessons for best-practice cyber response.

  1. Don’t underinvest in cyber. Underinvesting in cyber security can result in financial losses, reputational damage, legal jeopardy, and operational disruption.
  2. This is more serious than ever. Cyber breaches are instigated by diverse threat actors, including cyber criminals driven by financial motives, nation-state actors engaged in espionage and disruptive cyber attacks, hacktivists promoting social or political agendas, organised crime groups seeking financial gains, ‘script kiddies’ causing disruptions for notoriety, advanced persistent threat (APT) groups conducting targeted cyber espionage, and rogue insiders misusing their access.
  3. Have a plan. In the critical first 24-48 hours of responding to a ransomware or other cyber attack, maintaining a calm and rational approach is essential because panic tends to lead to poor decision-making.
  4. Bring in third party experts to assist you at an early stage. Engaging third party experts in the early stages of cyber attack preparedness provides organisations with specialised knowledge, objectivity, and experience.
  5. Don’t engage in ‘blamestorming’. Avoiding blame during a cyberattack within an organisation is crucial because it allows for a more focused and effective response.
  6. Don’t notify too early. It is crucial to strike a balance by aligning notification with legal requirements and ensuring a comprehensive understanding of the incident before involving regulators and affected individuals.
  7. Expect the unexpected. Cyber threats are diverse, ever-changing, and can exploit unknown vulnerabilities – which means that organisations should anticipate the unexpected.
  8. Place impacted individuals (and not the organisation) at the centre of the investigation. Focus on prioritising impacted individuals over the organisation when preparing breach notifications and deciding on and implementing remediation measures.
  9. Co-operate with regulators. Adopt a proactive and cooperative stance when dealing with regulators. This involves assuming that different regulatory bodies (such as the OAIC, ASIC and the ACCC, and overseas regulators) will communicate and confer with each other.
  10. Learn from the incident (and from incidents affecting others). Organisations should extract lessons from data breaches, including those that have affected others. This includes taking a proactive approach to data governance practices and evaluating the necessity of retaining all data.

Methodology

Data was collected through our annual online survey between January and March 2024. More than 160 respondents took part, comprising legal counsel and C-suite executives, including IT, risk and security specialists, and Board members. This year's key sectors represented in the survey included finance, energy, health, real estate, infrastructure, government, technology, media and telecommunications.

For media enquiries, please contact:

Charlotte Juhasz
Director, Corporate Communications & Media
M +61 408 837 975

https://www.minterellison.com/articles/minterellison-perspectives-on-cyber-risk-report-launched