Written by Patrick Gunning.
KWM's 2021 Directions Survey confirmed that cyber risk is now clearly the No. 1 "top of mind" issue for directors and senior business leaders, being a key concern for over 60% of respondents.
As we've explained previously, directors should treat cybersecurity as a kind of operational risk. Many cybersecurity incidents have low impact, but the number of incidents causing a material impact on businesses has been increasing, particularly those involving ransomware.
This is reflected in the Australian Cyber Security Centre's annual threat report for the year ended 30 June 2021, which found:
"Compared to the previous financial year, the total number of cyber security incidents in the 2020–21 financial year decreased by 28 per cent and there were no Category 1 or Category 2 incidents in the 2020–21 financial year. However, a higher proportion of incidents in the 2020–21 financial year were categorised as Category 4 incidents – indicating that cyber security incidents reported this year had a more profound impact on victim organisations. This change is due in part to an increase in attacks by cybercriminals on larger organisations and the impact of these attacks on the victims. The attacks included data theft, extortion and/or rendering services offline."
In response to these trends, the Australian government has been progressing with its cybersecurity strategy.
Security of critical infrastructure legislation
The legal centrepiece of the government's response has been the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Parliament. The bill was introduced in December 2020 and was promptly referred to the Parliamentary Joint Committee on Intelligence and Security for review. After receiving written submissions, the Committee held public hearings in June and July 2021 and the Committee's report was published on 29 September 2021 (just before this edition of On Board went to press).
The bill as introduced proposed a significant expansion of the concept of a critical infrastructure asset, so that many actors in the Australian economy would fall within its net, as opposed to the current narrow scope of operators of electricity and gas networks, ports and water utilities. The expanded scope was clearly a product of the recognition during the pandemic that many parts of the economy are 'critical'. For example, under the bill hospitals, logistics assets, food and grocery businesses, financial markets and payment systems, and telecommunications networks can be critical infrastructure assets.
The bill also proposed the introduction of various risk management and reporting mechanisms, together with a regime requiring the reporting of cybersecurity incidents affecting critical infrastructure assets and giving the government powers to 'assist' or intervene when significant cybersecurity incidents occur.
The Committee's unanimous recommendation was that
"the SOCI Bill be split in two, so that the current Bill can be amended (Bill One) to allow urgent elements of the reforms such as government assistance mechanisms, mandatory notification requirements and related measures to be swiftly legislated. This will ensure that the Government can exercise these vital powers when 'last resort' circumstances arise.
… [and]
the remaining elements of the SOCI Bill be amended in consultation with industry, and reintroduced in a subsequent Bill (Bill Two) containing the less urgent measures, such as risk management programs and declarations of Systems of National Significance (with accompanying enhanced cyber security obligations). Bill Two can then proceed at a more manageable pace for government and industry and ensure that the Security of Critical Infrastructure framework that Australia needs generates broad stakeholder consensus."
As of the date of writing, the government has not responded formally to the Committee's recommendations. However, the recommendations were supported by representatives from the governing political parties and the main opposition party, so the government may be inclined to accept them.
If this occurs, we may see the introduction and enactment of a cut-down version of the bill later in 2021, with further consultation on the remainder of the bill in 2022. In this scenario, the provisions of the bill imposing obligations on the boards of operators of critical infrastructure assets will be delayed, to allow for more detailed consideration of the impact of the proposed governance and risk management measures.
Whilst the Committee members from the opposition Australian Labor Party supported this approach, they indicated that during consultation on 'Bill Two' they would seek to revisit the immunity given to government decision makers who invoke the assistance and intervention powers in respect of cybersecurity incidents. This was an issue raised by the Law Council of Australia in submissions to the Committee.
Discussion paper canvassing governance and minimum security standards
The other legal development has been the publication by the government in July 2021 of a discussion paper canvassing various potential law reforms and practical initiatives. One section of the paper focusses on governance standards for large businesses. It says:
"There is room for cyber security governance standards to be articulated in respect of a wider range of businesses than the critical infrastructure owners and financial institutions covered by the Security of Critical Infrastructure Act 2018 and APRA's prudential standard respectively. Such a standard would need to apply across the various forms business structures can take including companies, partnerships, trusts, and sole traders, recognising that the corporate structure is the most dominant form."
The options proposed were:
- maintain the status quo;
- develop a voluntary cyber security governance standard for larger businesses, through a co-design process between government and industry; and
- introduce mandatory governance standards for larger businesses.
The paper clearly signals that the government's preference is for a voluntary standard, stating that:
"On balance, a mandatory standard may be too costly and onerous given the current state of cyber security governance, and in the midst of an economic recovery, compared to the benefits it would provide."
Another section of the paper considers whether cyber security resilience could be raised across the economy by accelerating the adoption of technical standards. The method proposed for consideration is the introduction of a mandatory code under the Privacy Act prescribing minimum security standards for organisations that hold personal information. The government sought feedback on whether there are high-impact, lower-cost cyber security controls that could be included in a code, and whether the code could be targeted at higher-risk entities or at technology providers that service large numbers of other businesses. The paper is clearly more supportive of the idea of a mandatory Privacy Act code that would establish minimum standards (rather than best practices) than it is of the proposal for mandatory governance standards, stating that:
"implementation of a cyber security code under the Privacy Act may drive meaningful improvements in Australia's cyber security, if it is appropriately balanced against cost."
Submissions to the discussion paper closed on 27 August 2021. The timing of the government's next step is not clear, but it is apparent that there is serious consideration being given to the introduction of a mandatory code under the Privacy Act to prescribe minimum security standards to be observed when protecting personal information.
Ransomware
The ACSC's annual threat report stated that the ACSC received nearly 500 ransomware reports in the 12-month period, an increase of 15% on the prior year.
The statistics published by the Office of the Australian Information Commissioner (OAIC) on notifiable data breaches for the period January to June 2021 also highlighted the importance of ransomware attacks. The OAIC's report found that malicious or criminal attacks remain the leading source of data breaches (65% of those notified in the period). The main forms of those attacks were email-based phishing (30% of all malicious or criminal attacks), compromised or stolen credentials (27%) and ransomware (24%). The OAIC report specifically mentions that several entities affected by ransomware concluded that an "eligible data breach" had not occurred due to a lack of evidence that access to, or exfiltration of, data had occurred. This approach was criticised:
"It is insufficient for an entity to rely on the absence of evidence of access to or exfiltration of data to conclusively determine that an eligible data breach has not occurred. Where an entity cannot confirm whether a malicious actor has accessed, viewed or exfiltrated data stored within the compromised network, there will generally be reasonable grounds to believe that an eligible data breach may have occurred and an assessment … will be required."
It seems odd that entities that have suffered a ransomware attack would be reckless as to whether personal information may have been accessed or exfiltrated. It is commonplace for the attackers, when seeking payment of a ransom, to provide some concrete evidence that they have copied particular files. This leads to an obvious chain of inquiry by forensic investigators into the nature of the data held in those files.
In our experience, the much more difficult scenario arises when an organisation's data is in the possession of a service provider, and the service provider's systems have been compromised by ransomware. In these circumstances the service provider conducts the forensic investigation and if anyone is in communication with the attackers it is the service provider. The service provider will not admit to its clients that it has paid a ransom but may make statements such as "we consider there is no real risk of misuse of any personal information". The most obvious inference is that a ransom has been paid, and the client organisation must then make its own judgement as to whether a real risk of serious harm to individuals exists. This boils down to an assessment of the likelihood that the client organisation's data has been compromised, the kind of personal information (if any) contained in that compromised dataset, and whether the attacker (usually an organised criminal) can be trusted to not leak any stolen data on the dark web after being paid off.
In March 2021, the Cyber Security Industry Advisory Committee appointed by the government published Locked Out: Tackling Australia's Ransomware Threat. This is a good publication for those seeking to understand ransomware in more detail.
And in July 2021 the same Committee published its annual report, which contains an assessment of the contribution by Australian industry to promoting cybersecurity and made recommendations for focus over the next year. One recommended focus area relates to ransomware and the efficacy of cybersecurity insurance as a mitigant. The Committee called for "the development of a clearer policy position on the payment of ransoms by organisations subject to ransomware attacks" and for the government to undertake "a review of cyber insurance regimes to understand their efficacy in mitigating cyber threats".
The availability of insurance to cover ransom payments clearly has the potential to encourage ransomware attacks against those holding such insurance. Insurers offering such insurance have been hacked themselves, and the speculation is that the hackers are going after customer lists to identify potentially lucrative targets in the form of businesses that hold insurance. For example, it was reported in May 2021 that the US-headquartered insurer CNA Financial Corp paid US$40 million in ransom after suffering an attack in March. The company felt compelled to state that it did "not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted."
It will be interesting to follow what, if anything, the Australian government does to discourage the payment of ransoms, including whether to intervene in the insurance market to make it unlawful for insurers to reimburse their clients for ransom payments.