Getting incident response right in a changing cyber threat environment

10 August 2023

Rapid advances in the methods deployed by threat actors have rendered the cybersecurity landscape inherently complex and unpredictable. As cyber threats continue to evolve in their frequency, sophistication and impact, boards must be prepared to treat them as being at the same level of importance as other financial, legal and regulatory considerations.

At the centre of any cyber risk framework should be an incident response plan that is shrewd and sufficiently flexible to deal with not only present foreseeable risks but also emerging and possible ones.

Even though malicious cyber actors seek to exploit system vulnerabilities and steal valuable corporate assets, affected companies are nonetheless no longer perceived by the public, media and regulators to be mere “victims”. Companies are expected to turn their minds to implementing organisational frameworks and strategies to prepare for and manage a cyber incident. From a commercial and legal perspective, it is simply no longer acceptable to relegate cybersecurity to IT departments.

Despite this, many C-suites still prioritise investing in their technical capabilities without developing a wider compliance framework. This is not based on an inadequate appreciation of the seriousness of cybersecurity – indeed, they regard it as a more significant issue than the COVID-19 pandemic, economic volatility and climate change. Rather, their reliance on an ‘outdated’ approach to cybersecurity management is often what leads them to fail to properly adapt to the emerging cyber threat environment, the general features of which are outlined below:

Cyber threat actors	State-sponsored actors, cybercriminals, hacktivists, cyberterrorists, thrill-seekers, insider threats
Motives for cyberattacks	Geopolitical, profit, ideology, violence, satisfaction, vindication
Exploitation methods	Malware, phishing, denial-of-service attacks, spoofing, identity-based breaches, code injection, social engineering, supply chain attacks, insider threats, DNS tunnelling, IoT based attacks
Common attack vectors	Compromised credentials, weak or stolen credentials, unpatched applications or servers, insufficient authentication, phishing emails, psychological manipulation (i.e. impersonation), vulnerability exploits, poor encryption, misconfigurations, exploitations of trust, rogue insider
Why are ransomware attacks becoming increasingly common?	Lower barriers to entry, more advanced techniques, recognition of its scalability, goal to place pressure on organisational resources, increased data leaks
Key sectors targeted	Healthcare, finance, insurance, accounting, legal, management, recruitment
Consequences	Financial, reputational, operational, litigation and regulatory responses

The rising need for cyber-aware directors

Directors must ensure that in responding to these threats they discharge their duties with care and diligence and in good faith in the best interests of the corporation.

When a court looks to consider whether directors have failed in their duties in relation to a cyber incident, it would likely give substantial weight to the steps directors took and their preparedness. The directors will need to exercise a degree of care and diligence that a reasonable person would have exercised in her or his position to ‘prevent a foreseeable risk of harm to the interests of the company’.

This may involve an evaluation of the extent to which the directors have:

upheld cybersecurity best practices;
reasonably informed themselves of risks (they cannot merely ‘do as advised’ by cybersecurity experts);
addressed vulnerabilities (including through proper communication with shareholders); and
implemented frameworks to both address foreseeable risks and respond to them.

In order to avoid a claim that the directors have breached their duties under s 180 and 181 of the Corporations Act 2001 (Cth), they will need to establish that they took reasonable steps to ensure that their company properly managed the foreseeable risks to the company from a cyber incident. What is foreseeable will be framed by a wide examination of the general circumstances in which the company operates and the general and specific obligations on the directors.

One relevant consideration will be the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, which recommends that a company’s risk management framework deals with the ‘emerging risk’ of cybersecurity and is reviewed at least annually so that it is appropriate and has proper regard for risks. Recent cases, such as ASIC v RI Advice Group [2022] FCA 496, recognise that cybersecurity risks can be materially addressed through adequate cybersecurity systems, documentation and controls. They also point to an increasing willingness by judges to impose fines and order the implementation of special cyber resilience measures where appropriate.

Amidst this changing environment, the Commonwealth Government is seeking new ways to make it obvious that cybersecurity is part of a director’s responsibility. For example, it is presently considering (in its 2023-2030 Australian Cyber Security Strategy Discussion Paper) introducing specific obligations for directors to address cybersecurity risks and consequences. Further, the Australian Computer Society has suggested imposing criminal penalties on directors who knowingly and wilfully breach privacy laws. Regardless of whether either of these measures are introduced, they point to rising expectations for directors to consider cybersecurity.

The incident response plan

A central component of any organisational response to cybersecurity should be a comprehensive and accessible incident response plan that clearly sets out:

the roles and responsibilities of different persons and bodies (i.e. the incident response and crisis response teams, lawyers and advisers);
the steps and processes those persons and bodies should follow;
how impact assessments should be facilitated;
how critical business functions should be preserved;
escalation and reporting mechanisms (including to the board and external bodies such as the Office of the Australian Information Commissioner (OAIC));
general timeframes within which decisions should be made and by whom;
alternative approaches to making decisions where cyberattacks occur during inconvenient times or require quick responses;
how external service providers should be engaged with and their function in the context of the broader incident response;
how and when persons activating the incident response plan should refer to other documents such as technical process guides, asset management frameworks and business continuity plans;
communication procedures both internally and externally; and
post-incident actions.

Carving a pathway to effective communication and decision-making

Without an incident response plan to refer to, it may be tempting for directors to be reactive in the face of an actual or suspected cyber crisis either by instructing their communications teams to withhold information or to ‘spin’ the situation by publishing ‘good news’ stories. This could contravene certain obligations, for example:

a cyberattack which reduces or limits the ability for an organisation to function will have material share price implications and thus must be disclosed to the ASX under Listing Rule 3.1;
an organisation may contravene client engagement agreements or their conduct may amount to misleading or deceptive conduct where they fail to sufficiently disclose information to customers; and
an organisation must notify individuals and the OAIC Commissioner about ‘eligible data breaches’ that are likely to cause serious harm.

An incident response plan would also create mechanisms for directors to address ransomware attacks, which often require quick and measured responses, including in circumstances where convening a timely board meeting is not feasible.

Organisations face complex considerations in the face of such an attack – on the one hand, the Government advises them not to make ransom payments, and, if they are made, prosecutors may interpret them as either ‘instruments of crime’ under the Criminal Code 1995 (Cth) or in breach of other criminal law provisions. These include anti-money laundering, counterterrorism and sanctions laws, such as under the Autonomous Sanctions Act 2011 (Cth), Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth) and Charter of the United Nations Act 1945 (Cth). However, the extent to which making ransomware payments could fall within the scope of these criminal law provisions is presently a legal ‘grey area’ and the courts have provided limited commentary on the application of potential defences in a ransomware context.

An organisation may also be persuaded to give weight to ethical concerns (i.e. threats to life), reputational risks, the likelihood of negotiating lower payment thresholds and other factors such as consequences of data being sold or lost. Given the complexity involved in responding to these attacks, if a threat actor seeks to extort an organisation the last thing their crisis team wants to worry about is under what circumstances they should consult the CEO or the documents they should refer to when making decisions.

Further, the ASX has said that companies can use brief trading halts pursuant to Listing Rule 17.1 to avoid false reporting and obtain information that investors need. An incident response plan would enable companies to be prepared to gather relevant documentation and thereby avoid any allegations of having avoided making timely disclosures of a material cybersecurity incident.

Consequences of a poor incident response plan

Apart from facing obvious financial and operational strains, organisations that do not have adequate incident response plans and are later subject to a data breach may find themselves at the centre of disputes or investigations, such as:

shareholder class actions (alleging breaches of continuous disclosure requirements or misleading or deceptive conduct);
court proceedings for consumer class actions (alleging the company or its officers failed to secure personal information or properly respond to security breaches) and, additionally, OAIC representative actions;
Australian Securities and Investments Commission (ASIC) and Australian Competition and Consumer Commission (ACCC)-led prosecutions;^{^[1]} and
OAIC-led investigations (the regulator recently received increased funding), including in relation to responding to serious or repeated interferences with privacy.

These now attract maximum penalties of A$2.5 million for an individual and, for a body corporate, the greater of either A$50 million, three times the value of the benefits obtained due to the contravention, or 30% of the body corporate’s adjusted turnover during the breach turnover period.

The Commonwealth Government has indicated in its Privacy Act Review Report that it will only make it easier for individuals affected by data breaches to seek recompense and is placing pressure on companies to cover the costs of compromised personal information such as identity documentation.

*******

One thing is clear: boards must ensure they are agile and prepared for cyberattacks. Effective incident response plans will be very important in guiding any organisational ship through the murky waters of evolving cyber threats and regulatory abrasiveness.

_{[1] Both ASIC and the ACCC have recently demonstrated they have the ‘teeth’ to engage with cyber issues. ASIC may, for instance, bring stepping stones actions in serious cases where a director both (a) fails to exercise the degree of care and diligence that a reasonable person would have exercised in their position, and (b) causes the organisation to contravene the law where it was reasonably foreseeable that their actions would bring harm to the interests of the organisation.}