4 things that changed in cyber security in 2021, tips for 2022

Cyber security is now one of the most significant risks for organisations in Australia. The rising tide of ransomware and other attacks has been exacerbated during the pandemic with remote working and rapidly deployed systems to support changing work environments.

Cyber attacks started to impact the community more than ever before in 2021. Attacks on Channel Nine resulted in interruptions to news bulletins. UnitingCare, which provides healthcare through hospitals and aged care facilities, was hit hard by ransomware and we saw the global price of meat jump when one of the world’s largest processors, JBS, was attacked, resulting in workers being stood down and plants being closed, and caused widespread panic buying. People were stranded in long queues at petrol stations around the world when Colonial Pipeline in the United States was attacked, resulting in the flow of oil being interrupted.

With increased scrutiny on private sector capabilities from the Australian government and media attention, board directors' accountabilities were magnified, a trend that will continue into 2022. With a greater focus now on the responsibilities for cyber security sitting at the board level, here are the top four things company directors and CEOs need to know as we head into 2022:

1. We must be prepared for a significant cyber attack within Australia

The sophistication and frequency of cyber attacks is on the rise with no sign of abatement, either globally or locally, in 2022. More than half of the Australian businesses hit by ransomware attacks paid their attackers, but only a quarter of those actually recovered their data in the past 12 months. In a major attack, paying the ransom may only be a small part of the recovery cost. The effort to decrypt systems and then ensure adequate safeguards are in place to thwart a repeat attack can quickly multiply the costs.

In 2022, all company directors must fully understand the financial, regulatory and reputational consequences of a cyber attack on the organisation and management must have plans in place to identify, respond, contain and recover. The board must also clearly understand its role before, during and after an attack.

2. Changes to laws will become a reality

With the Security Legislation Amendment (Critical Infrastructure Bill) 2020, currently under review in Federal Parliament, 2022 will provide clarity about what would trigger liability for company directors and what would make the government intervene in an organisation’s cyber incident. For organisations in scope of the revised legislation and especially those coming from a low base of security maturity, prioritisation of investment and allocation of resources will be critical to achieving compliance with the new obligations.

The revisions to the act propose to hold company directors in 2022 accountable for a cyber breach. This will require boards to understand the consequences of a cyber attack, contribute to establishing a risk appetite for cyber security and prioritise funding and resourcing accordingly. The application of the bill needs to be balanced with a broader, enterprise-wide cyber security strategy with the objective to be secure, not only to achieve compliance.

In addition, the government's new Ransomware Action Plan proposes mandatory reporting by organisations with a turnover of more than $10 million. The reporting regime aims to improve understanding of the ransomware threat and enable better support to victims of ransomware attacks.

VIEW ALL

Company directors and executives can begin preparing now for this action plan to come into effect and be clear on what it means to their organisation, including the board's role in decision making and how they would be kept informed in the event of an incident. Directors will need to ensure that there is an agreed position on ransomware payments at the board level given the plan’s decisive stance on the payment of ransoms. The government’s position is that paying ransom is not condoned.

3. Being insured for a cyber event will be challenging

Boards and C-suite leaders need to be aware that not all cyber insurance policies are made equal, and organisations must ensure they completely understand what they are covered for. Exclusions and special conditions in the fine print aren’t always understood and can include ransomware co-payments or no payments, no coverage for out of support software and hardware and little to no funding to repair reputation damage.

Cyber insurance is not a preventative cyber security strategy. Organisations and their boards who believe that purchasing insurance is the only investment they need are putting their organisations at risk. Management must build the activation of their insurance into a robust, well-rehearsed incident response plan that reflects how the organisation plans to respond in a crisis. This includes testing whether the cyber event can be quickly contained through to deciding to order an enterprise-wide system shutdown.

Being prepared for a cyber incident is key. If you are in a position where you need to call on your cyber insurance policy, chances are the cyber event has taken hold of your business which could mean months of restoration and ongoing financial and reputational impacts.

4. Company directors will be held personally liable

The governance landscape is constantly evolving with new and challenging issues. The pandemic and an increase in the frequency, maturity and severity of cyber attacks are examples of the ongoing shift in the role of a company director.

Company directors cannot gain confidence in the cyber security protections of their business by undertaking a short course or by inviting an annual deep dive on cyber. Continuous learning is imperative to contend with new and challenging risks and issues. Education and development can be explored in informal and formal ways – from podcasts, articles, briefings and workshops to training and ongoing coaching.

Anna Leibel and Claire Pales are co-authors of The Secure Board book and co-founders of The Secure Board advisory service.