One of the last places you’d expect to find a corporate lawyer is a cybersecurity conference. But as the regulatory and legal landscape for businesses changes, the intersection between policy and technology is widening.
Robert Kerr from Addisons Lawyers may have been the odd one out in a room full of security professionals at the 2017 AusCERT Conference, but his presentation highlighted the complexity of the task in front of businesses and the importance of technical experts working with everyone else to create a holistic approach to security and privacy.
Kerr said, “You’re going to see more of us in this industry”.
Although a great deal of attention has been placed on new rules and laws such as the changes to the Australian Privacy Principles, metadata retention and mandatory breach notification, Kerr points out that there have been cyber-related laws in play for some time. But these have often been downplayed as boards have focussed on other matters such as culture and leadership, health and safety, and finances and accounting.
Kerr said cyber risk is emerging as a new area boards are interested in as they realise ASIC will hold them personally responsible for failing in their duty of care. This means boards need to take a holistic view of people, corporate needs and systems.
This is one of the areas where boards and security professionals may clash. For many security professionals, the goal is to stop every breach from being successful. But for boards, Kerr said “The goal is preparation, not perfection”.
For boards, this means knowing about the risks and taking reasonable steps to mitigate them.
A critical point made by Kerr was that legal compliance does not equate to robust security, although the two should become better aligned over time. Conversely, having strong security does not mean you are operating in compliance with the law.
Within Australia, there are several bodies that contribute to the regulatory landscape. Kerr identified seven different agencies, including the Department of the Prime Minister and Cabinet, CERT Australia, the Attorney-General’s Department and the Department of Defence. Over time, Kerr said, he expected some consolidation of functions, reducing the number of agencies involved.
The new mandatory breach notification laws that come into effect next year were singled out by Kerr as an area where businesses might be impacted. However, he noted that any ASX listed company was already subject to some disclosure regulations.
ASX Listing Rule 3.1 says companies are obligated to disclose any information that a reasonable person would expect to have a material impact on the value of the company. Unlike the new breach notification laws, which are focussed on the release of personally identifiable information, the ASX’s remit is much broader.
So, listed companies need to already have steps in place to protect data and communicate potential issues.
Ransomware was another area Kerr focussed on. Under the Crimes Acts of the states and territories, the payment of a ransom is considered “aiding and abetting” a crime. That means paying a ransomware attacker to release encrypted data is illegal. However, Kerr noted that the law hadn’t been tested in this regard, and he believed law enforcement would be reticent to pursue such a case.
So, what advice did Kerr have for businesses?
Kerr also noted many businesses did not have a complete view of what data they held and its value. Conducting a thorough audit was a crucial first step in identifying what needed to be protected and what was at risk.
Cybersecurity is an emerging area of interest for boards. As such, they are looking for standards that can assist them with fulfilling their obligations for preparation.
Kerr noted that ASIC encourages the use of the NIST (https://www.nist.gov/) standard from the US. ASIC also advocates using CREST-approved tech firms when choosing vendors and taking the ASD’s Essential Eight recommendations into account.
The goal, he says, is to be prepared, as perfect resilience is unlikely to be achievable.