Australia: Cyber security: Risk management
Clayton Utz Insights

Key Points:

As with all risk management, there is no one-size-fits-all approach, but some basic steps will help you build a robust, nimble and practical cyber barricade.

It has been said that the only safe computer is one that is not connected to the internet. While the internet has become core to the conduct of modern business it also poses a major threat to business. Cyber attacks can range from simple denial of service attacks (as happened in Estonia recently where several websites were blacked out) to sophisticated data thefts across a broad spectrum of interests. Recently US businesses such as Target, Nieman Marcus Stores and Michael's Arts and Crafts, have suffered major data breaches. Such breaches can include scraping information from customer credit cards, or in the case of Target the gaining of access to over 110 million confidential customer records. At another level cyber attacks can be used to destabilize an economy — as evident in the current Ukraine conflict.

As a business entity you need to manage these cyber security risks and your lawyers need to understand such risks, their cause and be able to advise on appropriate risk management. If cyber security is not well managed, an organisation risks business disruption, theft of business secrets or customers, fraud and the resultant damage to the bottom line.

If self-interest were not enough of an incentive, there is also an increasing demand from regulators and even from parties to commercial contracts to ensure data protection.

As a legal adviser to business you need to understand where you client / business holds its and its customers information and the security arrangements that are in place to protect that information. Involvement in the business's procurement activities will necessitate addressing (in contractual documentation) supply chain risk as well as privacy, confidentially and intellectual property protections. Your role will be impacted by the nature of your organisation's business. For example, critical infrastructure providers will be looking to maintain up time. Retailers will be seeking to protect customer data, financial services organisations will be concerned about fraud as well as data protection and government will be concerned about data protection and national security.

Guidance coming from a collaboration between the public and private sectors will provide useful insight into how you will guide your client / business about implementation of effective cyber risk management strategies.

Government initiatives to improve private enterprises' cyber security

Governments and private enterprises are increasingly aware of the need to maintain information risk at an acceptable level and protect information from unauthorised modification, disclosure or attack. Similarly, they need to ensure that their services and systems are continuously available.

Given this, it's not surprising that various governments are addressing cyber security issues in collaboration with the private sector. The guidance these governments provide is useful to business wherever the business is located.

The most recent example is the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cyber Security, released in February 2014.

This Framework flows from Executive Order 13636 issued by President Obama on 12 February 2013, which established that "it is the Policy of the United States to enhance the security and resilience of the [USA's] critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties". The Executive Order also sought to identify critical infrastructure where a cyber security incident could result in catastrophic regional or national effects on public health or safety, economic security or national security, and provided for sharing of cyber threat information between the US Government and US private sector entities to assist them to address cyber security threats.

The Executive Order's main impact however was the development of a cyber security framework. This would focus on cross-sector security standards and guidelines applicable to critical infrastructure, and provide a prioritised, flexible, repeatable, performance-based and cost-effective approach to help owners and operators of critical infrastructure to identify, assess and manage cyber risk — supplementing, not replacing, their existing cyber security practices.

The new Framework adopts a risk-based approach and is composed of a Framework Core, Framework Implementation Tiers and Framework Profiles. As a living document, it is intended to evolve over time. It identifies five functions—Identify, Protect, Detect, Respond and Recover — to help executives to distil key issues in cyber security risk and map their organisation's readiness and ability to deal with cyber attacks. This may reveal that an organisation is properly addressing cyber security risks, or, alternatively, that there are gaps in its approach.

The Framework also helps in forming and prioritising cyber security decisions, and aligning policy, business and technological approaches. As such, organisations can use the Framework to identify activities that are important to them and to prioritise investment to maximise return to the organisation.

A Roadmap for Improving Critical Infrastructure Cyber Security was also released alongside the Frame- work, to align the development of the Framework and its use. A range of critical infrastructure protection plans has also been developed in the USA. These cover commercial facilities, communications, critical manufacture, dams, energy, defence industry, financial services, IT and health care etc. Such plans also assist to align the approach and reactions of government and the private sector should an attack occur.

Separately, a Council on Cyber Security was established in 2013 as an independent, expert, not for profit organisation with a global scope committed to the security of an open internet. This Council has been developing a range of Critical Security Controls, referenced in the NIST Framework.

The Council focuses at a community rather than a business level and has identified its "First Five Quick Wins":

• application whitelisting;
• patching applications;
• patch operating system vulnerability;
• reduce users with administrative privileges; and
• using standard, secure system configurations.

For an Australian enterprise, these are similar to the Australian Signals Directorate's four strategies, with the last strategy being an addition.

So what do you tell your clients?

Information security

As a lawyer advising your client your ultimate focus will be centred around the need to understand what information is held by your business and the need to protect that information. In the modern world, organisations hold information that is attractive to cyber criminals, competitors, nation states or Hacktivists (those who have a moral or political concern about activities).

Lack of information security can impact the core business of an organisation. A cyber attack can quickly lead to serious damage, including reputational damage, loss of customers, financial loss or disruption to business operations, a point recently made by Australian Securities and Investments Commission Chairman Greg Medcraft. He noted that technological advancements have taken cyber crime cost to about $110 billion annually; for Australian companies each attack costs about $2 million. For many organisations information security was traditionally treated as a technical issue. It is now generally recognised that there needs to be a systemic enterprise approach to information security. Businesses need to focus on end-to-end processes.

This requires involving a range of persons in an organisation in managing information security. This would include the legal team, IT infrastructure and procurement team, the CEO and COO and whoever else is responsible for risk management, those with information security oversight and management (such as information security managers and the CIO), those with system/security design, development and implementation responsibilities and those who test, monitor and audit information systems. As a lawyer you need to be aware of the need to consider the entire business risk spectrum in advising on cyber security issues. At a specific level, Privacy Commissioners across the globe as a protective measure are emphasising the need to rationalise the collection of personal data from customers. In particular, organisations should collect and then retain only personal information necessary for a particular purpose, and include several layers of security. This security goes beyond anti-virus software and other technical security to physical security and HR security as well.

From a business perspective, all of this needs to be done while containing the cost of IT infrastructure and security management.

Asset management

An organisation must identify weak links in its system, which, at a basic level, means understanding its assets. To manage assets properly, physical devices, software platforms and applications need to be inventoried and tracked, and organisational data flows need to be mapped. As a lawyer, you will be confirming compliance that asset registers are maintained and are kept up to date.

Crucially, supply chains need to be identified and cyber security roles and responsibilities (including sup- pliers' and customers') established. Supply chain risk management, or lack thereof, could form the weakest link in an organisation's cyber security risk management if not properly addressed. Since an organisation could have good procedures but be exposed by a supplier's failure to have similarly good procedures, suppliers must be "locked in" to similar cyber security processes. As noted above, the USA Framework provides guidance on how to do this across industry. Such issues should also be address in ICT contracts, or contracts where services rely on an underlying ICT framework.

Transactions

Many organisations engage in transactions that are of high or critical business worth, for example, procuring critical business inputs or engaging in financial transactions including mergers or acquisitions. To manage these risks, information flows about the activity need to be controlled. As a legal adviser you will invariably be involved in preparing confidential deeds. However you may also need to be involved in the organisation's strategy to protect sensitive information.

For example, special networks (outside the organisation's usual IT network) may need to be set up for use by the deal team. Data may also be encrypted (subject to legal requirements to the contrary). Where encryption and/or passwords are used, there remains a need to be careful about passwords being the weakest link. Organisations should also consider monitoring access to the special networks to identify any suspicious activity.

Cyber security governance

Underpinning all these efforts should be cyber security governance, as effective governance is the key to ensuring all the elements of cyber security operate effectively.

As a starting point, organisations must understand their business environment. This includes knowing the organisation's role in the supply chain and its place in the industry sector. Organisations need to establish compliance processes to monitor their regulatory, legal and operational requirements and risk appetite. Cyber security compliance needs to be on legal compliance check lists.

Stakeholders and their roles must be clearly defined, and provide guidance and escalation processes for addressing cyber security issues, such as a framework for stakeholders' collaboration on resolving cyber security issues.

Another key component of cyber security governance is effective reporting on cyber security issues, and proactive and continuous monitoring. In addition, if monitoring reveals a problem, the problem needs to be addressed. In contrast, ignoring issues that are flagged can lead to regulatory and data breaches and reputational loss. It has been reported in respect of US cyber attacks, for example, that some victim companies have failed to address warning signs.

Once these issues are identified, the role of information security in the organisation can be identified and relevant information security policies can be developed. Legal and regulatory requirements regarding cyber security can then be mapped, monitored and managed. The various guidance documents issued by national governments (see above) provide assistance on how to do this.

Case study

Your business holds a range of important customer data and is procuring outsourced ICT services under a long-term contract. You want to achieve a good total cost for the services. You are seeking quality services that enable you to benefit from technological improvements over time. You are interested in a mixture of managed services and cloud technology.

Apart from the traditional outsourcing legal requirements, as a lawyer you need to address cloud security and privacy issues. Ideally you will find out where the cloud storage is maintained and across which jurisdictions data will flow. Harmful code protection will also be paramount — malware and other virus attacks have become prevalent, eg see the Target cyber attack early this year. Additionally, the contract documentation should address procedures for updating software protections and dealing with disaster recovery should a successful cyber attack occur. Asset management, configuration control and supply chain logistics should also be investigated.

Your client / business needs to know where the equipment / hardware used to provide the ICT services is sourced and how ongoing support (including patch management) will be managed. Asset register obligations may be relevant depending on the nature of the services (for example, in a managed service equipment needs to be identified and tracked). Thus as a lawyer you need to think at a broad organisational level to ensure your contracts and policies address end-to-end business requirements. Then at the business level, the business needs to consider the outsourcing cost against risks and business impacts from cyber security breaches, among other things.

Conclusion

Criminality and fraud, quite apart from terrorist activity, have gone digital, along with other business disruptors, so a cyber security governance framework with relevant compliance monitoring is essential.

Organisations need to identify and assess cyber security risks in accordance with their level of risk tolerance, informed by a proper understanding of the rise of digital crime and fraud. Risk tolerance will be dependent on the nature of the organisation's business, its ability to transfer, avoid or mitigate the risk and the impact of the risk on the organisation's delivery of goods or services.

As with all risk management, there is no one-size-fits-all approach. However, the steps outlined above should assist any organisation in creating a robust, nimble and practical cyber barricade.

You might also be interested in...

• Australia in a digital age: Are you cyber secure?
• Big data and the public sector

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.