Recent publications released by two Australian government authorities have highlighted the growing cyber threat to Australian businesses and the regulatory response to that threat.
In this article we look at the recent Australian Cyber Security Centre Threat Report 2015, which provides a helpful overview of the current cyber threat landscape. We also consider ASIC’s Corporate Plan 2015-16 to 2018-19 and what Australia’s corporate regulator has to say about the role it has to play in enforcing cyber risk management.
The Australian Cyber Security Centre Threat Report 2015
The Australian Cyber Security Centre (ACSC) was established in November 2014, bringing together cyber security capability from different government bodies into one hub aimed at combating serious cyber security threats.
Less than one year into its operation, on 29 July 2015 the ACSC issued its first unclassified threat report, describing the cyber threat to Australian organisations as being “undeniable, unrelenting and continuing to grow“. See the full report here .
The report provides a succinct and helpful overview of the current threat landscape facing Australia.
Cyber adversaries and their activities
The report outlines the three types of “cyber adversary” motivated to target Australian networks:
- Foreign state-sponsored employees, including nation-states, seeking economic, foreign policy, defence and security information for strategic advantage;
- Serious and organised criminals who are financially motivated to exploit and access for financial gain; and
- Issue motivated “hactivists” and individuals causing a nuisance while attempting to draw attention to their causes.
The report then provides an overview, and specific case studies as examples, of the main type of activities targeting Australian networks. These include the following:
- Cyber intrusions – the gaining of access to a computer or device without the owner’s permission. A trend that the ACSC particularly notes is the use of “spear phishing”, or socially engineered emails, where a carefully crafted message entices the user to click on a link by appearing to be from a business with whom that user deals with regularly;
- Watering-hole techniques – a watering-hole is a legitimate and trusted website that, unbeknownst to the owner of the website, is compromised by a cyber adversary in order to target frequent visitors to that site. Not only does this impact the visitors who may, for example, end up being the recipients of malware, but it also has an obvious impact on the owner of the website whose site may end up being blacklisted resulting in a drop in revenue;
- Malware – malicious software which facilitates unauthorised access to a system, continues to be the predominant cybercrime threat in Australia, with new malware types being regularly developed and released and antivirus software not being able to detect all new variants;
- Ransomware – also known as cyber extortion, this is where malware is used to lock a computer’s content and the cyber adversary requires the victim to pay a ransom to regain access; and
- Distributed denial of service (DDoS) – this is when a collection of multiple infected computers, controlled by a cyber adversary, are used to consume the amount of available bandwidth or processing capacity of an online service and so prevent legitimate access to that service. A growing trend is for extortion attempts against organisations where the cyber adversary demands payment of a fee under threat of a DDoS attack.
The impact on Australian businesses
With Australian businesses the subject of increasing incidence of cyber attacks, the impact and cost can be significant. Some of the impacts identified by the ACSC in the report include:
- Theft of intellectual property or commercially sensitive information, which can impair reputation, profitability and competitiveness, limit business opportunities and undermine the very viability of the company’s business;
- Various costs arising from cybercrime such as financial losses from fraud, costs of immediate responses and system remediation costs;
- Business interruption consequences, such as the example given of various Pizza Hut outlets that were unable to serve customers for up to two hours and, in some cases, an entire day, while computers were re-imaged as a result of a malware compromise affecting Point of Sale systems;
- As to ransomware incidents, the cost of the ransom itself is often modest (e.g. the TorrentLocker variant of ransomware identified in February 2014 saw ransom amounts ranging from A$500 to A$600) but the true cost is often for the subsequent system repairs; and
- There is also reputational impact to businesses whose identity and brands are misappropriated as part of social engineering techniques designed to trick customers. Significant costs, as well as time, are then incurred in informing customers about such scams and improving security. The ASCS reports on one prominent Australian corporate victim whose brand was exploited by TorrentLocker and then had to spend A$185,000 in monitoring, takedown actions against malicious domains and brand protection.
The ACSC concludes that “Australia must remain vigilant, proactive and resourced to meet the challenges of a complex cyber environment”.
ASIC’s regulatory response to cyber risk
In March this year, the Australian Securities and Investments Commission released its Cyber Resilience Report. The corporate regulator suggested that cyber resilience was not just a matter of good practice but also a matter of compliance with specific legal obligations and signalled an increasing interest in exercising its regulatory scrutiny in relation to cyber risk management (see our article here) .
Strategic priorities in corporate plan
ASIC has now, in August this year, released its Corporate Plan 2015-16 to 2018-19, highlighting cyber resilience as one of ASIC’s key strategic priorities for the next three years. The plan can be found here . ASIC’s approach was also reiterated in a speech given on 24 September 2015 by ASIC Commissioner John Price (see here) in which the Commissioner indicated that cyber resilience was one of the critical issues that keeps him awake at night.
ASIC’s plans to respond to the increasing threat of cyber attacks are dealt with under the heading “Digital disruption” given that ASIC sees the increased risk of cyber attacks as something that sits against the backdrop of ever increasing technological change.
Consistent with ASIC’s role of protecting investors and regulating markets, it sees the “increasing incidence, complexity and reach of cyber attacks” as a matter that can “undermine businesses and destabilise our markets, eroding investor and financial consumer trust and confidence in the financial system and the wider economy“.
ASIC says its focus in relation to cyber risks will be on:
- Promoting cyber resilience;
- Identifying potential cyber attacks in our markets through real-time market monitoring; and
- Ensuring compliance with licensing obligations, including the need for adequate technological resources and risk management arrangements, and disclosure obligations.
As to how it intends to promote cyber resilience, ASIC says it will:
- Improve awareness of cyber resilience, and increase the profile of the issues;
- Incorporate cyber resilience in its surveillance, particularly for those ASIC regulates that provide critical services such as financial market infrastructure;
- Coordinate and engage with other Government departments to identify cyber risks and build cyber resilience; and
- Continue to monitor market developments.
Potential use of enforcement powers
ASIC goes so far as to say it will respond to cyber threats through enforcement action, accepting enforceable undertakings or issuing infringement notices where ASIC identifies wrongdoing, for example, “deal[ing] with cases where companies and issuers disclosure provides insufficient information on cyber threats“.
Perhaps a foretaste of ASIC’s potential use of its enforcement powers is a recent regulatory action by the Securities and Exchange Commission in the United States against an investment advisory firm for poor cyber security practices. Coincidentally occurring only weeks after the release of ASIC’s Corporate Plan, the SEC settled charges against the adviser for breaching a federal securities laws which required registered investment advisers to adopt written policies and procedures to protect customer records and information, the SEC alleging no such policies or procedures were adopted. The firm’s web server suffered a hacking incident in July 2013, leaving the personal information of more than 100,000 individuals vulnerable to theft. The firm ultimately agreed to a penalty of $75,000 notwithstanding the fact that no clients had yet given any indication of suffering financial harm.
In Australia, the closest parallel obligation to that relied on by the SEC is probably Australian Privacy Principle 11 in the Privacy Act 1988 (Cth) which requires entities to take reasonable steps to protect the security of personal information. The Privacy Act is enforced by the Office of the Australian Information Commissioner, not by ASIC. Nevertheless, the SEC’s action is an early example of a securities and corporate regulator using the powers it has available to it to enforce cyber risk management, a step that ASIC has signalled it may well take going forward.
Against the backdrop of the threats highlighted by the ACSC’s recent Threat Report, ASIC, as Australia’s corporate regulator, is now increasingly speaking of cyber risk management as a matter of legal obligation. This way of looking at cyber risk began with ASIC’s Cyber Resilience Report earlier in the year. It has now, in ASIC’s recently released Corporate Plan, been allocated a front row seat in ASIC’s strategic priorities for the next three years.
Moreover, ASIC has flagged the possibility of exercising its regulatory enforcement powers in instances where it identifies relevant wrongdoing, including in relation to inadequate disclosure of cyber threats.
Accordingly, businesses need to be vigilant when it comes to managing their cyber risk, not only to protect their business but also to ensure they are complying with their legal obligations and to avoid potential regulatory action.
This article was written by Andrew Miers, Partner.