Australian organisations face a perilous, rapidly evolving cyber threat landscape. Legal risk puts lawyers on the front line of defence, yet 38 per cent of lawyers surveyed have not participated in a cyber crisis simulation and only 19 per cent have a legal-specific incident response plan, an increasingly concerning gap in preparedness.
These are the findings of a new report from global law firm Herbert Smith Freehills, Cyber Ready? Australian Businesses Rise to the Challenge, which explores the impact of cyber incidents and the changing role of lawyers. The report, released today, analyses a landmark survey of over 120 legal leaders from Australian businesses, including more than 80 General Counsel.
Commenting on the cyber threat landscape, Herbert Smith Freehills’ partner Cameron Whittfield, APAC Head of Cyber Security, said that as businesses build their cyber resilience, “Australia’s relative wealth and commitment to digitisation makes it a target for the next wave of cyber threat actors”.
Whittfield explains, “Although the views of boards and CIOs have been shared widely, our survey results reflect the views of legal leaders who have a clear line of sight across the organisation, including the board.
“In-house legal leaders are attuned to managing risk and are often front-and-centre in any cyber crisis. They are a sound bellwether for risk.
“Australian businesses and their boards have never been under more scrutiny about their cyber resilience, as they respond to cyber security threats, compounded when many are responding to a dynamic and shifting business and regulatory environment”.
Empowering legal teams
The report explains that for lawyers to effectively respond to cyber-attacks, they need to be empowered and activated to manage digital risks – they need to be part of the preparatory work and be prepared for the myriad of legal issues that will unfold at pace.
“Many companies are preparing for attacks in ways that do not actually reflect the way the attack plays out,” Whittfield adds.
“The legal and regulatory risks are significant and acute. In our experience, the lawyers are front and centre when a cyber crisis unfolds. In fact, they often play a breach coach role, coordinating the response.”
Respondents’ accounts of where responsibility for incident response sits show a fundamental shift, with incident response moving from IT professionals to lawyers, who are experienced in managing risk and crisis response.
Whittfield explains, “In the first 24 hours, you don’t want to be educating key internal stakeholders or building the plan as you execute it. Significant benefits come from clearly defined roles. Increasingly, as lawyers take up the role of ‘breach coach’, they are coordinating the response.
“Positively, 58% of respondents have someone in their legal team specifically tasked with cyber and data issues. I am sure this is a material change from how legal teams used to be made up”.
Pressure on boards
The report reflects on the role of regulators, who have sent directors a clear message on cyber resilience as threats increase. Survey respondents noted that their boards are bolstering cyber defences: three quarters of respondents said their boards had been educated about cyber risks in the last twelve months, and one third reported having cyber expertise on the board.
“Expertise for the board is less about who sits on the board, than the information they are getting and the processes they are following. Boards need to understand the risk and the company’s security posture, and based on this they can set the company’s risk appetite. Understanding the answer to a question is as important as the question itself,” Whittfield said.
“Boards have the most impact in the preparation phases. Effective preparation enables an organisation to fulfil its legal obligations, limit regulatory and litigation risks, as well as to protect individuals and shield a company from reputational damage.
“We were somewhat surprised that many boards were still to run a cyber crisis simulation. Respondents confirmed that almost one-third had not held one, and a further 25 per cent of respondents were unable to confirm one way or the other.
“This shows two things, the first being that boards have some work to do here. But we also appear to have a disconnect between actual cyber-attacks where the lawyers are often front and centre, and the preparation for these where the simulations are not being done or the lawyers are not involved”.
The survey shows that many boards are yet to form a view as to whether they would be open to paying an extortion demand, and two thirds of the respondents are unaware of their board’s position on extortion payment. We know that companies will be faced with this decision, so it remains important for them to assess the threshold question of whether they would be “open” to payment.
Reducing the attack surface
The report emphasises that one of the best ways to manage the risk of a data breach is to limit the attack surface.
“We must ask ourselves what data are we collecting, why are we collecting it, and when we are finished with it, why are we still holding it”, Whittfield said.
“42% of respondents remain concerned about their company’s data retention practices, indicating that we still have work to do in this regard. It’s a very challenging area, with companies looking to revisit and address legacy data collection practices.
“This is a matter for legislators too. Many companies are constrained by outdated data retention obligations which do not reflect practices of the modern digital economy.”
The survey was conducted from 2 June to 3 August 2023. It was anonymous and promoted widely to leaders of in-house legal teams in Australia.