Cyber risk and litigation: Some guidelines for directors and boards
Internationally, cyber crime is estimated to cost businesses $10.5 trillion annually by 2025 [2]. Furthermore, in addition to losses to cyber criminals and resulting losses to individuals and investors, regulators in New Zealand and abroad are increasingly taking a close interest in what regulated firms are doing to manage cybersecurity risks.
Increased cyber crime results in increased litigation. Claims are made against companies that are victims of cyberattacks in which the private and personal information of their customers and others is released. Claims are made upon insurers when losses are suffered. Remedies are sought from banks and other financial institutions that do not prevent customers’ losses resulting from cyber crime. Regulators are increasingly focusing upon the adequacy of regulated entities’ cyber protections and the steps being taken by their boards.
Recently, the personal information of 9.7 million Medibank customers was stolen and posted online after the insurer declined to pay a ransom demand. This has resulted in two class actions in the Federal Court of Australia and a proceeding on behalf of the shareholders in the Victorian Supreme Court. In New Zealand, the Latitude cyberattack in March last year exposed the personal records of 14 million customers, including a million New Zealand driver licence numbers and 40,000 passport records. In response, the New Zealand Privacy Commissioner and the Australian Information Commissioner commenced a joint privacy investigation, a $1 million lawsuit has also been filed by one of the customers affected, and registrations are open for a potential class action against Latitude.
Company boards should take note. The World Economic Forum has expressed a view that boards need stronger foundations to govern cyber risks effectively [3]. In an Institute of Directors / ASB Bank survey, just 54% of directors reported that their boards regularly discuss cyber risk and are confident that their organisations have the capacity to respond to a cyberattack or incident [4].
In this article, we provide key considerations for how directors and boards might mitigate cybersecurity risks and respond to a cyber incident if one occurs.
- Managing cyber risks
- Establish an enterprise-wide cyber risk management framework:
- Understand the legal environment:
- Identify, categorise and address the risks:
- Improve long term cyber risk management:
- Regular reviews and assurance: Conduct regular reviews of cybersecurity strategies and security audits to identify vulnerabilities and assess the potential impact of a cyberattack. Results should be measured against success criteria such as time to detection, speed of response and recovery process.
- Strong cultural focus and training: For most organisations, the main point of cyber weakness is human frailty. Effective cyber resilience requires a strong ‘cultural’ focus driven by the board and reflected in organisation-wide programmes for staff awareness, education and random testing of staff and third parties to assess cyber-awareness.
- Invest in cybersecurity infrastructure: Implement robust cybersecurity measures, including firewalls, encryption, intrusion detection systems, and secure backup solutions, and keep them all up to date.
- Manage third-party risks: Steps include conducting due diligence (such as obtaining independent security attestation reports and certifications), and using contract terms to improve transparency and mitigate fourth-party risk, for example, by requiring suppliers to notify the organisation if their subcontractors or vendors experience a cybersecurity event.
- Ensure a comprehensive cyber and data breach response plan is in place:
- Responding to a cyber incident
- investigating the cause of a cyber incident;
- informing stakeholders about a cyber incident; and
- discussing existing or new cybersecurity processes.
- Maintaining privilege when responding to a cyber incident: lessons from the Optus class action
- Final remarks