2022: The Year of Cyber Awareness

Introduction

2022 was a landmark year in the world of cybersecurity awareness, especially in Australia. 2022 will, for the foreseeable future, be remembered as a year that catapulted cybersecurity to the forefront of people’s minds (and the headlines), as we witnessed two of the biggest cyber attacks in Australian history, impacting millions of Australians. 
 
As we embark on a new year, we take stock of the year that was, including reviewing the major breaches, legislative changes, action taken by regulators, role of cyber insurance and the impact of these developments on companies and their directors.

The year that was

Cyber breaches are a frustrating and predictable part of modern life. The convenience of smart phones, online shopping and banking, and our increasingly digitised world comes with the inevitable risk of cyber attacks. Hardly a day goes by without news of another data breach or cyber incident whether here in Australia or abroad.

According to the Australian Cyber Security Centre, cybercrime was reported every 7 minutes in Australia in the 2021/2022 financial year.[1] The significant cyber breaches at Optus (impacting approximately 10 million Australians) and Medibank (impacting approximately 9.7 million Australians) in 2022 moved cybersecurity to the top of the agenda for Australian individuals, businesses, company directors and the Australian government alike. As Minister for Home Affairs Clare O’Neil put it, the breaches of 2022 were a “national wake-up call”, and they took cybersecurity from a conversation that occurred in the boardroom to a conversation that is now also had at the kitchen table.[2] Much to the relief of cybersecurity experts across Australia, following these major breaches, corporate Australia and individuals alike began to treat cybersecurity with the seriousness it deserved.

Litigation & liability update

OAIC investigations

Both Optus and Medibank are being investigated by the Office of the Australian Information Commissioner (OAIC) following their high-profile breaches.
 
As against Optus, in October 2022, the OAIC announced that it had commenced an investigation into its handling of consumer data and whether it complied with the Australian Privacy Principles (APPs). Maurice Blackburn also made a representative complaint to the OAIC for breach of the Privacy Act 1988 (Cth) (Privacy Act). The complaint alleges that Optus breached privacy laws by failing to adequately protect the personal information of its current and former customers.
 
As against Medibank, in December 2022, the OAIC announced that it had commenced an investigation into the personal information handling practices of Medibank in relation to its notifiable data breach. The matters being investigated include whether Medibank took reasonable steps to protect the personal information it held and to implement systems to ensure compliance with the APPs.
 
Maurice Blackburn has also lodged a representative complaint to the OAIC against Medibank alleging that the health insurer breached privacy laws and failed to adequately protect the personal and health information of its current and former customers.
 
On 16 January 2023, Maurice Blackburn, Bannister Law and Centennial Lawyers announced that they had entered into a joint cooperation agreement to combine their pursuit of Medibank via the OAIC.
 
Slater & Gordon has also announced that it is investigating a possible class action against Optus to potentially claim compensation for persons impacted by the data breach.
 
The Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention of the Privacy Act. We will be watching very closely as these cases unfold in 2023.
 
ASIC prosecution
 
2022 also saw the first prosecution by ASIC for inadequate cybersecurity measures in the case of ASIC v RI Advice.[3] On 5 May 2022, the Federal Court found that RI Advice, an AFSL holder, breached its AFSL obligations to act efficiently and fairly under sections 912(1)(a) and (h) of the Corporations Act 2001 (Cth) (Corporations Act) by failing to have an adequate risk management system in place to manage cybersecurity risks.
 
In the judgment, Her Honour Justice Rofe stated, “cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
 
While the case against RI Advice did not impose a new obligation on AFSL holders regarding cybersecurity, it reinforced the need for AFSL holders to ensure that they have controls in place to ensure adequate cyber resilience and security measures.
 
Company directors could also take heed and apply the same principles to their fiduciary duties under the Corporations Act by understanding that cyber risk is a business risk that needs to be actively managed and monitored to ensure the company is resilient in the face of increasing cybercrime. Following Optus and Medibank in 2022, company directors around the country have elevated cybersecurity to the top of the boardroom agenda. This applies not only to private sector companies, but also not-for-profit and other vulnerable organisations which have also been targeted by cyber criminals.
 
While there is no indication of action by regulators or the public against the company directors of Optus or Medibank, this is not precluded from occurring in the future should directors be found to have breached their duties under the Corporations Act. APRA also made it clear that it would “intensify its supervision of all entities not meeting the Information Security Prudential Standard CPS 234”[4] following the Medibank data breach.
 
In the US in 2022, we saw Uber’s former chief security officer convicted of obstruction of justice for his role in concealing a 2016 data breach which involved the compromise of approximately 57 million personal records of drivers and passengers. This case was the first criminal conviction in the US of a senior executive for concealing a cyber incident from regulators, and a press release from the prosecution relevantly said: “… companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur.”[5] Sullivan, the former executive, faces imprisonment for his conviction.
 
While we have not seen anything as sinister as the Uber case in Australia, the key message is that cyber incidents can have serious ramifications, and the obligation of company directors and officers in managing cyber risks and responding to incidents is paramount. Insurers of directors and officers should also be mindful of this risk.

Latest legislative amendments

We saw some significant legislative changes emerge both prior to and after the Optus and Medibank breaches in 2022.
 
Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022
 
The high-profile cyber incidents of 2022 have driven a conversation about changes to the Privacy Act and the way that privacy and data is managed in Australia.
 
Following Optus and Medibank, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced to parliament and became law on 13 December 2022. It introduced a number of key changes, the primary one being an increase in penalties for “serious and repeated” privacy breaches from $2.2 million to the greater of: (a) $50 million; (b) three times the value of the benefit obtained through the contravention; or (c) 30% of a company’s turnover during the period of the contravention.
 
The swift nature in which these amendments were introduced into law was no doubt influenced by the quick succession in which the Optus and Medibank incidents occurred, and the impact they had on millions of Australians.
 
The increase in the maximum amount for penalties has brought Australia in line with global standards. In Europe and the UK, under the General Data Protection Regulation, fines can be up to €20m, or 4% of global company turnover in the previous financial year.
 
Security of Critical Infrastructure Act 2018 (Cth)
 
The cybersecurity of critical infrastructure is paramount, for obvious reasons. Australians rely on critical infrastructure daily, be it electricity, water, food or healthcare. We know from incidents occurring overseas and also in Australia that an attack on critical infrastructure can be devastating. 
 
We saw a tranche of reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) in late 2021 and throughout 2022 which expanded the SOCI Act so that it became applicable to 11 sectors (rather than 4), including financial services and markets, food and grocery and health care, and 22 asset classes. 
 
We also saw the introduction of positive security obligations on entities covered by the SOCI Act, including:
  1. Register: All sectors covered by the SOCI Act are required, on an ongoing basis, to provide certain information about their operations, interests and controls to the Secretary, to be included on the Register of critical infrastructure assets. While this obligation existed prior to the reforms, it is now applicable to a broader range of sectors.
  2. Mandatory reporting: Cyber security incidents are to be reported to the Australian Cyber Security Centre within 12 hours if they have a “significant” impact on the asset, or within 72 hours if they have a “relevant” impact on the asset.
  3. Risk management program: This program, intended to “uplift core security practices that relate to the management of critical infrastructure assets”,[6] requires responsible entities to identify and minimise or eliminate “material risks” that could have a “relevant impact” on the asset. The draft rules and guidance (which identified ‘material risks’ as cyber and information security hazards, personnel hazards, supply chain hazards and physical/natural hazards) were open for consultation with industry in October 2022, and another consultation is scheduled for March 2023.

Privacy and Personal Information Protection Act 1998
 
On 28 November 2022 the Privacy & Personal Information Protection Amendment Bill 2022 passed, introducing amendments to the Privacy and Personal Information Protection Act 1998 (NSW).
 
These amendments introduced certain obligations on public sector agencies in NSW, including:
  1. immediate notification to the Commissioner of eligible data breaches that affect public sector agencies;
  2. mandatory notification to each affected individual where an eligible data breach has occurred;
  3. obligation to keep on the public sector agency’s website for 12 months, a register of eligible data breach notifications;
  4. obligation to establish and maintain an internal register of eligible data breaches;
  5. increased powers for the Commissioner, including to investigate and report on those data breaches and to ensure notifications are made by affected agencies; and
  6. obligation to prepare and publish a data breach policy and make this policy publicly available.
These amendments will come into effect 12 months following assent, on 28 November 2023, providing public sector organisations with a grace period in which to prepare systems to ensure compliance with the amended legislation. More information about these legislative amendments can be found in this Hicksons article.

Insurance

It is no secret that cyber insurance has been a hot topic of discussion for a number of years, and certainly over the last 12 months. Cyber insurance remains a key mechanism not only for ensuring organisations have relevant cybersecurity measures in place, but also for risk transfer. It is one of the many tools organisations can use to manage their cyber risk.
 
But what happens when company directors are the target of litigation following cyber incidents, for alleged shortcomings when managing the company’s cyber risk? Should directors’ and officers’ insurance policies cover claims arising from cyber incidents? Or should claims arising from cyber incidents be excluded from D&O policies? These are some of the issues facing the industry. As the risk grows some D&O policies may exclude claims arising from cyber incidents. This is something for company directors to consider when obtaining D&O insurance.

Another important issue when it comes to insurance for cyber risk is considering what cover your organisation requires, and whether the specific policy wording provides the cyber risk cover needed. As we saw in the case of Inchcape v Chubb,[7] where the policy is not a standalone cyber policy (the policy in question was a Financial Institutions Electronic and Computer Crime Policy), there may not be cover for the consequential losses following a cyber incident, such as the costs of incident response. It is therefore critical for organisations to ensure that they obtain a policy with adequate and appropriate cover for cyber risk.

Key takeaways

While organisations and individuals can certainly reduce their risk of exposure to cyber attacks, it is widely acknowledged that reducing one’s cyber risk to zero is near impossible. In those circumstances, what did we learn in 2022 from these major cyber incidents? Some key takeaways include:
  1. Amendments to legislation have led to increased penalties for data breaches and mandatory reporting of cyber breaches for critical infrastructure and NSW public sector agencies.
  2. Incident response following a cyber-attack is pivotal. The initial response of the organisation’s directors and executives, communications to affected individuals and steps taken in the incident response process are of paramount significance and should be executed swiftly and in compliance with legal obligations.
  3. Cyber insurance is a key part of an organisation’s risk management plan and an option for risk transfer, but it is only one aspect of cyber risk management. Company directors need to use a wide lens and consider all aspects of the business when assessing and managing their organisation’s cyber resilience. 
  4. Cyber risk is a business risk. If company directors are not treating cybersecurity as a key agenda item, particularly in times of geopolitical instability and increased cybercrime, then there is a serious risk of liability for those directors should there be a cyber incident impacting their organisation.
  5. In order for Australia to become cyber resilient as a nation, it is necessary for company directors, executives, government, insurers, consumers, cybersecurity and cyber risk experts and all relevant stakeholders to work together towards a common goal: cybersecurity and resilience. 

Should you have any queries regarding cyber risk or cyber insurance, please contact Hicksons’ Partner, Persia Navidi at [email protected].
 
This article was authored by Hicksons’ Partner, Persia Navidi, and Solicitor, Daniel Coppel.


[1] Australian Cyber Security Centre Annual Cyber Threat Report, July 2021-June 2022
[2] Clare O’Neil, address at the Home Affairs Summit, 16 November 2022
[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496
[4] APRA’s interim response to Medibank cyber breach, 28 November 2022
[6] Cyber and Infrastructure Security Centre, Risk Management Program, August 2022
[7] Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883
