FORTIFY PROTECT - MinterEllison
“In the face of heightened geopolitical conflict, intense regulatory focus and a reliance on technology as never before, organisations are facing a unique, perilous and escalating cyber risk landscape.”
Paul Kallenbach, Partner, Technology and Data

Foreword: The state of cyber risk in 2022

Welcome to MinterEllison’s seventh annual Perspectives on Cyber Risk report. In light of recent global events, a concerted focus on cyber risk and cyber resilience is more pressing than ever for Australian organisations.

With the COVID-19 pandemic now entering its third year, and countries and communities adjusting to the ‘new normal’ of hybrid work, education and leisure, our reliance on information and communications technology (ICT) has continued to increase. This, in turn, has brought with it increased cyber security risks and challenges.

In addition, following Russia’s invasion of Ukraine, it was widely reported that Russia employed offensive cyber capabilities early in the war. Reports indicate that Russia has continued in its attempts to disrupt not only Ukrainian networks and systems, but also those of countries that have criticised or sanctioned it.

Even before the onset of hostilities, cyber security had been a keen area of focus for the Australian Government, with the passage of significant amendments to Australia’s Security of Critical Infrastructure (SOCI) legislation in 2021. However, shortly after Russia’s invasion, Australia’s Cyber and Infrastructure Security Centre (CISC) issued a warning in 2022 to Australian organisations to urgently adopt an enhanced cyber security posture to address the increased threat of cyber attacks. Remarkably, CISC recommended that Australian organisations should begin voluntarily complying with the risk management program obligations in the second tranche of the SOCI legislation, even before that tranche had become law.

MinterEllison | Perspectives on Cyber Risk 2022
Subsequently, in the March 2022 Federal Budget, the Australian Government allocated A$9.9 billion over 10 years to the Australian Signals Directorate (ASD) to deliver a Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers package. This is the largest ever investment in Australia’s intelligence and cyber capabilities.

Within this context, there remains much for organisations to address in managing cyber risk – and it’s dominating Board and management agendas.

In this year’s report, we surveyed executive, legal and IT personnel across almost all sectors of the Australian economy to understand the impact cyber risk is having on their organisations – and what steps they’re taking to mitigate the risk.

Survey findings – combined with our interview insights from Chief Information Security Officers, Chief Technology Officers and Chief Digital Officers across a range of sectors – paint a telling picture of escalating cyber risk.

We also share an interview with Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre (ACSC), about Australia’s cyber security landscape now and in the future.

In addition, we explore recent developments in ransomware, consider the evolving regulatory landscape (including the new SOCI laws), and provide insights from industry leaders on how businesses are managing cyber risk in an increasingly fraught geopolitical context.

“There remains much for organisations to address in managing cyber risk – and it’s dominating Board and management agendas.”
Contents

00 Foreword: The state of cyber risk in 2022
01 Key takeaways
03 Developments during the last 12 months
07 Survey findings
08 Research insights and trends
11 A conversation with Abigail Bradshaw CSC
14 Industry spotlight
16 Spotlight on SOCI
18 Spotlight on ransomware
22 Practical steps for Australian organisations
24 How we can help
Key takeaways

1. With ransomware attacks more prevalent, the cyber risk landscape is ever more threatening

Our survey findings indicate an overwhelming majority (90%) of individuals have personally received an obvious phishing email or ransomware security threat in the last 12 months.

2020-21 saw a 15% increase in ransomware-related cybercrime compared to the previous financial year, as reported in the Australian Cyber Security Centre’s Annual Report. In 2020-21, the ACSC responded to nearly 160 cyber security incidents related to ransomware.

Many organisations we interviewed told us they had received additional budget to mitigate a ransomware attack – though few had developed a ransomware playbook to follow should one occur.

Governments around the world are responding. The Australian Government released its Ransomware Action Plan in October 2021, which sets out its intention to introduce ransomware-specific laws.

2. Board awareness and education is a primary concern as the risks escalate and the stakes become higher

56% of respondents told us that cyber security risk ranks high (in the top five) on their organisation’s corporate risk register. Increased regulation (including the new SOCI laws) imposes onerous new obligations on organisations across many sectors of the economy.

Within that context, Board members are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.

While the focus on cyber education may have waned during the peak of the pandemic, the current geopolitical circumstances – together with the ever-increasing volume and sophistication of ransomware and other cyber attacks, and the impact of recent regulatory change – mean there is a renewed and urgent focus on cyber education for Boards and executives, as well as staff at all levels across organisations.

The risks are higher and the impacts increasingly severe – and organisations need to act accordingly.
3. Australian organisations are finding it difficult to fill specialist cyber security roles

Many organisations said that finding qualified and experienced IT security personnel continues to be a significant challenge. This is exacerbated by the ‘great resignation’ and global resourcing issues, but the problem predates those.

Organisations with large volumes of data said they felt particularly exposed by gaps in their resources.

The outcome is evident in organisations’ actions. According to our survey, less than 50% of respondents said they have taken steps to assess their cyber security maturity against an established framework.

Despite the resourcing gap, organisations need to urgently adopt appropriate cyber assurance strategies to ensure that they are adequately protected.

4. Cyber insurance is becoming increasingly difficult to obtain – and is not a panacea

Cyber attacks, including those with ransom demands, are increasingly likely, as well as increasingly costly to insurers. And Abigail Bradshaw, Head of the ACSC, told us that cyber incidents are often under-reported.

In our one-on-one interviews, technology and information security leaders told us that cyber insurance is becoming increasingly more expensive and its coverage more limited – both in terms of the extent of policy exclusions, and the lower available limits.

More generally, leaders recognise that cyber insurance is not (and has never been) a panacea for cyber risk, and that they must continue to take proactive steps to uplift their cyber resilience. They do this by continuing to invest in appropriate detection technologies; by improving their cyber-related policies and processes; by educating and training their Boards, executives and staff on cyber risk; and by mitigating supply chain risk by ensuring that their key suppliers are doing all of these things.

Moreover, if these steps are not taken, it is likely to become more difficult (and expensive) to obtain cyber insurance – or it may even become a risk that cannot be insured against at all.
Developments during the last 12 months

Significant data breaches in Australia and around the world

Data breaches increasingly occur as a result of malicious and criminal attacks. However, human error continues to play a significant part in these attacks, with malicious actors often gaining access to systems by exploiting human mistakes and vulnerabilities.

The number of ransomware attacks has increased significantly – by more than 105% globally over the past 12 months. (See page 18 for a further discussion of the state of ransomware in 2022.)

- In June 2021, LinkedIn announced that the information of over 700 million users had been posted for sale on the dark web, affecting 92% of LinkedIn users, including Australian account holders. Interestingly, much of the information scraped by the unknown actors from LinkedIn was publicly available information.

- Australian recruitment company Finite was hit by a ransomware attack in December 2021, in which sensitive recruitment details from many Australian businesses were exfiltrated. This included information concerning personal details of job applicants and staff from many large Australian organisations, including Westpac, Coles, Adairs, AMP, NBN Co and various government departments. The attack has been attributed to the Conti group.

- In an unfortunate case of human error, the ACT Government was found to have published sensitive health information from nearly 30,000 workers’ compensation claims. The data was contained in a spreadsheet that remained publicly accessible on the ACT Government’s tender website for more than three years.

- In May 2021, more than 5 billion records held by cyber security analytics firm Cognyte were exposed. This included names, email addresses and passwords. Ironically, the information related to user details sourced from previous data breaches, including details from Myspace, Canva, Zoosk and Tumblr data breaches.

- In June 2021, global car manufacturer Volkswagen reported a data breach in which customer data – including full names, licence numbers, email addresses, mailing addresses and phone numbers – was exposed online for over 18 months.

- In September 2021, US retailer Neiman Marcus announced that it had become aware of a data breach that occurred in May 2020, whereby an ‘unauthorised party’ accessed names, addresses, credit card information and gift card numbers. The intrusion was only detected in September 2021. The breach included the exposure and potential theft of the personal information of 4.6 million customers including over 3.1 million payment cards.

- In November 2021, payroll software provider Frontier Software fell victim to a ransomware attack in which the personal information of over 80,000 South Australian public servants was stolen. The attack was orchestrated by Russia-based hacking group Conti, which employs ransomware to encrypt a victim’s data before attempting to sell them the decryption key. To date, Conti’s haul of ransomware payments is thought to exceed US$32 million.

- In November 2021, GoDaddy announced it had been victim to a data breach in which hackers stole information relating to more than 1.2 million of its users. The hackers used a compromised password to access GoDaddy’s core systems.

- In December 2021, cryptocurrency exchange BitMart suffered a large-scale security breach in which cybercriminals withdrew over US$150 million in cryptocurrency assets from the platform. BitMart blamed the attack on a stolen privacy key.

These latest examples illustrate the scale and cost of the threat that organisations are facing.
Recent developments: Regulatory developments

Cyber security has been a consistent area of focus for the Australian Government during the last 12 months. We’ve seen significant legislative change introduced, intended to address increased cyber threats. Organisations face a number of new hurdles as the cyber security regulatory landscape becomes increasingly complex.

SOCI laws

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (First Amending Act) came into force in December 2021. The First Amending Act amends the scope of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), which underpins a framework for managing risks relating to critical infrastructure. The First Amending Act extends the obligations under the SOCI Act to a broader range of sectors, now 11 in total compared to the original four:

- communications
- data and storage or processing
- financial services and markets
- water and sewerage
- energy
- healthcare and medical
- higher education and research
- food and grocery
- transport
- space technology
- defence industry.

The First Amending Act also introduces new obligations empowering the Australian Government to issue information gathering and other directions. In addition, if ‘switched on’ for a particular sector by Ministerial Rules, the new obligations:

- mandate cyber security incident reporting; and
- require certain entities to maintain a register of critical infrastructure assets containing specified information.

The Minister for Home Affairs enacted these Rules on 6 April 2022. The Rules include a three-month transition period for the incident reporting obligations, and a six-month transition period for the asset register obligations.

On 31 March 2022, the Australian Government passed the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Second Amending Act). The Second Amending Act introduces the following into the SOCI Act:

- if ‘turned on’ for particular assets, entities responsible for critical infrastructure assets must adopt and maintain a critical infrastructure Risk Management Program;
- the introduction of a new sub-class of protected assets, called Systems of National Significance (SoNS). The Second Amending Act sets out the process by which the Minister can declare a critical infrastructure asset to be a SoNS, and prescribes enhanced cyber security obligations for SoNS; and
- making certain ancillary amendments and insertions to the SOCI Act, such as amending certain definitions relating to critical infrastructure assets specific to each critical sector, and introducing information sharing provisions for regulated entities.

Refer to page 16 for further information about the new SOCI laws.
Recent developments

Ransomware-specific laws

In response to the ever-growing threat of ransomware, the Minister for Home Affairs released the Ransomware Action Plan, followed by a Bill that would implement key aspects of the Plan. Refer to page 20 for a discussion of the Plan and other ransomware-related developments in 2022.

ASIC Market Integrity Rules

In March 2022, the Australian Securities and Investments Commission (ASIC) introduced the ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74. These new Rules will commence on 10 March 2023, and will:

- impose additional obligations on market participants and operators in relation to technology and operational resilience; and
- reinforce ASIC’s broader regulatory focus on deterring inadequate systems and uplifting operational governance and controls.

Some of the organisations that will be subject to the new Rules are already required to comply with Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security. However, the Rules will nevertheless impose a further layer of information security and operational resilience obligations on these and other organisations.

Draft Privacy Act amendments

The exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) was released in October 2021. The Bill proposes to introduce a new binding online privacy code for social media and certain other online platforms. It would also increase the penalties and enforcement powers applicable under the Privacy Act 1988 (Cth) (Privacy Act). For example, the draft legislation proposes to increase the maximum civil penalty for a serious and/or repeated interference with privacy to 2,400 penalty units for an individual (which currently equates to A$532,800), or for a body corporate an amount not exceeding the greater of:

- A$10 million; or
- three times the value of a benefit obtained by the body corporate from the conduct that was a serious or repeated interference with privacy; or
- 10% of domestic annual turnover, if a value attributable to the interference cannot be determined.

Other proposed enforcement mechanisms include new powers conferred on the Office of the Australian Information Commissioner (OAIC) to issue enforcement notices.

Concurrently, the Commonwealth Attorney-General released the next round of consultation on the broader Privacy Act review, through its Discussion Paper. This Paper (which follows an earlier Issues Paper) sought submissions on the broader proposed amendments to the Privacy Act, as recommended by the Australian Competition and Consumer Commission in its Digital Platforms Inquiry Final Report. The Discussion Paper, among other things, sought feedback on the effectiveness of the Notifiable Data Breach Scheme under Part IIIC of the Privacy Act.

The consultation periods for the Online Privacy Bill and Discussion Paper have now closed, and we await the Australian Government’s response.
Recent developments: Trends in regulatory enforcement

The OAIC continues to pursue Facebook in Federal Court proceedings and has issued a robust warning to organisations that seek to rely on biometrics to exploit personal information.

Facebook, Inc.

In February this year, the Full Bench of the Federal Court rejected Facebook, Inc.’s appeal to set aside an earlier ruling granting the OAIC leave to serve legal documents on the US-based entity.

The earlier ruling found that the OAIC had established a prima facie case that Facebook, Inc. was carrying on business in Australia, on the basis that it was collecting and holding personal information in Australia at the relevant time, and was therefore subject to the requirements of the Privacy Act.

The OAIC initially filed proceedings against Facebook in March 2020, alleging that the platform committed serious and/or repeated interferences with privacy in connection with the Cambridge Analytica scandal.

Facebook has since filed an application for special leave to the High Court, so this initial question is not yet fully litigated.

The case is particularly significant because it is the first penalty proceeding under the Privacy Act that will consider whether an organisation’s actions, in this case Facebook’s, amounted to a serious and/or repeated interference with Australians’ privacy.

Biometrics

As biometric technology continues to develop and its use becomes more widespread, we have seen the OAIC pay particular attention to the adoption of this technology and its impact on Australians’ privacy.

In the past 12 months, the OAIC has issued determinations regarding the collection of sensitive biometric information by organisations.

Most notably, in November 2021, the OAIC issued a determination that Clearview AI had breached the Privacy Act by scraping biometric information from the internet and disclosing it through its facial recognition tool.

Clearview AI’s facial recognition tool scrapes social media platforms and other publicly available websites to obtain facial images. The tool allows the user to upload an image that is then cross-referenced against its database to assist with identification of the individual.

In her determination, Australian Information Commissioner Angelene Falk warned that “by its nature, this biometric identity information cannot be reissued or cancelled and may also be replicated and used for identity theft. Individuals featured in the database may also be at risk of misidentification.”

The OAIC has therefore put organisations on notice that they should carefully consider whether the use of biometrics is necessary for their functions and activities, and should ensure that any such use meets the expectations of Australians for the protection of their personal information.

Additionally, the OAIC issued a determination that the Australian Federal Police (AFP) failed to comply with its privacy obligations in its use of the Clearview AI platform. Among other things, Commissioner Falk found that the AFP did not have appropriate systems in place to identify and track the use of technology involving personal information handling, and failed to complete a privacy impact assessment before using the platform. The AFP has been directed to engage an independent third-party assessor to review any residual deficiencies in its practices in relation to privacy assessments.
Survey findings

In February 2022, we conducted our annual Cyber Risk survey. We received responses from executive, legal and IT personnel across almost all sectors of the Australian economy. Key insights from the results were:

The survey results indicate that malicious cyber activity is prevalent, with a quarter of respondent organisations being subject to a cyber security incident that compromised their systems or data, and 90% of respondents having personally

[Survey infographic: 90%]
Research insights and trends

Areas of focus

In addition to our quantitative survey, we spoke with technology and information security leaders across a range of industries to gain a more in-depth, qualitative understanding of the current cyber security issues of focus and the measures that they are implementing. Together, this research identified seven key trends:

1. Increased focus on ransomware threats

The ever-increasing risk of a ransomware attack is a key focus for IT security personnel, and organisations are implementing a range of technical, personnel and policy measures to mitigate the risk of ransomware attacks and prepare for an attack should it occur. Although 90% of our surveyed respondents reported receiving an obvious phishing email in the last 12 months, only one of the industry leaders we spoke with told us that their organisation had suffered a ransomware attack in the previous 12 months.

However, all of the organisations we spoke with recognised that ransomware threats pose a significant risk to their organisation. Some organisations said that they have received additional budget to support their efforts in mitigating this threat.

Various organisations have engaged specialised third parties to manage endpoint security, and have implemented enhanced technical controls (such as data and network segmentation) in anticipation of a ransomware attack.

Interestingly, almost all organisations told us that they had not yet developed a specific ransomware policy or playbook to address (for example) escalations and decision-making authorities; the legal and reputational factors to be considered when making a ransomware payment; and employee, customer and regulator communications strategies should a ransomware attack occur.

2. Focus on mitigating risks posed by the supply chain

A number of industry leaders focused on the supply chain as a key risk for their organisation.

They said that they are addressing this risk by implementing additional technical and organisational controls (including by more carefully vetting their suppliers and including additional rights in their contracts); and by exercising current contractual audit rights, for example, by issuing IT security-based questionnaires to their key suppliers.
Concern regarding

[Survey infographic: 56%]
Lessons from industry leaders in managing cyber risk

1. Develop ransomware-specific safeguards and policies
2. Conduct regular tests of cyber incident response plans and update those plans as necessary
3. Conduct regular and tailored cyber attack simulation exercises
4. Conduct tailored cyber security education programs for the Board and executives, as well as for employees across the organisation
5. Focus on mitigating supply chain risk, including by implementing appropriate technical and organisational controls
6. Benchmark the organisation’s cyber security practices against external standards and frameworks – including by reviewing the organisation’s approach to the identification of critical assets; patching; application whitelisting; adoption of multifactor authentication; implementation of network and data segmentation; and reviewing and improving backup strategies
7. Join industry groups and networks to keep up to date with current cyber threats and trends
A conversation with Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre

In early 2022, we asked the Head of the ACSC about Australia’s cyber risk landscape – the trends, the challenges and the ACSC’s advice. This is what she had to say.

Q: Describe the ACSC’s role in assisting organisations who have suffered a cyber attack, and the advantages of notifying the ACSC of an attack.

The ACSC, which sits within the ASD, leads the Australian Government’s efforts to improve cyber security. Our role is to help make Australia the most secure place to connect online. We provide technical advice and assistance, including remediation advice, and raise advisories and alerts to warn other organisations, business sectors or the entire nation if necessary. Reporting cyber incidents is vital to develop a national threat picture, alert other potential victims and provide Australians with the best cyber security advice.

Research indicates that cyber incidents are often under-reported. Not reporting cyber incidents can hamper an organisation’s efforts to respond or recover from a cyber incident. It also diminishes the value of any threat intelligence that the ACSC might use to help other Australian businesses and individuals. When cyber incidents are reported, the ACSC can support victims and leverage the unique experience built over 75 years by the ASD, including a capacity to strike back. The ACSC can also refer incidents to law enforcement or other investigating agencies where appropriate.

Q: Has the ACSC identified any trends in cyber attacks over the last 12 months? If so, please describe them.

Our Annual Cyber Threat Report 2020-21 identified a number of trends in the threat environment. There was a 15% increase in ransomware-related cybercrime reported via the ACSC’s ReportCyber tool in FY 2020-21, compared to the previous financial year. The ACSC also responded to nearly 160 cyber security incidents related to ransomware.

Our data shows one-quarter of ACSC-recorded cyber incidents in FY 2020-21 affected Australia’s critical infrastructure, including essential services such as education, health, communications, electricity, water and transport. In 2021, a ransomware attack affected one of Melbourne’s larger metropolitan public health services. An effective and coordinated incident response minimised disruption.

In December last year, the ACSC alerted Australians to the significant Apache Log4j vulnerability. We saw malicious actors hunting for vulnerabilities to exploit. We wasted no time in providing advice on our website. If unaddressed, the vulnerability could allow cybercriminals to break into an organisation’s systems, steal login credentials, extract sensitive data and infect networks with malicious software.

Australia also remains a regular target of state-sponsored actors who rapidly exploit vulnerabilities, including weaknesses in software supply chains. State-sponsored threat actors employ a wide range of tactics to target Australian networks, seeking sensitive information that could be used to weaken Australia’s competitive advantage and degrade national security.
Q: What does the ACSC perceive to have been the biggest challenges for organisations in responding to cyber attacks over the past 12 months?

Cyber threats and cybercrime against Australia continue to evolve. These threats include an increase in sophisticated ransomware attacks, data breaches, online fraud and business email compromise (BEC).

In September 2020, an Australian hedge fund was subject to BEC. This involved false invoices with the company transferring A$8.7 million to bank accounts controlled by the offenders. The business was forced to go into receivership and the attack resulted in bankruptcy. This was likely Australia’s first bankruptcy case as a direct result of cybercrime.

We’re also seeing the effects of the COVID-19 pandemic, including in the way organisations have shifted many processes and services online, and moved to remote work arrangements. Some remote working solutions were hastily implemented, leaving organisations vulnerable to cyber threats because employees were using old or unpatched devices, and not using virtual private networks (VPNs). The ACSC, through its Partnership Program and Joint Cyber Security Centres, can assist Australian organisations navigating cyber security challenges.

Q: From the ACSC’s interactions with organisations following a cyber attack over the last 12 months, how does the ACSC perceive organisations’ preparedness to respond to cyber attacks? Has this changed over the last few years?

In FY 2020-21, many of the compromises experienced by Australian organisations could have been mitigated by taking simple steps to protect systems. The ACSC, in partnership with cyber security agencies in the UK and the US, issued a joint advisory after observing an increase in sophisticated, high-impact ransomware incidents. Cybercriminals were gaining access to networks via phishing, by using stolen Remote Desktop Protocol credentials or brute force, and by exploiting software vulnerabilities.

In light of the increasing prevalence of cyber attacks, it is critical that entities have measures in place to respond to cyber security incidents, to protect not only their organisations, but also their clients and customers. Organisations need to be asking questions of themselves and those they deal with, including for example how they will respond to an incident, whether they have a regular patching program and whether they have a practised cyber incident response plan in place. Large organisations also need to contemplate vulnerabilities that arise within their supply chains.

There has been a big surge in the number of Australians joining the ACSC Partnership Program, which has over 2,100 Network Partners, over 3,300 Business Partners and over 78,000 Home Partners. Partners can share threat intelligence and tips, and participate in workshops and cyber exercises with Australia’s fast-growing cyber security community.

In August 2021, the ACSC hosted Aqua Ex, a major cyber exercise involving over 60 entities from Australia’s critical infrastructure community. ACSC’s pilot Critical Infrastructure Uplift Program (CI-UP) is also helping critical infrastructure organisations to evaluate their cyber security maturity, and prioritise and implement risk mitigations.

The strong engagement we have had from the community and industry suggests there is an increasing awareness of the need to take cyber seriously, and when we work together we can make positive changes to Australia’s cyber ecosystem.

“Preparing to respond to a cyber attack starts with leadership and the right culture.”
A conversation with Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre

Q What is the ACSC’s advice to guard against ransomware attacks?

Ransomware is one of the most significant cyber threats currently facing Australians and Australian organisations. It is a global threat. When it comes to defending against ransomware, it is imperative that organisations raise the defences early or face the consequences. We have published the Ransomware Attack Prevention and Protection Guide on cyber.gov.au, to teach all Australians how to mitigate ransomware threats.

Investing in preventative cyber security measures is more cost-effective than the comparative costs incurred when attempting to recover from a ransomware incident. Update devices and turn on automatic updates, use multifactor authentication, maintain current backups (preferably stored offline), protect systems with strong passphrases and access controls, and have an incident response plan. We do not recommend paying ransom demands, as it does not guarantee a victim’s files will be restored. Nor does it prevent the publication of any stolen data, or stop it being sold for use in other crimes.

To protect Australians and combat this global threat, the Australian Government launched the Ransomware Action Plan, which builds on Australia’s Cyber Security Strategy 2020.

Implementing the ASD’s Essential Eight Maturity Model is the best approach to in-depth defence. Based on the ACSC’s experience in producing cyber threat intelligence, conducting penetration testing and assisting organisations, the Essential Eight is proven to help organisations minimise cyber risk.

Cyber.gov.au is a one-stop shop for guides and advice, and is the gateway to the ACSC’s Partnership Program. The ACSC urges all Australian individuals and organisations to report cybercrime and cyber incidents to ReportCyber, contactable 24/7 via email asd.assist@defence.gov.au or by calling the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).

Q What is your advice to organisations on how best to prepare for responding to cyber attacks?

Preparing to respond to a cyber attack starts with leadership and the right culture. Effectively preparing for a cyber incident requires the full involvement of the organisation, from the board to the public relations team and frontline workers. The best prepared organisations have robust disaster recovery plans that consider three key elements:

1. Operational contingencies, should some or all of your systems go offline. How will you manage operations like logistics or public communication?

2. Exercising incident response plans with the whole executive and key functions of your organisation.

3. Testing backups regularly. Much like organisations run fire drills, backups should be tested and include a full restoration.
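The third element above, a backup test that includes a full restoration, as an added worked example (this is not code from the ACSC, the report or any product it mentions). It builds a small constructed source tree, backs it up to a tar archive together with a SHA-256 manifest, restores the archive into a clean directory and then checks every manifest entry against the restored copy, reporting files that are missing, altered or unexpected. The sample files, the archive layout and the manifest name are assumptions made for the example.

```python
"""Backup restoration drill: restore everything, then prove it came back intact."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name, chosen for this example


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def create_backup(source_root, archive_path):
    """Archive source_root under 'data/' and embed a manifest taken before archiving."""
    manifest = build_manifest(source_root)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_root, arcname="data")
        payload = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def restore(archive_path, restore_root):
    """Full restoration into an empty directory (the drill, not a spot check)."""
    os.makedirs(restore_root, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_root, filter="data")
        except TypeError:  # Python builds without the 'filter' argument
            tar.extractall(restore_root)


def verify(restore_root):
    """Compare the restored tree with the manifest that travelled inside the archive."""
    with open(os.path.join(restore_root, MANIFEST_NAME)) as f:
        expected = json.load(f)
    restored = build_manifest(os.path.join(restore_root, "data"))
    missing = sorted(p for p in expected if p not in restored)
    corrupted = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    unexpected = sorted(p for p in restored if p not in expected)
    return {"ok": not (missing or corrupted or unexpected),
            "missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def run_drill(tamper=False):
    """End-to-end drill on constructed sample data; tamper=True simulates a damaged restore."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,constructed sample row\n")  # constructed data
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")  # constructed data
        archive = os.path.join(work, "backup.tar.gz")
        create_backup(src, archive)
        restore_root = os.path.join(work, "restore")
        restore(archive, restore_root)
        if tamper:
            # Simulate silent media corruption of one restored file.
            with open(os.path.join(restore_root, "data", "db", "customers.csv"), "a") as f:
                f.write("garbage\n")
        return verify(restore_root)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("damaged drill:", run_drill(tamper=True))
```

The point of the drill is the restore step: a backup that is only checksummed in place can still be unrestorable, so the manifest is computed before archiving and checked only after a complete extraction into a fresh directory.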
Industry spotlight

Energy and Resources

SOCI laws
The energy and resources industry is a critical infrastructure sector. The Australian Government has ‘switched on’ the incident reporting and asset register obligations, and proposes to ‘switch on’ risk management obligations for this sector.

Australian Energy Sector Cyber Security Framework (AESCSF) extended to liquid fuels sector
The AESCSF is a program developed by the Department of Industry, Science, Energy and Resources in partnership with the Australian Energy Market Operator and Government to assess cyber security maturity in the energy sector and to complement SOCI law reform. The AESCSF originally covered electricity and gas markets, but will be extended to include the liquid fuels sector.

Financial Services

CPS 234 Tripartite Reviews
Regulated entities may be required to engage third-party auditors to undertake a CPS 234 compliance audit, with the results to be reported to the organisation’s Board and to APRA.

ASIC Market Integrity Rules
These new Rules will commence on 10 March 2023, and will:
• impose additional obligations on market participants and operators in relation to technology and operational resilience; and
• reinforce ASIC’s broader regulatory focus on deterring inadequate systems and uplifting operational governance and controls.

Changes in cyber insurance
Given the significant rise in cyber attacks and insurance payouts, cyber insurers are reviewing policies to increase premiums, and are also narrowing coverage (by expanding policy exclusions and lowering available limits).

SOCI laws
The financial services and markets industry is a critical infrastructure sector. The Australian Government has ‘switched on’ the incident reporting obligations for this sector, as well as the asset register obligations for some impacted assets. The Australian Government also proposes to ‘switch on’ the risk management program obligations for some impacted assets in this sector.

Higher education

SOCI laws
The higher education industry is a critical infrastructure sector. The Australian Government has ‘switched on’ the incident reporting obligations for this sector.

Continued threat of foreign interference
The report on the parliamentary inquiry into national security risks affecting the Australian higher education and research sector was published in March 2022. The Australian Security Intelligence Organisation considers the sector a key target for foreign interference. The report recommends further security measures be implemented – including training, additional processes and government assistance – to address this threat.

Key target for state-sponsored attacks
Government infrastructure is at particular risk of state-sponsored cyber attacks in light of the current situation in Ukraine.
Industry spotlight

Infrastructure

SOCI laws
Transport is the largest component of the infrastructure sector. The Australian Government has ‘switched on’ the incident reporting and asset register obligations for transport assets. Related laws were introduced to Parliament under the Transport Security Amendment (Critical Infrastructure) Bill 2022, which lapsed when Parliament was prorogued ahead of the election.

Delivery phase and the transition into operation
Many organisations in this sector rely on operational technology to monitor and control physical processes or devices. These devices create significant efficiencies for the sector but also expose the sector to a growing risk of cyber attacks affecting critical infrastructure assets. With Building Information Modelling likely to be used on every major project there are increasing volumes of very useful and detailed information shared. This flow varies over the lifecycle of a build and into subsequent operation and it is critical that this data is managed accordingly.

End users need to have confidence in the management of personal data
Great infrastructure provides end users with a seamless and efficient experience. Many assets are increasingly reliant on the gathering and application of personal data sets to influence operational efficiency. End users have to be comfortable with the trade-off, i.e. that data is collected for the purpose at hand without being exploited for other commercial or non-commercial uses.

Health

Key target for malicious attacks
Health service providers are a key target for malicious attacks. From January to June 2021, the OAIC received the most data breach notifications from this sector, of any sector, arising from malicious attacks.

SOCI laws
The healthcare industry is a critical infrastructure sector. The Australian Government has ‘switched on’ the incident reporting and asset register obligations, and proposes to ‘switch on’ the risk management program obligations for impacted assets in this sector.

Insurance

The Insurance Council of Australia (ICA) released its Cyber Insurance: Protecting our way of life, in a digital world discussion paper on 28 March 2022, which sets out the insurance implications of cyber incidents on Australian businesses and recommendations for a sustainable cyber insurance market.

According to the ICA, cyber insurance awareness is low within the Australian business economy, and the combination of a small premium pool and increasing sophistication and maliciousness of some cyber attacks has put significant pressure on insurers as well as businesses.

The ICA recommends that policyholders work closely with insurers to ensure they understand the extent of cyber coverage, and has recommended (among other things) that the Australian Government develop a single cyber security framework to help drive best practice in cyber security across the Australian economy.
Spotlight on SOCI

Overview of SOCI laws

Government assistance measures
Following an incident, government is empowered to issue information gathering and provision of support directions. To be used as a measure of last resort. Applies to all sectors. Laws passed.

Register of critical infrastructure assets
Reporting entities must report details about entity and asset to CISC. Reporting required at time of registration and must be kept updated.

Mandatory cyber incident reporting
Incident with significant impact on availability of assets – report to ACSC within 12 hours. Incident with relevant impact on availability of assets – report to ACSC within 72 hours.

Asset register and incident reporting: these requirements have been ‘turned on’ for some assets through Ministerial Rules that took effect on 8 April 2022 with a 3 month transition for incident reporting obligations and a 6 month transition for asset register obligations.

Risk management programs
Responsible entities required to adopt and maintain a Risk Management Program. Annual compliance certification to CISC. Risk Management Program law passed. Awaiting Ministerial Rules to ‘turn on’ the Risk Management Program obligations for some assets, but government has recommended implementing now.

Enhanced security measures
Asset is declared a System of National Significance and notified. Could be:
• Prepare incident response plan
• Undertake cyber security exercises
• Undertake vulnerability assessments
• Provide systems information
Laws passed, awaiting rules.
Spotlight on SOCI

Overview of SOCI laws: application by sector

[Sector applicability matrix: the per-sector markings against each measure did not survive transcription; the recoverable headings, sectors and legend follow.]

Measures: Government assistance measures | Register of critical infrastructure assets | Mandatory cyber incident reporting | Risk management programs | Enhanced security measures

Sectors: Energy (Electricity and Gas); Communications; Transport; Healthcare and Medical; Water and Sewerage; Financial Services and Markets; Food and Grocery; Higher Education and Research; Defence; Data storage or Processing; Space Technology; Freight infrastructure and services; Liquid fuel

TBC: Unknown at this stage. Some obligations currently proposed for after 1 Jan 2023.

Legend: * Payment systems only | ^ Critical hospitals only
Spotlight on ransomware

At a glance

623.3m – The number of ransomware attacks globally in 2021 (Source: SonicWall 2022 Cyber Threat Report)

US $20b – The estimated combined cost of ransomware attacks globally in 2021 (Source: Cybersecurity Ventures)

Nearly 20 per second – Number of attempted ransomware attacks globally in 2021 (Source: SonicWall 2022 Cyber Threat Report)

105% – The percentage increase in ransomware attacks globally in 2021 compared with 2020 (Source: SonicWall 2022 Cyber Threat Report)

Manufacturing, financial services, transportation, technology and legal services – The most targeted industries globally from January to June 2021 (Source: Ransomware attack statistics 2021 - Growth & Analysis | Cognyte)

15% – The percentage increase in ransomware reports by Australian organisations in FY 20-21 compared with the previous financial year (Source: Australian Cyber Security Centre)

US $6m – Estimated average ransomware demand levied against US companies in 2021 (Source: Mimecast)
Spotlight on ransomware

Trends in ransomware

Continued risk of attacks on Australian organisations
Consistent with global trends, the ACSC has continued to observe cybercriminals successfully using ransomware to disrupt business operations and cause reputational harm to Australian organisations. Increasingly, however, attackers are not only demanding payment to enable the organisation to regain access to its data, but also carrying out secondary extortions by threatening to release it on the dark web.

Ransomware-as-a-Service (RaaS) is expected to increase
RaaS involves operators leasing out or offering subscriptions to their malware creations to others (known as ‘affiliates’) for a fee – such as a monthly subscription fee or a percentage of successful extortion payments. The increasing prevalence of ransomware attacks may be attributed to, at least in part, the increased accessibility afforded by this model. RaaS operators such as DarkSide (responsible for an attack on the Colonial Pipeline in Texas in May 2021) and REvil (behind the attack on JBS Foods in May 2021 – see below) offer RaaS to affiliates through the dark web and Twitter.

The US Federal Bureau of Investigation (FBI) issued its first alert about a ransomware ‘affiliate’ in August 2021. In February 2022, the FBI released a further alert, warning organisations that BlackByte, a RaaS provider, has begun targeting critical infrastructure sectors.

The use of open-source software (OSS) presents an ongoing risk for exploitation by ransomware criminals
OSS is commonly leveraged by both in-house and external developers across the globe. As a consequence of its widespread use, OSS presents a particular risk of exploitation by ransomware criminals.

In December 2021, malicious code (referred to as Log4Shell) was discovered in Log4j – a ubiquitous OSS JavaScript library used by numerous cloud-based services – which allowed hackers to remotely access and take control of affected systems.

On 8 March 2022, the maintainer of node-ipc, an OSS JavaScript library that is downloaded approximately a million times a week, released an update containing ‘protestware’. The effect of the update was that if the IP address of the user was geocoded as Russian or Belarussian, the software overwrote any data encountered in the user’s filesystem with heart symbols. The action was intended as a protest against Russia’s invasion of Ukraine.

While these incidents did not result in ransomware attacks, they demonstrate the vulnerabilities of OSS and the risk of exploitation by malicious actors, which could result in attempted ransomware attacks in the future.

Ransomware will continue to impact cyber insurance
Organisations’ ever-increasing reliance on ICT and the associated rise in ransomware attacks is continuing to shape the cyber insurance landscape. In the past, cyber insurance was often purchased as an add-on to other standard commercial insurances. However, as ransomware attacks have increased, so have cyber reinsurance rates, by up to 40% in FY 2020-21.

Notably, while many cyber insurance policies offered in Australia continue to provide coverage for the payment of ransoms, insurers are reassessing this position. In addition, insurers are limiting coverage in a portfolio if a business isn’t able to demonstrate having appropriate cyber security measures in place. Ultimately, cyber insurance is just one tool within a broader arsenal that organisations should employ to mitigate against the impact of ransomware attacks.
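The node-ipc incident above turned on a routine update being pulled into builds automatically. One control a defender can put in a build pipeline is an audit of how dependencies are pinned; the following is an added example (not code from the report, from node-ipc or from npm) that reads an npm package.json and a lockfileVersion 2/3 package-lock.json, flags declared ranges that float (^, ~, *, latest) and lockfile entries that lack an integrity hash or resolve to something other than an https registry tarball. Both documents are constructed sample input and the package names are made up.

```python
"""Audit npm dependency pinning so an upstream update cannot enter a build unreviewed."""
import json
import re

# Constructed package.json: one exact pin, three floating specifiers.
PACKAGE_JSON = json.loads("""{
  "name": "example-app",
  "dependencies": {
    "example-ipc": "^9.2.0",
    "example-logger": "2.1.4",
    "example-utils": "latest"
  },
  "devDependencies": {
    "example-test": "~3.0.0"
  }
}""")

# Constructed package-lock.json (lockfileVersion 3 layout: one entry per node_modules path).
PACKAGE_LOCK = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/example-ipc": {
      "version": "9.2.1",
      "resolved": "https://registry.example/example-ipc/-/example-ipc-9.2.1.tgz",
      "integrity": "sha512-CONSTRUCTEDHASHVALUE1"
    },
    "node_modules/example-logger": {
      "version": "2.1.4",
      "resolved": "https://registry.example/example-logger/-/example-logger-2.1.4.tgz",
      "integrity": "sha512-CONSTRUCTEDHASHVALUE2"
    },
    "node_modules/example-utils": {
      "version": "1.0.0",
      "resolved": "https://registry.example/example-utils/-/example-utils-1.0.0.tgz"
    },
    "node_modules/example-test": {
      "version": "3.0.2",
      "resolved": "git+ssh://git@git.example/org/example-test.git#main",
      "integrity": "sha512-CONSTRUCTEDHASHVALUE3"
    }
  }
}""")

# Exact semver (optionally with a pre-release tag); anything else is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def floating_ranges(package_json):
    """Return {name: spec} for every declared dependency not pinned to one exact version."""
    out = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()):
                out[name] = spec
    return out


def lock_findings(lock):
    """Flag lockfile entries that npm cannot verify or that point at a mutable source."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        if not entry.get("integrity"):
            findings.append((name, "no integrity hash; tarball cannot be verified on install"))
        resolved = entry.get("resolved", "")
        if not resolved.startswith("https://"):
            findings.append((name, f"not an https registry tarball: {resolved}"))
    return findings


def audit(package_json, lock):
    report = {"floating": floating_ranges(package_json), "lock": lock_findings(lock)}
    report["pass"] = not report["floating"] and not report["lock"]
    return report


if __name__ == "__main__":
    result = audit(PACKAGE_JSON, PACKAGE_LOCK)
    for name, spec in result["floating"].items():
        print(f"floating range: {name} {spec!r}")
    for name, msg in result["lock"]:
        print(f"lockfile: {name}: {msg}")
    print("PASS" if result["pass"] else "FAIL")
```

Floating ranges in package.json only matter when the lockfile is ignored, so the audit is meant to sit beside a build that installs with npm ci, which fails rather than silently re-resolving when the lockfile and manifest disagree; a version bump then has to arrive as a reviewable lockfile diff.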
Spotlight on ransomware

Ransomware regulatory developments

Local developments
The Australian Government has acknowledged the growing threat that ransomware poses to Australian businesses, individuals and infrastructure. In October 2021, the Minister for Home Affairs released the Government’s Ransomware Action Plan. The Plan sets out the Government’s intention to introduce ransomware-specific legislative reforms, including:
• the imposition of specific mandatory ransomware incident reporting;
• the introduction of a standalone offence for all forms of cyber extortion; and
• the introduction of a standalone offence for cybercriminals seeking to target critical infrastructure assets (as defined in SOCI law).

The Plan came after the Federal Opposition introduced the Ransomware Payments Bill 2021 to Parliament in August 2021, which proposed to make it mandatory for large business and government entities to notify the ACSC if they made a ransomware payment.

While the Bill has since been withdrawn, on 17 February 2022, the Australian Government introduced the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 into Parliament. The Bill aims to implement some of the key aspects of the Ransomware Action Plan. In addition to the reforms outlined above, the Bill introduces a standalone offence of dealing with data obtained by unauthorised access or modification, and an aggravated offence for buyers and sellers of ransomware to deter the development of RaaS markets.

Notably, the Bill does not introduce mandatory ransomware incident reporting requirements or any new offences expressly criminalising the payment of a ransom. The Bill lapsed when Parliament was prorogued.

International developments
Australia recommitted to the Five Eyes group in April 2021. Five Eyes consists of representatives from Australia, New Zealand, Canada, the United States and the United Kingdom. Acknowledging the global nature of the challenge, Five Eyes works collaboratively by sharing information, practices and policies to combat common cyber security challenges arising from the threat of ransomware.

The ripple effects of a ransomware attack: JBS Foods
The ransomware attack on JBS Foods last year highlights the havoc that a ransomware attack can wreak on an organisation.

JBS Foods is a global food processing company. It has 47 facilities across Australia and operates the largest network of product facilities and feedlots in the country. On 30 May 2021, JBS Foods suffered a ransomware attack that debilitated the company’s operations in both Australia and the US.

The attack led to a five-day shutdown of the company’s Australian meat supply chain, the cancellation of livestock shipments and temporary lay-offs at some of the company’s worksites. It has been reported that JBS Foods subsequently paid a ransom amount in excess of A$14 million.

While the financial impact on JBS Foods was significant, the consequential effects on the community were also considerable. In Australia, JBS Foods’ casual workers reportedly lost more than a week’s worth of work and pay. In the US, rival meat producers reportedly raised beef wholesale prices as a result of the reduced supply caused by the absence of JBS Foods in the market.
Spotlight on ransomware

Legal implications of paying a ransom

• There is currently no express prohibition under any Commonwealth, state or territory law that prohibits an organisation from paying a ransom amount in connection with a ransomware incident. However, the Australian Government’s clear and stated position is that it does not condone ransom payments being made to cybercriminals.

• There are, however, criminal offences that may prohibit the payment of a ransom in circumstances where a person is reckless or negligent as to whether or not the money will become an instrument of crime. Depending on the circumstances of the incident, the defence of duress may be pleaded against these offences.

• Australian organisations and individuals who pay ransom amounts may be considered to have committed a criminal offence by breaching Commonwealth legislation that governs international sanctions regimes or criminalises the financing of terrorist organisations.

• Increased sanctions activity overseas may also be reflected in Australia’s own regime. In the US, sanctions laws are strict and any US entity paying a ransom to a national of a listed region violates the sanctions prohibition. Non-US companies may also violate US sanctions if they cause a US person to violate the sanctions prohibitions.

• The risks of committing such offences may be mitigated by conducting due diligence on the organisation seeking the ransom payment, to confirm (to the extent possible) that it is not a terrorist or sanctioned organisation, or a known criminal syndicate. Where the defence of duress is available, the risk of committing an offence can be further mitigated by collecting contemporaneous evidence of any imminent threat that could not reasonably be rendered ineffective without paying the ransom. Such evidence may include communications with the malicious threat actors, providing evidence of exfiltrated data, and threats to release data or take other adverse action should the ransom demand not be paid.

• In New South Wales, it is an offence, under the Crimes Act 1900 (NSW), for a person to fail to report a serious indictable offence to the NSW Police where that person is in possession of information that will materially assist in apprehending, prosecuting or convicting an offender. The application of this offence is uncertain in the context of ransomware and other cyber attacks – particularly in circumstances where the malicious actor cannot be identified.

• Victims of ransomware attacks should also consider their cyber insurance, and in particular whether payment of ransom is covered. For more information, see our discussion on pages 15 and 19 in relation to recent developments in the cyber insurance market.
Practical steps for Australian organisations

This section sets out key actions that organisations should take arising from this year’s research, survey and interviews. These steps should form part of an organisation’s overall cyber resilience strategy.

The cyber risk landscape is changing rapidly – in light of new and onerous regulatory requirements; geopolitical influences; the accelerated adoption of new technologies; the rise in organisations’ reliance on third-party suppliers; and the increase in the volume of malicious activity and sophistication of malicious actors.

1 Align cyber security measures with an external framework

Organisations should assess their cyber security maturity, and align it with external frameworks such as the ASD Essential Eight Maturity Model or the NIST Cybersecurity Framework.

They should also carefully focus on mitigating supply chain risk, by understanding what information is being held by third parties; by conducting appropriate due diligence on, and uplifting their contractual arrangements with, their key suppliers; and by actually exercising contractual audit rights where appropriate.

2 Conduct cyber incident response plan drills, regularly update plans and ensure that they are aligned to broader risk management

Organisations should regularly test their cyber incident response plans. While most organisations have developed tailored incident response plans, our survey indicates that only 59% are regularly testing and updating them.

Cyber incident response plans must be regularly tested and updated to reflect this fraught and ever-changing environment. Organisations should also consider developing and testing a ransomware-specific playbook, which should include escalations (including specific timing) and authority levels; and financial, regulatory, reputational and other factors to be considered in determining whether or not to make a payment.

In addition, organisations are collecting, creating and processing more data than ever. Boards and leaders must take concerted steps to understand the types of data their organisations hold and where this data may be exposed internally and externally across the supply chain. In doing so, the organisation will better understand genuine risk and exposure levels, and enable the application of a more focused cyber risk mitigation strategy.

Finally, organisations should also ensure that they are aligning their approach to cyber security and incident response planning with their broader organisational approach to risk, and are integrating their cyber incident response plans into their business resilience and crisis management strategies.
Practical steps organisations should take

3 Train and educate employees, don’t underestimate the insider threat, and continue to invest in and improve security architecture

Human error still plays a key part in many (if not most) serious cyber incidents.

Employees – and in some cases customers – require appropriate and ongoing training and education to reinforce the importance of their roles in managing and protecting data and systems, and to enable them to identify and respond to cyber attacks.

Organisations should also implement policies and processes to assist them in quickly identifying and addressing insider threats. The risk and potential impact of these threats should not be underestimated.

Finally, organisations must continue to invest in and improve their security-related technologies and processes, including, for example, by:
• applying best practice patching patterns;
• developing genuine capability for the timely decommissioning of out-of-support products;
• transitioning to a zero-trust model for mitigating risk arising from environment complexity;
• improving identity and authorisation hygiene by reducing the impact of poor end user decisions;
• integrating and harmonising monitoring capabilities to include behavioural outlier detection for administrative accounts, third-party vendors and end users; and
• uplifting confidence in, and the performance of, incident recovery systems.

4 Understand compliance obligations

Many organisations face an ever-increasing and more complex array of regulatory obligations – from notification requirements under the Privacy Act and the APRA Prudential Standards, to the new ASIC market integrity and SOCI laws. Many of these laws impose significant penalties for non-compliance.

In addition, as discussed on page 20, the Australian Government has foreshadowed plans to introduce new ransomware-specific laws, as well as conduct an overhaul of Australia’s privacy laws, which will include a substantial increase in the penalties under the Privacy Act.

Organisations need to urgently take steps to address new regulatory obligations imposed on them under the SOCI laws, and should also consider pre-emptively preparing for the likely imposition of new privacy and cyber-related regulation – including by identifying key data assets, and critically reviewing and updating their privacy and cyber-related policies, procedures and processes.
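Step 3 calls for behavioural outlier detection for administrative accounts. As an added example (not code from the report or from any monitoring product), the following learns a per-account baseline from a training window of authentication events (hours of day, source hosts and actions seen) and then flags later events that depart from it: an unusual hour, a never-before-seen source host, or a first-time privileged action. The log lines are constructed for the example, and the field layout (timestamp, account, source host, action) is an assumption rather than any product's format.

```python
"""Baseline-and-deviation detection for administrative account activity."""
from collections import defaultdict
from datetime import datetime

# Constructed training window: two admins with regular habits.
BASELINE_LOG = """\
2022-03-01T09:05:12Z admin.alice jump-01 login
2022-03-01T09:40:02Z admin.alice jump-01 sudo
2022-03-02T08:58:44Z admin.alice jump-02 login
2022-03-02T10:12:09Z admin.alice jump-02 sudo
2022-03-01T13:30:00Z admin.bob jump-01 login
2022-03-02T14:02:31Z admin.bob jump-01 login
2022-03-03T13:45:10Z admin.bob jump-01 login
"""

# Constructed detection window: one routine event followed by three deviations.
NEW_LOG = """\
2022-03-04T09:10:00Z admin.alice jump-01 login
2022-03-04T02:14:33Z admin.alice jump-01 login
2022-03-04T13:50:00Z admin.bob 203.0.113.7 login
2022-03-04T13:52:15Z admin.bob jump-01 add_user
"""


def parse(log_text):
    """Parse the assumed 'timestamp account source action' line format."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, source, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "source": source, "action": action,
        })
    return events


def build_baseline(events):
    """Per account: the hours, source hosts and actions observed in the training window."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set(), "actions": set()})
    for e in events:
        b = baseline[e["account"]]
        b["hours"].add(e["ts"].hour)
        b["sources"].add(e["source"])
        b["actions"].add(e["action"])
    return baseline


def hour_distance(a, b):
    """Distance between two hours of day on a 24-hour wheel (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect(baseline, events, hour_slack=1):
    """Return (event, [reasons]) for every event that departs from its account's baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["account"])  # .get() does not create a new baseline entry
        reasons = []
        if b is None:
            reasons.append("account never seen in baseline window")
        else:
            hour = e["ts"].hour
            if all(hour_distance(hour, h) > hour_slack for h in b["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00 (baseline {sorted(b['hours'])})")
            if e["source"] not in b["sources"]:
                reasons.append(f"new source host {e['source']}")
            if e["action"] not in b["actions"]:
                reasons.append(f"first-time action {e['action']}")
        if reasons:
            alerts.append((e, reasons))
    return alerts


def run():
    """Train on the constructed baseline window and score the constructed detection window."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for event, reasons in run():
        print(event["ts"].isoformat(), event["account"], "-", "; ".join(reasons))
```

The baseline is deliberately simple (sets of observed values rather than a statistical model) so that every alert carries a human-readable reason; in practice the training window would be rebuilt on a rolling basis and privileged actions such as account creation would be whitelisted per role rather than learned purely from history.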