Australian firms underprepared for rising cyber threats

Today

A new report from global law firm Herbert Smith Freehills reveals that Australian organisations are becoming more concerned with cyber risks. However, their preparations may not be proportionate to the level of threat they face. In a survey of over 160 legal leaders, 80% of respondents noted an increase in cyber threats over the past year, yet many felt that the necessary preparations are still lacking.

According to the survey, 58% of respondents believed it would take an actual cyber incident to significantly enhance their organisation's focus on data risk management. Cameron Whittfield, partner and APAC Cyber Security Head at Herbert Smith Freehills, stated, "My concern is that those businesses, and those on the front line of cyber response, are fatigued. Operating with a constant and changing threat can create uncertain priorities, from the board to the management team and through to the frontline staff."

Whittfield added, "We are continually hearing cyber 'wake-up calls' and that cyber is a business-critical consideration but managing investment decisions and assessing what 'good' looks like remains a significant challenge. Respondents to our survey told us they would like clear guidance on best practice, so that they can manage reputation risks, adequately protect their supply chains, and make sound investment decisions."

The survey also highlighted a significant concern over reputational risk, which was cited as the top cyber risk concern by respondents. This was followed by third-party risk, underinvestment in systems or infrastructure, aged data stores, and lack of cyber expertise. Carolyn Pugsley, Herbert Smith Freehills' partner and governance expert, observed, "The leaders we surveyed are very attuned to the reputational damage that can flow from a cyber incident, but not all of their businesses are investing in the right level of preparation to mitigate that risk."

Pugsley further remarked, "One of the survey findings that most surprised us was that 50% of boards had not participated in a cyber simulation. Managing reputation risk is a critical task for boards and navigating an incident response in a manner that helps protect reputation and re-establish trust is a difficult balancing act. While management will take the lead in responding to an incident, a well-prepared board will become a response enabler through sound, rapid judgement calls."

The survey also revealed that close to 60% of respondents are worried about the risk of class action following a cyber-incident in their business, with the consumer sector respondents being the most concerned. Christine Wong, partner in contentious privacy and data disputes at Herbert Smith Freehills, commented, "Cyber-incidents are followed by increasing material litigation risks that can be minimised with planning."

Wong explained, "There is a trifecta of risk, where we see potential regulator investigations, flow to prosecutions, then class actions litigation – either consumer, shareholder, or both. With 83% of survey respondents that are 'very concerned' about their data collection and retention practices also concerned about class action, the link between the source of liability and appropriate data collection and retention practices has been highlighted."

Wong added, "Litigation risk can and should be planned for, making decisions ahead of a cyber incident on how privilege applies can not only remove risk but ensure effective response. We are increasingly working with corporates who are considering litigation tactics such as injunctions in their preparations, as another tool in their cyber response arsenal."

Share on: