APRA has released its first, cross-industry prudential standard on information security for consultation, designed to tackle cyber security incidents by setting minimum standards.
In recent times there has been a marked shift in the perception of cyber security events. Organisations that suffer a breach are no longer seen as the “victim” of a hacking crime, but as delinquent actors who did not take proper steps to secure their assets.
Cyber security is not just an IT issue, but one which must be centrally managed and governed by organisations and their boards.
In an increasingly inter-connected world, businesses are collecting, using and exploiting vast amounts of data. New uses for data are imagined or implemented on a daily basis. IT systems are becoming more distributed, and data is stored and processed both in-house and externally in a range of environments, on-shore, offshore and in the cloud.
Cyber security and privacy breaches are potentially front-page events, which affect not only legal obligations, but also an organisation’s brand, reputation and (potentially) share price. Businesses have to navigate a myriad of legislative and contractual obligations which govern their handling and use of data, collected about increasingly sophisticated and privacy-aware consumers, and with increasing scrutiny by regulators.
Gilbert + Tobin's cyber security work covers the life-cycle of cyber security risk.
How we’ve helped our clients
We have more than a decade of experience in conducting and managing the investigation of online data breaches and computer hacking in a range of industry sectors including retailing, financial services, entertainment and ICT. Much of our investigation and enforcement work is confidential for obvious reasons. Examples of our recent experience include:
- Investigation of code hacking of entertainment products giving unauthorised access to, and control over, remote computer systems, including gathering and analysis of forensic information, preparation and execution of a strategy to confront the suspect, and securing a result to minimise further unauthorised access and hacking. The suspect was subsequently turned into an informant.
- Investigation of an international hacking ring via a major participant in Australia, including analysis of data to locate the suspect, preparation and execution of a plan for direct contact, management and resolution of the claim, and capture of data as evidence concerning remote assets used by accomplices.
- Assisting a large Australian corporate to respond to a major security incident by its IT outsourcer, including analysis of contractual obligations and legal claims, and negotiation and documentation of monetary and non-monetary settlements.
- Working with a major electronics manufacturer to identify a computer network hacker, and liaising with the state police force and arranging surveillance on the suspect.
- Investigating the use of Trojan and tunnelling software by a rival trader to extract critical information through unauthorised access to our client’s computer system, including filing legal proceedings to obtain disclosure of information by way of preliminary discovery, and resolution of the unauthorised access claim.
- Working with IT forensic investigators and lawyers in the US and Austria to identify a syndicate responsible for developing tools designed to circumvent copy control software, and using Australian court processes to obtain orders in the Federal Court of Australia for the contact details of the people using the IP addresses involved and for the purpose of executing search orders at their homes.
How we can help you
Planning for and dealing with cyber security breaches requires a multi-disciplinary team with deep technology and data protection expertise:
- Privacy and data: our privacy and data team understands that privacy compliance does not start and end with the preparation of a privacy or cyber security policy, but that an organisation’s handling of personal information and sensitive data must reflect privacy and security-by-design.
- Regulatory: our regulatory and corporate teams are accustomed to dealing with regulators that have an interest in, and may need to be notified in relation to, cybersecurity issues, including the OAIC, ASIC and APRA.
- Litigation: our litigation group includes a dedicated team of over 25 lawyers who focus on protecting data and commercially sensitive information. Over the last decade we have run some of the country’s most high profile disputes in relation to IP and commercially sensitive information, and routinely work with IT forensic providers to investigate and respond to cyber security breaches.
- Technology: we have one of the largest dedicated technology legal teams in Australia. Our team understands technology and risk, and works with our clients to focus on the key issues in a complex and fast-moving technology landscape.
We believe that cyber-security needs to break the mould of being thought of as just an issue for the IT team. It fundamentally requires a multi-disciplinary team. Internally within your organisation, cyber-security needs to involve IT, legal, risk, regulatory, PR and customer-facing operations. Externally, cyber-security may need to involve external lawyers, forensic teams and PR advisers.
Organisations need a plan for how they will respond to cyber security incidents. The last thing an organisation wants to be doing in the face of a serious cyber security incident is to develop its approach and policy on the fly, distracting from the task of dealing with the incident and creating confusion about who needs to be involved and who is empowered to make decisions that may affect your organisation’s reputation. APRA- and ASIC-regulated entities are likely to already be under an obligation to have such plans in place as part of their risk-management obligations.
Useful insights can be gained on how to deal with, or how not to deal with, cyber security incidents, by examining the experience of others. Some useful resources: