Four cyber risk management strategies that should be in your playbook

Author: Erin Weaver

In light of recent data breaches at Medibank and Optus, it is now a top priority for big business to implement effective cyber risk management plans into everyday operations.

Financial services remain a heavily targeted industry for cyber security breaches, behind only healthcare.

Source: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2022

Needless to say, failure to properly address and plan for the risks posed by cyber-attacks can lead to huge fallouts – financially and with regards to brand damage.  

Recently, ASFA NSW legislation discussion group chair (and Mayflower CEO Sarah Penn) invited Valeska Bloch and Simun Soljo from Allens Linklaters to bring their expertise and recent findings to the discussion group on cyber risk management.

Valeska Bloch is a partner at Allens as well as a leading technology, data and cybersecurity practitioner with particular expertise in highly regulated critical infrastructure and data-intensive sectors, including financial services, energy, healthcare, infrastructure, retail and government. 

Valeska introduced the discussion by touching on the various challenges faced by organisations who are now tasked with addressing their own internal response and crisis management approach to cyber risk. Some of these challenges include:

  • Vast amount of existing regulation                                                                                      

  • Growing number of regulators that are now looking more closely at cyber risk management (including APRA, ASIC, ACC) as well as increasing government attention

  • Continuing high number of incidents

Without question, developing or overhauling a cyber risk management plan is a considerable task, involving several moving parts.

However, it is a necessary one.

Valeska explained that keeping these four areas at the forefront of the cyber risk management discussion within your organisation will be key to guiding the process.

1.     Data retention and deletion

It may seem obvious – if the data isn’t there in the first place, it can’t be stolen.

However, as we all know, the reality is different.  The collection and retention of customer data is an essential operational component of most business, certainly in financial services. This customer service/marketing thinking, combined with how cheap storage is, has often led to an approach of ‘well we might need it one day and getting rid of it is low priority, so we’ll just hang on to all the data we collect’.

Not surprisingly now though, Valeska explained that her firm is now seeing organisations accelerating their de-identifying and deletion of data.

In addition, the regulatory goal posts are shifting quickly, and organisations are increasingly going to have to answer as to the why’s and how’s of data retention to regulatory bodies.

Don’t know where to start? We like this guide:

How to design and implement a data retention and destruction program in 6 steps (allens.com.au).

2.     Governance

The clear message from regulators is that responsibility for information security and data governance falls to the board and senior management. Financial penalties and regulatory action will be a very real consequence for these individuals in the event of a cyber incident in the near future.

No surprise then that the resounding advice is that cyber risk management be placed on the standing agenda for company boards across all industries.

Valeska suggests that the following questions be asked, and regularly:

  • Have we identified all potential threats/risks, knowing that we don’t limit ourselves to internal operations?

  • Are there processes in place for identification, notification and escalation of a cyber incident?

  • Who are the important personnel and what are their responsibilities in the event of an incident?

  • Do we have formal reporting and whistle-blowing processes?

  • Do we have access to the right experts in legal, cyber and tech?

  • What is the potential damage of an attack and is our ability to respond and recover from such an attack adequate?

3.     Incident Preparation

‘Prepare for the worst, expect the best’ is very aptly applied here.

Keeping risk at the forefront ensures we are ready should the incident happen today, tomorrow or (hopefully!) never. Being adequately prepared means the whole response process works on muscle memory, with minimal decision making needed in the heat of the moment. 

The key questions above that you should already be asking regularly will serve as a guide in determining and implement a fit-for-purpose incident response plan.

 Best tips on Planning for an Attack

Any action plan should involve specific tasks and specific people, it should be examined and refreshed regularly and be accessible to all relevant parties in the organisation.

Acquire all the relevant advice from the appropriate experts in government, legal or tech – for instance, the question of whether to pay a ransom or not is not easily answered and making any decisions on this without appropriate counsel could get your organisation into significant trouble.

Cyber-attack simulations – these should be dynamic and allow for many people in the organisation to participate. Acquire that muscle memory!

4.     Transparency

AS important as what you DO is what you SAY about it.

As regulators increasingly focus on governance, they are equally homing in on how companies disclose any relevant information around cyber security with penalties applied to any breaches.

How to Get In Hot Water:

  • Claiming established security measures publicly (websites, newsletters, etc) that can’t be verified.

  • Failing to notify regulators of a breach in cybersecurity immediately.

  • Disclosing information that turns out later to be not true, even if unintentional.

How to Stay out of Hot Water:

  • Transparency – being clear in what we know now, what we don’t know and things that we are assuming at this time and having a clear delineation between them.

  • In the early stages of an incident, it’s most often the case that the organisation knows very little about how and the level they have been affected. Often it even takes the cyber and tech experts several days to determine the level of damage. It’s better to say ‘we don’t know now’ rather than proclaiming something that later turns out not to be true.

Despite best efforts in planning and preparation, it’s likely that your company may still be a victim of a cyber breach, as hackers remain just that step ahead.  If there was ever a window where these attacks could have been prevented outright, it’s no longer open. Companies must adapt to this new landscape and prepare for these incidents or be held accountable.