Ensuring our government agencies are protected
It is Privacy Awareness Week — a timely reminder to focus on these challenges and opportunities to deliver better safeguards and privacy outcomes, write Caroline Atkins and Nick Topfer.
Recent large-scale data breaches disrupting some of Australia’s biggest companies have shifted cyber security and the implications for safeguarding personal information into sharper focus like never before.
Privacy Awareness Week is a timely reminder about what should be front of mind for government agencies when it comes to their data governance arrangements and the protections from possible areas of vulnerability.
Of course, agency cyber teams are aware of their compliance requirements and best practices for cyber security. The Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM), along with its Essential Eight mitigation strategies, lays valuable foundations for protection.
However, there are other legal safeguards that should be considered. To start with, agencies need to properly understand how their “environment” is constructed. This includes knowing the agency’s vendors, and the subcontractors of those vendors, who provide the technology and cyber protections.
Part of the challenge for government agencies is that they have to rely on vendors to ensure their products are secure and to proactively address security vulnerabilities in those products. Agencies also rely on being informed of any security incidents that arise, but this doesn’t always happen, for example when the risk or incident arises somewhere in a vendor’s own supply chain. Government agencies generally have to rely on an extensive supply chain beyond the vendors with whom they directly contract, especially when it comes to cloud-focused products.
What technical controls and contractual requirements are needed to mitigate security risks?
From a legal perspective, it is important for agencies to implement a security-focused layer of contractual protections, including specific security features and control obligations, and remedies such as direction powers and performance incentives. Such a layer can be difficult to achieve as some vendors look to negotiate minimal and low-risk contractual commitments in the area of security.
Recently, the ACSC contributed to a report by various US security agencies about shifting the balance of cyber security risk. The report recommends that customers hold their manufacturers accountable for the security outcomes of their products. For government entities, that might include focusing on vendor approaches to the responsibility for data security when customers make procurement and purchasing decisions. This is especially true if vendors seek to make customers fully responsible for security outcomes. Agencies could consider whether cyber security issues require a greater focus in the specification of requirements and procurement process for ICT products and services.
One option for mitigating cyber risks within our government agencies is to require vendors to hold cyber risk insurance, where appropriate and taking into account the nature of the product or service being procured. However, this should not be viewed as a “silver bullet” for several reasons.
Cyber risk insurance held by a vendor only provides coverage for the vendor’s liability. If the vendor doesn’t have any responsibility for cyber risks under a contract, then there won’t be any vendor liability.
Limits on cyber risk insurance are also typically lower than those for other risks, such as public liability or professional indemnity (and have been trending even further downward in recent years). So this insurance may not provide adequate coverage for the scope of cyber risks. This needs to be carefully considered in the context of relevant procurements.
Cyber risk insurance may also not cover the full scope of risks arising from an incident. Even if a vendor that holds cyber insurance makes an agency whole for its monetary losses, an agency may still suffer reputational damage and lose stakeholder and public confidence, which might affect the agency’s ability to perform its public functions.
Negotiating cyber security requirements would be easier if there were some form of statutory backing that, for example, obliged vendors and agencies to apply security-by-design principles so that systems hosting sensitive data are built with the best possible security controls. Such backing would make it easier to negotiate security arrangements with vendors and would also be effective in creating legal obligations to mitigate security risks.
Another possible measure for Australia may be to consider a Cyber Resilience Act to set out security requirements for products with digital elements, which is an approach that Europe is considering.
We should use Privacy Awareness Week to focus on these challenges and the opportunities to deliver better safeguards and privacy outcomes.
Caroline Atkins is a partner, and Nick Topfer is a special counsel, at Maddocks.