2024 ‘another big year for cyber’ following massive breaches and resulting OAIC investigations
Following several high-profile data breaches affecting millions of Australians, cyber security and cyber attacks have had a massive impact on the legal profession in recent years. Here, cyber and insurance partners share their predictions for what 2024 will hold for the space.
The rate of cyber crime in Australia – and globally – has surged over the last two years, with 83 per cent of organisations revealed to have been hit more than once. In fact, as cyber partners told Lawyers Weekly late last year, the global number of ransom demands from cyber criminals seeking to extort law firms “has doubled in 12 months”.
“We predict an increasing number of cyber attacks against Australian business of all sizes and across most sectors. Once again, ransomware will be the biggest threat faced, along with data breaches and social engineering fraud,” he said.
“In response, we expect a higher degree of government focus on cyber risk. This includes: material progress with regulatory reforms impacting cyber, particularly the long-awaited modernisation of the Privacy Act; a more proactive privacy commissioner who uses enhanced and wide-ranging information collecting and enforcement powers; continued focus on cyber risk by ASIC, the ACCC and the Department of Home Affairs; and government agencies playing a more proactive role in assisting Australian businesses to protect themselves from cyber risk and to respond to incidents.”
Clayton Utz partner Brenton Steenkamp echoed a similar sentiment – and warned of regulatory bodies increasingly cracking down on data breaches.
“Australia continues to see a significant rise in the number of cyber attacks on its shores, and with the government playing an increasingly proactive and prominent role in cyber security, the Office of the Australian Information Commissioner (OAIC) taking a more aggressive approach, and the threat of business leaders being held personally liable in the event of a breach, we are seeing the risk profile shifting dramatically. We are moving towards a threat and risk environment which requires greater involvement at board level,” he said.
“Currently, I am seeing a disconnect between board expectations and the operational reality at businesses. There is also a significant gulf in the strength of cyber prevention and preparedness strategies and their effectiveness in reality. Boards will be increasingly and proactively looking for ways to validate their cyber posture from a risk and governance perspective and ensure they are in a safe position to act accordingly.”
Flow-on challenges and costs
Last week, the Federal Court dismissed Medibank’s attempts to shut down an investigation into its October 2022 data hack and approved an OAIC investigation.
In its recent half-year results, Medibank announced it had spent $17.6 million on “non-recurring cyber crime costs” after its breach in 2022. A further spend of between $30 million and $35 million is expected throughout the financial year 2024 for “further IT security uplift and legal and other costs related to regulatory investigations and litigation”; that figure does not include any costs arising from the regulatory investigations or litigation themselves. In FY23, Medibank spent $26.2 million on costs associated with the breach.
The insurer was hit with a $250 million penalty in June last year following the 2022 breach affecting 9.7 million current and former customers and resulting in numerous class actions.
The Medibank breach followed “potentially the most serious privacy breach in Australian history” (at the time), whereby millions of Optus customers had their names, dates of birth, phone numbers and email addresses stolen by cyber criminals, as well as licence and passport numbers in some cases.
BigLaw firm HWL Ebsworth was also the victim of an attack in May of last year, which has since resulted in an OAIC investigation into the firm’s personal information handling practices.
The Tasmanian government, the Queensland state government, the federal Fair Work Ombudsman and local neobank Judo Bank were among the major clients whose files were affected by the breach.
IP services group IPH Limited also had to halt trading after it detected unauthorised access to a portion of its IT environment in mid-March last year.
In its FY23 financial results, the breach was revealed to have cost $2.8 million. In its recent half-year 2024 results, however, the firm stated that its Australia and New Zealand holdings had returned to growth, with revenue up 21 per cent to $274.4 million, and chief executive Dr Andrew Blattman confirmed that the firm expected to return to its “target gearing range during CY24”.
In an interview on cyber risk on the firm’s website, MinterEllison partner Shannon Sedgwick said that “across the entire spectrum of many organisations, there is a misunderstanding of how to respond to a cyber incident”.
“Many organisations think that having a high-level incident response plan is a panacea or a cure-all for all of their cyber security ills. But what they don’t often have are incident-specific playbooks. These are necessary because the response to a ransomware incident materially differs from the response to a business email compromise. Likewise, the playbooks need pre-prepared draft stakeholder communications that are ready to employ when it is time to disclose the nature and implication of a breach to stakeholders,” he said.
“The playbooks must be specific to an organisation and rehearsed to ensure they work for their environment. A ‘copied and pasted’ plan will not work because it’s not specific to the organisation and has yet to have the organisation’s team, such as IT, risk, the board, counsel, and insurers, involved in creating it.”
Best practice and ‘cyber preparedness’
Cyber security has been a key issue for organisations across a range of sectors, including legal, with companies urged to implement protective measures such as cyber insurance and take a closer look at their positive security obligations – particularly smaller firms, where the costs of a breach could be detrimental.
Breaches can also have a substantial impact on the insurance space, as “cyber resilience” and “cyber preparedness” continue to be vital for organisations of all sizes in 2024, Sparke Helmore insurance partner Jehan Mata said.
“Some hot tips for the insurance industry to stay ahead of cyber threats include keeping up with judicial decisions and legislative changes, which will act as a guide for insurers on the appropriate wording of definitions and insurance risk clauses, keeping a look-out for the use of AI and any reported risks, and considering professional indemnity risks, particularly for brokers; understand cyber policies, coverage amounts and the impact of exclusions,” she explained.
“The health sector should remain on high alert as security reports suggest the sector is a major target. Security hygiene, attack preparation, security tools and adaptive technologies need to be considered, particularly for small practices.”
Colin Biggers & Paisley partners Katherine Jones and Morgan Lane added that in 2023 there was an average of one cyber crime every six minutes, a trend the pair said would continue this year as cyber attacks become more sophisticated.
“We expect AI to become more commonly used as businesses see the commercial advantage of doing so and staff become more comfortable with the benefits AI tools provide. For instance, AI location services will be less seen as tracking and more seen as ‘where can I find the needle in the haystack?’ The productivity gains in a large language model (LLM) being applied to analyse large and massive datasets (especially those already owned by a business) will see businesses use AI for managing corporate and compliance risk, customer relationships, supply chains, product development and more. In this sense, AI will deliver faster analysis, better certainty and measurable margins for error,” they said.
“In respect of cyber security, we expect to see more sophisticated cyber attacks; however, this will be countered by AI that will form the cornerstone of cyber resilience and the ability to defend against attacks. If the Privacy Act Review Report’s 116 amendments are implemented in 2024, there will be an impact on small businesses [that] experience a breach, with changes to reporting obligations, removing an exemption that covers employee records and changes to what is considered to be ‘personal information’.
“Comments by ASIC have put boards on notice to prioritise cyber resilience, which we expect to lead to an increased number of prosecutions where boards sit on their hands and there are repeated or flagrant breaches.”
Similarly, Mr Steenkamp emphasised that mitigating cyber risk will require greater board engagement going forward.
“‘Good cyber governance’ will require closer and more active management and board engagement on cyber risks, particularly when dealing with privacy and regulatory issues with legal, liability and reputational implications. To better safeguard against cyber risks as a whole, we will start to see greater and earlier legal involvement in cyber security risk mitigation,” he added.
“The management of director liability requires it to ensure there are robust defences in place. It also helps ensure incident response processes, contractual agreements, and governance structures are tuned to limit the risk of successful legal action by increasingly litigious regulatory authorities and customers.”
If an incident does occur, investigations can be a long process – and Mr Sedgwick added that “finding a balance between disclosing too early or avoiding disclosure and potentially appearing to obfuscate the truth while giving assurance to the various stakeholders is very difficult”.
“Rehearsing incident response is the only way to understand the operational realities of incident response at the board level through an organisation to a tactical level. Boards and senior management must consider whether they will get accurate or timely information from a stressed and burned-out workforce. Such information is relied upon to inform the market and the regulator. If inaccurate, there can be consequences, including for the organisation’s reputation,” he explained.
“The response team need to know that the leadership has their back and that they’ve got all the support – including bringing in external vendors to alleviate the pressure – that they need to do a good job.”
Lauren Croft