Global law firm Herbert Smith Freehills has published its Australian Cyber Ready survey, which shows that Australian organisations are increasingly concerned with cyber risk, and their preparations may not be aligned with the nature and extent of the risk.

The survey – which sought and received responses from more than 160 leaders from in-house legal teams – found that four in five respondents believe that cyber threats to their businesses have increased in the past year, but that preparations to meet those challenges are falling short.

Most concerning is the fact that three in five (58 per cent) say that it would take an actual cyber incident to meaningfully improve their organisation’s focus on data risk management.

This is despite almost 60 per cent of respondents saying they are worried about the risk of class action following a cyber incident in their business, with consumer sector respondents highest.

“Cyber incidents are followed by increasing material litigation risks that can be minimised with planning,” said HSF partner Christine Wong.

“There is a trifecta of risk, where we see potential regulator investigations, flow to prosecutions, then class actions litigation – either consumer, shareholder, or both.”

“With 83 per cent of survey respondents that are ‘very concerned’ about their data collection and retention practices also concerned about class action, the link between the source of liability and appropriate data collection and retention practices has been highlighted,” Wong said.

VIEW ALL

“Litigation risk can and should be planned for; making decisions ahead of a cyber incident on how privilege applies can not only remove risk but ensure effective response.”

Reputational damage is another risk that legal leaders are concerned about, added HSF partner Carolyn Pugsley.

“The leaders we surveyed are very attuned to the reputational damage that can flow from a cyber incident, but not all of their businesses are investing in the right level of preparation to mitigate that risk,” she said.

“One of the survey findings that most surprised us was that 50 per cent of boards had not participated in a cyber simulation. Managing reputation risk is a critical task for boards, and navigating an incident response in a manner that helps protect reputation and re-establish trust is a difficult balancing act.

“While management will take the lead in responding to an incident, a well-prepared board will become a response enabler through sound, rapid judgement calls.”

Reflecting on the findings, HSF partner and head of the firm’s cyber security practice in Asia-Pacific, Cameron Whittfield, said his feeling is that businesses and those on the front lines of cyber responses are “fatigued”.

“Operating with a constant and changing threat can create uncertain priorities, from the board to the management team and through to the frontline staff,” he said.

“We are continually hearing cyber ‘wake-up calls’ and that cyber is a business-critical consideration, but managing investment decisions and assessing what ‘good’ looks like remains a significant challenge.

“Respondents to our survey told us they would like clear guidance on best practice so that they can manage reputation risks, adequately protect their supply chains, and make sound investment decisions.

“In our experience, in-house legal teams are often front and centre when an incident occurs, and legal expertise is central to response. This is particularly so given the clear legal risks that may exist well after an incident has been triaged.

“We see the need to acknowledge [that] many cyber risks can be mitigated through basic cyber hygiene, and these mitigants involve technology or IT solutions.”