Cyber duties

Changes to the law have made cyber security a board responsibility. Patrick Fair outlines the fundamentals that every company officer should know about cyber security oversight.

Businesses depend heavily on digital information and many operate partly or entirely online. A security breach can threaten trading platforms, intellectual property, customer information and reputation. In addition, the Federal Government is planning to introduce mandatory data breach notification legislation this year. In this context cyber security has become a board responsibility.

What should a company officer know and what systems and procedures should he or she review in order to discharge responsibility for cyber security oversight? Some fundamentals are set out below.

Identify information

Directors should be aware of the scope of information that the business holds and manages and understand the practical and legal significance of that information to the enterprise.

Some information may be subject to fiduciary and confidentiality obligations, regulated by the Privacy Act and/or subject to a higher standard of regulation as “sensitive information”. Some information is business critical and other information is held only for compliance reasons or to manage contingencies. In addition, your industry may be subject to specific rules that control the way you collect and use certain types of information.

Understand your IT systems

It is important to understand where information is located, who has access to it, the strategy behind the design of the system and its strengths and potential weaknesses.

Company IT systems comprise many diverse parts that are, most probably, provided or supported by a range of specialists. It is likely that:

  • Only part of the system hardware will be located on premises.
  • The system will make information available to third-party business partners, IT infrastructure service providers and support providers, and connect to geographically remote parts of your business operation.
  • Key elements of the system may (ideally they would) have redundancy or available substitutes.

Data sovereignty issues arise if company information is to be stored overseas or made accessible by an offshore service provider. Information is subject to the laws of the place where it is stored and service providers are also subject to the law of the place where they conduct business. This means that foreign law enforcement agencies and national security agencies may be able to access the relevant information without your knowledge. For many businesses and many foreign jurisdictions, exposure of this kind is not an issue.

However, it is important to consider what representations or undertakings have been given to customers regarding the safety and security of their information and whether or not information about your enterprise or your customers’ business would be of interest to a foreign government. Australian privacy law makes Australian corporations strictly responsible for breaches that occur offshore.

What controls are in place?

There should be a strategy to prevent the installation of malware and unauthorised access to company information.

Controls should involve physical security, technical measures and awareness training. This will ordinarily mean that:

  • Access to internal company information should be controlled in accordance with work responsibility. Employees should only be able to access the information necessary to the performance of their job.
  • Similarly, third-party suppliers should only be able to access information necessary for the provision of business services to the enterprise. Technical support and services should not be able to make use of company information for any purpose other than the provision of services.
  • Management, employees and third-party providers should be provided with, trained in and able to review company policies that outline these arrangements at any time.

Policies and procedures

Fundamental to IT security is due diligence on third-party suppliers, clear contractual relationships with those who have access to your systems and suitable review and timely checking of compliance with contractual obligations. Your business should have a standard questionnaire(s) that it provides to prospective suppliers in order to evaluate the standard of security they implement and maintain.

Your business should have procedures to ensure that suppliers are maintaining the standards promised.

In 2016, traditional contractual arrangements that deal with confidentiality during negotiations, protection of personal information and confidential information are inadequate. Your organisation should have a standard set of clauses that protect customer information and business information disclosed or made accessible to the third-party suppliers during the supply term. These should also go further to protect statistical and operational information regarding your business, which can be collected, created and/or analysed by the third-party as the result of its interaction with you and/or your customers.

Your business should have procedures to ensure that suppliers are maintaining the standards promised and taking steps to address security weaknesses when identified.

As an officer of the company, you should ensure that the training is refreshed and that any security weaknesses that are identified are reported and effective remediation implemented.

Cyber security constitutes not only the design of the IT system but also the knowledge, skills and practices of employees. It is almost impossible to prevent any system from installing and loading software at the request of an authorised operator. The risk of compromise through social engineering is often underestimated. It is vital that the modern business has regular security training for new employees and provides updates on the latest threats.

A comprehensive guide to the elements of an adequate security framework has been set out by the United States National Institute of Standards and Technology: the NIST Framework. There is a range of ISO security standards to which the business can be certified and others which constitute best-practice recommendations.

As an officer of the enterprise it is not your role to review the detail of these policies and procedures. However, you can ensure that the business has a culture of compliance indicated by a comprehensive set of policies, regular review processes and regular board reports. Consider asking when the business last conducted penetration testing and for a report regarding the results of the last audit on compliance with security obligations by the business's suppliers.

Responding to a breach

The policies and practices described above will not prevent every security breach. The risk can be reduced but the possibility cannot be eliminated entirely. Your enterprise should have a security breach response plan that aims to manage methodically the issues and risks associated with a security breach. The plan should provide for analysis and assessment of the loss and steps to prevent and/or limit ongoing loss and damage.

The investigation into any breach that is discovered should be conducted in a way that preserves forensic evidence that might be required for litigation or to assist the investigation of a regulator. It should identify the parties who potentially need to be informed and plan for the formulation of a communication strategy dealing with customers, employees, the public and the regulator. The impact on regulatory obligations in all relevant jurisdictions must be considered, insurers notified and possible pursuit of the perpetrator considered.

Conclusion

Some security breaches do not cause real loss and are quickly remediated. Others have led to the resignation of the CEO and caused substantial trading losses to the affected entity. On the plus side, good cyber security can also be a competitive advantage. A business which is distracted dealing with the consequences of a data breach and/or engaged in litigation attempting to recover or prevent the communication of its corporate information is not a business focused on serving its customers.

Attention to these issues is now an important part of protecting the modern enterprise and assuring its future.