With the tightening of cyber regulations, many companies are now subjected to hefty fines should they become non-compliant. At the same time, these standards for compliance are also presenting themselves as the very prerequisites by insurers. That is, cyber insurers will only insure clients who prove that they have an adequate cyber defence posture. CTRL Group discuss the cyber regulations landscape and cyber insurance
There is no denying that technology nowadays is evolving at an exponential rate. Each day there is news of an invention, patent or development that will affect millions of lives. However, alongside the progress and innovation brought by technology, the risks emerging from it are also evolving at a rapid pace. You don’t have to be interested in technology or even cybersecurity to have heard about cyber-attacks such as hackers that have stolen millions from a bank, a ransomware gang that is blackmailing everything in sight or critical infrastructure that was infiltrated, leaving countless people with no power, clean water, or other vital services. Every organisation and every person are vulnerable to incidents such as identity theft, network penetration, phishing, ransomware and many other buzzwords. This proves how dangerous these cybersecurity risks are to our everyday lives.
Law and (Dis)order
In order to try and mitigate these cybersecurity risks, there needs to be clear standards and policies in place, to define the required actions from organisations to properly protect themselves and their clients, and to create a baseline for the minimal defence measured to be implemented, based on different characterises such as risk level, sector, possible impact, etc. This can also be affected by contractual obligations – for example, when doing business with entities that are regulated, your organisations might also have to meet certain security standards in accordance with that entity’s regulations.
A common policy that is recommended by The Australian Cyber Security Centre (ACSC) is the Essential Eight, a baseline of eight different mitigation strategies meant to make it much harder for adversaries to compromise systems.
In Australia, the responsibility for defining these policies, rules and standards is divided amongst several different regulators. Financial services, for example, are regulated by The Australian Prudential Regulation Authority (APRA) and The Australian Securities and Investments Commission (ASIC), but also need to adhere to the ACSC, The Australian Competition and Consumer Commission (ACCC) and other parties. Critical infrastructure businesses are regulated by The Department of Home Affairs and the Cyber and Infrastructure Security Centre (CISC), while the ASX also regulates its listed entities, regardless of their sector. On top of that, some businesses must be compliant with international regulations, especially in the financial services sector, such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT)’s Customer Security Programme (CSP) that must be implemented by all users on their local SWIFT infrastructure.
This ‘regulation congestion’ is expected to increase in the upcoming years, as the Federal Government is planning to release new regulations, and the global trend is leaning towards creating binding agreements and regulations for the cybersecurity space, for example against ransom payments, certain certifications obligations for specific employees, liability for cyber defence and other issues related to cyber incidents.
A prime example for this is the new laws introduced to strengthen the UK’s cyber security provisions, adding the IT services sector to the list of sectors that are obliged to implement effective cyber security measures, mainly to address the phenomenon of supply chain attacks, that target service providers to cause maximum disruption to many businesses simultaneously.
Despite the high number of different regulators in the cybersecurity space, the Australian government is in the stages of implementing several new regulations in the near future – critical infrastructures, privacy act, the CORIE framework, parts of the cybersecurity strategy and other binding clauses currently being discussed, such as mandatory reporting of ransomware payments and holding company directors personally liable for cyber incidents. All these new regulations and clauses are expected to make compliance harder for Australian businesses that are not proactive in their approach towards cyber security.
The Security of Critical Infrastructure Act was published in 2018 and is meant to manage the national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. It is enforced by the CISC, which oversees enhancing the security and resilience of critical infrastructure to ensure essential services continue to be delivered. In December 2021, the act was updated to include more sectors – not just gas, electricity, water and transport, but also financial services, telecommunications, healthcare and more.
It also details “powers of last resort”, which effectively allow the Australian government to command a breached organisation to respond to the incident in a certain way, if certain circumstances are met (e.g., the organisation is un-cooperative or unable to properly respond to the incident, or the incident in high probability will risk social or economic stability of Australia, or its national security.
The Privacy Act regulates the way individuals’ personal information is handled. It is meant to give individuals greater control over the way that their personal information is handled. The current act was published in 1988, and the new act is currently in the stages of approval towards a final release in 2022.
The Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework is a regulatory framework published by the Australian Council of Financial Regulators (CFR) to continuously examine the Australian financial services sector’s cyber resilience. It relies on other international cyber security frameworks for the financial services sector and puts a strong emphasis on threat intelligence for financial organisations.
The Cybersecurity Strategy is meant to introduce stricter cybersecurity regulations to make Australia more resilient to cyber threats. Although published in 2020, some reforms are now being discussed due to a growing global threat landscape.
Cost of Doing Business
If all these regulations are not enough to convince you to stay cyber vigilant and enhance your security efforts, then these figures might: during the 2020–21 fiscal year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. It also reported an average of a cyber-attack reported every 8 minutes compared to one every 10 minutes last fiscal year. Out of these, ransomware reports specifically grew by 15 per cent between the two fiscal years. In total, Australian organisations reported losses of more than $33 billion from cybercrime over the 2020-21 fiscal year.
These inherent risks, along with the growing popularity of cyber-attacks and the knowledge sharing between nation-state actors and cybercriminals, virtually make it a necessity for any Australian business – not just in targeted sectors – to have a good security posture, not only to directly protect themselves from cybercriminals but also to be able to ensure themselves. Most insurance companies now demand their clients to prove they have a good security posture through an external audit before even discussing issuing cyber insurance.
Cyber insurance could prove to be critical in case of a cyber-attack, but not only for the recovery stage but also for the hefty fines expected for organisations who fall behind on demands: ACCC, ASIC and APRA have all recently stated they will put an emphasis on prosecuting non-compliant businesses and holding their management accountable. Similarly with foreign governments, if you do business overseas, expect similar regulations and enforcement levels in most Western countries.
Handling the Threat
After taking a deep breath and understanding that in the next few years your organisation will have to step up its cyber game or suffer from both cybercriminals and regulators, it’s time to start planning. What can you do to be prepared for the incident when it happens (and it will), and for the regulations that the government is expecting you to comply to?
First, it’s important to remember that mitigating cybersecurity risks is not solely the CISO’s job. It is a company-wide effort, that begins with identifying your business’ critical assets, risks associated with their use and their current exposure. After having that information, you can determine adequate controls, processes and policies from an informed position, reducing the risk to an acceptable level.
Here are some more recommended actions you can take to minimise the threat:
- Based on your business’ size, posture and sector, assess both your security threats and the relevant regulations you need to adhere to. This will help you plan your cybersecurity strategy accordingly and focus your efforts on relevant areas. CTRL Group recommend starting with The Essential Eight policy.
- Aim to minimise your organisation’s attack surface – this includes obsolete cloud assets, old servers that are no longer maintained and anything else that leaves a digital footprint of your business. The less of you to see, the more chances you will be overlooked by attackers.
- Be proactive – Taking a headfirst approach, changing things that do not work on the go and constantly aiming to assess and improve your security posture will make you a far less attractive target for attackers, who try to earn as much as possible with as little investment from their behalf. If your organisation is deemed as hard to penetrate, they will most likely move on to the next target on their list.
CTRL Group are a pure-play cybersecurity services provider and an authorised auditor of many cybersecurity standards and regulations. Our frontline cyber experts bring over 20 years of experience building and leading cyber and risk operations. Rest assured with CTRL Group’s data-based cybersecurity assessments, security uplift services and more.