


Twelve months ago, our survey told us that corporate Australia had a lot of work to do to improve its cyber resilience – is this still the case?

Today, almost 80% of respondents to our Cyber Risk Survey believe the cyber threat to their organisation has increased compared with last year. However, our data shows that many are still not undertaking crucial preparatory work – perhaps one of the most jarring findings from our survey was that 58% of respondents said it would take an actual cyber attack to motivate their organisation to meaningfully improve their data risk management.

The traditional view of cyber risk and resilience is becoming harder to sustain. As companies continue to transform their digital capabilities, handle ever-greater data volumes, and transact with a complex array of third parties, their supply chains are subject to growing cyber vulnerability. Their attack surface has increased (and become less visible) and many are faced with the real prospect of regulatory intervention, cyber-related class action claims and long-term reputational damage.

Robust cyber resilience involves many parts of a business, but we believe it is time to acknowledge that technology and IT play a disproportionate role in building cyber resilience. Many of the incidents we see could have been avoided through basic cyber hygiene and good technology or IT solutions.

We also observe that legal teams are increasingly front and centre. This was evident in our survey last year and is reinforced in 2024. In the immediate aftermath of an incident, legal expertise is essential in assessing the impact of an attack, preserving evidence, ensuring regulatory compliance, navigating communications, managing notifications and helping the business engage with stakeholders.

Boards also play a significant role. Key decisions, including those relating to disclosure, threat actor engagement and extortion payments, often reside with the board. Despite this, half of our respondents say their boards have not been through a cyber simulation, 30% have not been educated about cyber risk in the last year and 36% have not yet decided whether they are open to paying an extortion demand. Clearly there is a lot more to do.

We can always work harder or spend more on the technical side of the ledger. The challenge for many organisations is whether the investment is sufficient to align with the company’s risk profile – what does good look like? What resilience measures are sufficient? Many are turning to the Government for guidance, and more than 50% of our respondents think the Government needs to do more to address cyber risk.



 

Throughout 2024, we interviewed high-profile cyber leaders (in the private and public sector). Similar messages are coming through: protect the network you have, not the network you think you have; select a standard and measure yourself against it; invest in early detection tools and basic cyber hygiene; review your supply chain; and have a good incident response plan.

This year, we surveyed more than 160 legal leaders, with the overwhelming majority comprising group general counsel, senior legal counsel, divisional general counsel or equivalent. Sectors represented include financial services, consumer and retail, infrastructure, private capital, technology, and energy and resources.

This report tracks the evolving perspectives of in-house legal teams amid a rapidly changing cyber landscape. Fresh data is supported by insights from our firm’s industry-recognised experts from across the Asia-Pacific region in cyber, regulatory, corporate advisory, dispute resolution and insurance. Our research reveals that while Australian organisations are becoming increasingly concerned with cyber risk, their legal preparations and activities are not yet proportionate to the severity of the threat.

Cameron Whittfield
Partner – APAC Cyber Security Head
