Stay in the know
We’ll send you the latest insights and briefings tailored to your needs
17 9月 2024
Insight
Global
5m read
Fast moving technology
In many respects, we are all still learning about the future technology impacts on cyber risk. Many commentators cite AI and generative AI, as both a force for good in fighting cyber crime, and as a force for bad in being exploited by threat actors. One thing we can all be sure of: emerging technologies will move at pace.
Recently, we have seen the mass compromising of business emails involving deepfake technology, not dissimilar to the attack suffered by engineering company Arup, in February 2024. This resulted in a HK$200 million fraud. We are aware of threat actors joining incident response video conferencing. It is fair to say that our adversaries are looking to exploit this development, which has accelerated even in the last few months due to rapid technology advancements.
The fact remains that many threat actors would prefer to attack using minimal effort. Indeed, this is why basic phishing exploits remain common place and effective. However, as AI becomes more accessible and deepfake technology proliferates, we can certainly expect this to become an increasing part of the threat actor arsenal.
The development of quantum computing should be watched with interest. In our recent conversation with Penn, he drew attention to a concern that many organisations have deprioritised: the vulnerability caused by reliance on encryption to advancements in AI and quantum computing. “We are going to have this Y2K moment but we don’t know the date,” he said.6 In the context of an evolving threat landscape, Penn suggested that “success can’t be defined as eliminating the digital threat; it has to be defined by learning to live with it”.7
Privacy reform
“For a little while there has been a culture that more data is better,” says Special Counsel Kaman Tsoi, who advises clients on privacy and data protection. “It was fuelled by the boom in data analytics and cloud services. Companies where thinking ‘Storage space is cheap, let’s hang onto our data just in case. And we might find some way to monetise it down the track’. Keeping it all became easier than deciding what to get rid of and when.”
Unfortunately, as many companies experiencing large-scale data breaches have found: too much data can be a problem when things go wrong, especially when the data is personal information. Several incidents have had consumers and media questioning why companies held such old data in the first place. In this context it is not surprising that, of the 75% of organisations taking steps to review their data collection and holding practices, 78% are focusing their efforts on reducing aged data stores.
Data retention has been a sleeper issue in relation to Privacy Act compliance for some time. However, we expect it will be brought back into focus in upcoming law reform. Specifically, certain companies may be required to establish minimum and maximum retention periods for personal information, as well as to specify retention periods in their privacy policies. The reforms may also create more flexible enforcement options for the Information Commissioner, including low and mid-level breaches. “At the moment, enforcement tends to be more focused on bigger incidents so there is a lot going under the radar,” Tsoi says.
According to Emily Coghlan, the volume of data stored by businesses continues to mushroom. Data sources are also expanding, with new and emerging technologies creating additional challenges. This means organisations that have not been systematically reviewing and deleting their aged data have extraordinarily backlogged volumes. These companies are also potentially highly exposed in the event of a cyber incident.
This will not come as a surprise to our survey respondents: while only 33% express concern regarding their organisation’s data collection and retention practices, 58% consider it would take a cyber attack to meaningfully improve their organisation’s focus on data risk management.
Of the organisations taking steps to review their data collection and holding practices:
These statistics paint a sobering picture of complacency and inertia. But they should be taken in the context of protracted delays to anticipated reform. “Many legal leaders have not had the bandwidth, budget or executive buy-in to meaningfully address data concerns in a privacy landscape in limbo. In particular, we know clients are waiting to see words on a page and bipartisan support for the proposed reforms before green-lighting the adoption of certain AI tools.” says Heather Kelly.
Developing ethical frameworks around the use of data is becoming important as more organisations contemplate use cases involving machine learning and generative AI according to Coghlan and Tsoi. This will involve balancing the opportunities from AI with the risks that come from hanging on to potentially irrelevant data. For example, it may be possible for a business to de-identify all its customers transactions for the purposes of generating insights from an AI model. However, attempting to obtain insights at the individual customer level will more likely require greater risk assessment, transparency and fairness under new privacy provisions.
Many legal leaders have not had the bandwidth, budget or executive buy-in to meaningfully address data concerns in a privacy landscape in limbo.
Heather Kelly
Senior Associate
The 2023–2030 Cyber Strategy: A quick fix or a slow burn?
Implementation of the 2023–2030 Cyber Strategy is taking shape, albeit very slowly. It was released in November 2023 and we are yet to see meaningful legislative outcomes from an ambitious two-year Action Plan.
Our survey shows that most participants are familiar with the strategy, but do not have a view on it. Of those who are familiar with it, 17% support its reform agenda, while the same percentage (17%) think its proposals did not go far enough in addressing cyber risk relevant to their organisation. Concerns about the strategy shared via the survey are consistent with what we are hearing from clients – in particular, concerns about information (including threat intelligence) sharing and a lack of clarity around 'no fault' reporting. We share these concerns and look forward to further guidance in the months ahead.
More than 50% of survey participants believe the Government could do more to address potential cyber security risks to the Australian economy.
Whittfield is concerned that the Australian Government has bundled the Minister for Cyber Security in with a number of other portfolios, following a ministerial shake-up announced on 28 July 2024. “While we may not need a standalone Cyber Security Minister, cyber is now simply one of a large number of significant portfolios assigned to a single minister. There is a risk of cyber being deprioritised at a time when we need it to be front of mind,” Whittfield says.
The ministerial restructure is noteworthy given the emphasis placed on strengthening the Australian Government’s cyber resilience in the 2023–2030 Cyber Strategy. In July 2024, the Department of Home Affairs acknowledged it had made limited to no progress against the majority of action items pertaining to public sector security and sovereign capabilities in the Horizon 1 Action Plan, including uplifting the cyber security of the Australian Government8.
There is a risk of cyber being deprioritised at a time when we need it to be front of mind”
Cameron Whittfield
Partner - APAC Cyber Security Head
This follows a report published in June 2024 by the Australian National Audit Office,9 which identified ongoing low levels of cyber resilience in non-corporate Commonwealth entities.
But credit where credit is due. In the time Clare O'Neil MP, now federal Minister for Housing, held the country’s first cyber ministry portfolio, we believe the Government demonstrated great focus and engagement regarding cyber. It appointed an Expert Advisory Board to advise on the development of the 2023–2030 Cyber Strategy, and released the strategy and accompanying Action Plan. It established a National Office of Cyber Security and appointed a National Cyber Security Coordinator. It also introduced new cyber security legislation to improve information sharing and mandate the disclosure of ransom payments.
Key contacts
Legal Notice
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024