Follow us

In a survey of over 160 in-house legal leaders, 80% of respondents told Herbert Smith Freehills that the cyber threat to their organisation has increased in the last 12 months, but the preparations required to meet the challenge are still in need of work.

58% of respondents believed it would take an actual cyber incident to meaningfully improve their organisation’s focus on data risk management.  

“My concern is that those businesses, and those on the front line of cyber response, are fatigued” says Herbert Smith Freehills’ partner and APAC Cyber Security Head Cameron Whittfield.  

“Operating with a constant and changing threat can create uncertain priorities, from the board to the management team and through to the frontline staff.  

“We are continually hearing cyber ‘wake-up calls’ and that cyber is a business-critical consideration but managing investment decisions and assessing what ‘good’ looks like remains a significant challenge. 

“Respondents to our survey told us they would like clear guidance on best practice, so that they can manage reputation risks, adequately protect their supply chains, and make sound investment decisions. 

“In our experience, in-house legal teams are often front and centre when an incident occurs, and legal expertise is central to response. This is particularly so given the clear legal risks that may exist well after an incident has been triaged. 

“We see the need to acknowledge many cyber risks can be mitigated through basic cyber hygiene and these mitigants involve technology or IT solutions.” 

Reputation risk of greatest concern  

Survey respondents listed reputational risk as their top cyber risk concern ahead of third-party risk, underinvestment in systems or infrastructure, aged data stores, and lack of cyber expertise.  

“The leaders we surveyed are very attuned to the reputational damage that can flow from a cyber incident, but not all of their businesses are investing in the right level of preparation to mitigate that risk” observes Herbert Smith Freehills’ partner and governance expert, Carolyn Pugsley.  

“One of the survey findings that most surprised us was that 50% of boards had not participated in a cyber simulation. Managing reputation risk is a critical task for boards and navigating an incident response in a manner that helps protect reputation and re-establish trust is a difficult balancing act.  

“While management will take the lead in responding to an incident, a well-prepared board will become a response enabler through sound, rapid judgement calls.”  

Litigations loom large  

Close to 60% of survey respondents shared that they are concerned about the risk of class action following a cyber-incident in their business, with consumer sector respondents highest.  

“Cyber-incidents are followed by increasing material litigation risks that can be minimised with planning” shares Herbert Smith Freehills partner in contentious privacy and data disputes, Christine Wong.  

“There is a trifecta of risk, where we see potential regulator investigations, flow to prosecutions, then class actions litigation – either consumer, shareholder, or both.  

“With 83% of survey respondents that are “very concerned” about their data collection and retention practices also concerned about class action, the link between the source of liability and appropriate data collection and retention practices has been highlighted.  

“Litigation risk can and should be planned for, making decisions ahead of a cyber incident on how privilege applies can not only remove risk but ensure effective response.  

“We are increasingly working with corporates who are considering litigation tactics such as injunctions in their preparations, as another tool in their cyber response arsenal.”  

Are you cyber ready?

Australian businesses grapple with cyber resilience in 2024

Herbert Smith Freehills Cyber Risk Survey

Key contacts

Cameron Whittfield photo

Cameron Whittfield

Partner, Melbourne

Cameron Whittfield
Carolyn Pugsley photo

Carolyn Pugsley

Partner, Melbourne

Carolyn Pugsley
Christine Wong photo

Christine Wong

Partner, Sydney

Christine Wong

Media contact

For further information on this news article, please contact:

Stay in the know

We’ll send you the latest insights and briefings tailored to your needs

Sydney Australia Perth Brisbane Melbourne Cyber Risk Advisory Data Protection and Privacy Commercial Litigation Class Actions Digital Legal Delivery Technology, Media and Entertainment, and Telecommunications Technology, Media and Telecommunications Consumer Cameron Whittfield Carolyn Pugsley Christine Wong