COVID-19 and cyber attacks
The events of the last few days and the (apparently) ongoing cyber attacks against NZX and (it would appear) a range of other businesses provide another reminder about how much business life has changed in 2020.
Just as many businesses, particularly in the retail sector, have been getting to grips with the need to pivot and conduct a much greater part of their activities online, we are reminded (mostly by media articles that don’t go into much detail – for obvious reasons) that the opportunities and threats presented by COVID-19 go hand-in-hand. Hopefully, we will learn more, at least about any common factors in the latest attacks. But it is clear that some have seen the need to move to a much greater level of remote working as an opportune time in which to ramp up the level of cyber attacks.
As is evident from the level of disruption suffered by NZX last week, the cost to business of such an attack can be enormous.
Regulatory action in Australia
Recently, the Australian Securities and Investments Commission (ASIC) has started enforcement action against an Australian financial advisory firm called RI Advice Group for failing to adequately address cyber-security risks.
Whilst the case is specific to both the regulatory framework that applies in Australia to the financial advisory sector and the firm in question (which suffered multiple hacking incidents that affected both the business and its clients – with both unauthorised payments and loss of (client) personal information), this action is regarded as something of a watershed, because Australian commentators suggest that it shows:
- A regulator’s appetite to take enforcement action against companies that fail to meet reasonable standards in managing cyber security risks. In turn, this suggests that regulators, other than just the Privacy Commissioner, may be prepared to take direct action (watch for the Commerce Commission to also become interested in misuse of data by businesses).
- Regulator risk – in the sense of possibly diverging approaches by different regulatory agencies as to their expectations and concepts of best practice – in the Australian test case it is public knowledge that ASIC’s case relates to a small number of cyber-attacks “of a nature not uncommonly faced by Australian businesses”.
- Regulatory expectations that:
  - cyber security policies and procedures are suitably tailored to the particular business and its risks; and
  - appropriate remedial action is taken – including assessments and active steps being taken after an incident occurs (and not just ad hoc/one-off responses) and, where relevant, clients and customers are provided with relevant information about those remedial steps.
Governance issues
There are a number of IT experts who have provided commentary, both to the mainstream media and to their own audiences, about the key areas of vulnerability (and therefore focus) for most businesses seeking to attain better “cyber hygiene”. These are management issues and company directors should be concerned to see that management is adequately across both the risk and protective measures.
To these steps (and the risk management plan) should be added:
- the need to check the extent of insurance cover, and to make sure that the insurers are notified, in a timely manner, of any problems and the steps being taken to remedy them;
- where all or part of your IT support is contracted out – checking the terms of the contract so that all parties are aware of their responsibilities (and rights of recourse); and
- (as another one of the takeaways from our COVID-19 experiences) the need for the business to be particularly aware of its obligations in respect of personal information – with pending changes due to come into effect later this year.
Further information
Please contact me should you have any queries concerning the information provided above.