
In my paper on Risk and Business Continuity Planning – Cyber Management in E Conveyancing, I discussed some developments in cybersecurity risk and the need to implement a range of cyber protections.

In that paper I addressed some aspects of risk governance and Business Continuity Planning. Following on from those concepts this paper addresses the protection of confidential information and the management of third parties, including supply chain risk.

In today’s interconnected environment, every enterprise holds significant amounts of data and deals with a range of third parties (such as clients, banks, insurers and suppliers). However, we often have little visibility of how those third parties may access our data/systems and impact our business.

In its 2023 Pulse Survey, ASIC noted that:

‘two-thirds of participants indicated they had limited or no capability to protect their confidential information. The results also showed that:

› 29% of participants do not encrypt confidential information

› 31% of participants do not have controls to prevent unauthorised transmission of confidential information, and

› 40% of participants do not manage their data destruction.’[1]

For many organisations, information and data are a key asset, if not the most critical asset. And even if that is not the case for your business, any kind of data leak has the potential to adversely affect its reputation and financial position.

Identify and protect your information

Businesses therefore need to identify and protect their data assets. This is not necessarily an easy task. Information asset identification is now a critical task for directors and senior managers. Further, for data that constitutes ‘personal information’ within the meaning of the Commonwealth/State/Territory Privacy Act, businesses should undertake Privacy Impact Assessments to identify personal information data flows and implement protections for that data commensurate with the potential consequences of that data being accessed, used or disclosed in an unauthorised way.

The protection strategies referenced in the Australian Signals Directorate’s (ASD) Essential Eight (for example, keeping your IT system patching up to date and introducing multifactor authentication) will assist in protecting information assets.

Risk of retaining too much information

Separately, it is now fairly common for businesses to retain vast amounts of data (a data lake)—including data that is out of date and significant amounts of data that the business may not actually need. Businesses have become data ‘hoarders’. Moving forward, better practice is to develop effective data capture and data destruction practices. Questions to consider include: are you collecting only the information that you actually need to run your business? Do you have systems in place to ensure the accuracy of the information over time? Do you have systems in place to delete or destroy data appropriately?

ASIC has described better practices as including:

‘› developing and enforcing a data retention policy that specifies how long data should be retained and when it should be securely destroyed

› using secure data destruction methods appropriate to the data type and media (e.g. shredding physical documents, degaussing magnetic media and securely erasing digital data)

› establishing data destruction procedures for secure disposal of data

› considering reputable third-party data destruction services for physical media, and

› conducting regular audits and inspections of data destruction processes to verify effectiveness.’[2]

Third parties

In relation to third party supply chain risk, ASIC noted in its 2023 Pulse Survey that:

‘A concerning 69% of participants indicated they had minimal or no capabilities in supply chain and third-party risk management. In particular, 58% of participants indicated they do not test cyber security incident responses with critical suppliers.’[3]

Interconnected third parties can nonetheless become the route by which your computer networks are compromised. The APRA Prudential Standard CPS 230 at rule 27 provides that an APRA-regulated entity must:

(a) maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;

(b) identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls; and

(c) undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need for new or amended controls and other mitigation strategies.

While APRA regulates only a limited part of the environment (i.e. banks and insurers), the APRA guidance is useful for all businesses.

In terms of what you can do to protect against third party risk, your business should add third party risk to your cyber security risk profile and to your staff training schedule. More specifically, you should implement controls on who can access your IT systems. Implementing the ASD Essential Eight will also assist in addressing this issue through the addition of access controls, multifactor authentication as a prerequisite for systems access, and encryption to protect your confidential information.

In relation to third parties, you need to identify the third parties who access your IT systems. Indeed, a simple and relatively cost effective first step is to ensure physical security protections are in place at your premises—don’t just let contractors wander around. Ensure that contractors are identified, monitored, escorted, or otherwise have limited access.

Conducting due diligence on third party suppliers is a useful and highly desirable task. It is potentially resource and cost intensive, which may prove to be problematic for small businesses. But it is now common practice for many larger organisations such as banks, government entities and enterprises that fall within the scope of the Security of Critical Infrastructure Act 2018. For example, many of these organisations issue in-depth cyber questionnaires to potential suppliers before engaging them.

Separately, you should include general security and specific cyber security obligations in all contractual documentation with third party suppliers.

If your business is a smaller organisation that does not have the resources to implement a full scale cyber protection model, you should seek cyber advice, and your risk management planning should prioritise critical assets and identify key risks.

Be proactive

These protections are not set and forget; you need to monitor and test them regularly. In doing so you should also test your supply chain protections by involving critical third parties in your regular cyber-testing operations.

Apart from protecting the value of your business by adopting appropriate cybersecurity risk management, regulated businesses should be aware that ASIC has indicated that directors and potentially senior management need to implement adequate cyber security management in order to fulfil their fiduciary duty of care and diligence under the Corporations Act 2001. Consequently, directors and senior management are on notice that ASIC may bring an action in respect of any cyber security tardiness.


[1] ASIC, REP 776 Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 (November 2023), p 13.

[2] ASIC, REP 776 Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 (November 2023), p 15.

[3] ASIC, REP 776 Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 (November 2023).
