Goldilocks and the cyber risk disclosure porridge: an old children’s tale offers a useful lesson for disclosure of material cyber events (and the role that legal teams must play), write Annie Haggar and Denny Wan.
“This porridge is too hot,” said Goldilocks. “And this porridge is too cold,” she complained. “But this porridge is just right,” she sighed and ate it all up.
It might be a children’s tale, but Goldilocks is a useful lesson when working out what to do in a stressful situation, where there are competing legal obligations, judgement calls, and the future reputation and success of the organisation at stake.
On the hot stove of a cyber breach, it is easy to make disclosure decisions that lead to poor outcomes, including overly hesitant disclosure (too cold), which fails to comply with regulatory obligations, or thoughtless over-disclosure (too hot). Both can lead to serious outcomes in the long-tail consequences of cyber breaches, such as loss of legal privilege.
So, how do you make disclosure “just right”?
Pre-planning and having a clear policy and plan for what will be disclosed, to whom, and when will provide you not only with a clear set of actions to follow when the breach comes but also provide you with a defensible governance process should the regulators or litigators come knocking after a breach.
What disclosure is required?
In Australia, there are several different regulators that require you to disclose when you have a material breach, and the consequences for failure vary. These include the Office of the Australian Information Commissioner (OAIC) for privacy breaches; the Australian Securities and Investments Commission (ASIC) for market-relevant breaches for listed companies and Australian Financial Services Licence holders; the Australian Prudential Regulation Authority (APRA) for material cyber security weaknesses (with a 10-business-day reporting requirement); and the Department of Home Affairs for Security of Critical Infrastructure (SOCI) operators, under which organisations have only 12 hours to report an incident with significant impact and 72 hours for less serious incidents. The Privacy Act reforms have also flagged a 72-hour reporting window for the coming changes to the Act, and anyone operating under GDPR already must meet these time frames.
There are further reporting requirements proposed under the Australian Cyber Security Strategy 2023–2030 for specific types of breaches such as ransomware.
What risk is “material” and what and when you are required to report is quite different for each of the disclosure and reporting obligations. Therefore, each disclosure decision must be evaluated based on the industry, applicable regulatory framework, the data it holds and other factors.
How to report also differs between regulators: some require submission by email, while others, such as ASIC, mandate reporting through their online portals. The government has foreshadowed establishing a “single reporting portal” as part of its 2023–2030 cyber security strategy. However, the development and launch of the portal are some way off. There is a good resource available from the ACSC website (search for “single reporting portal”) that helps you to identify the reporting obligations applicable to your organisation, but it still does not reduce the disclosure red tape to just making a “single report” for a data breach.
What is the importance of defensible disclosure?
Defensible disclosure can help organisations focus on responding to the incident by minimising unnecessary questions. They have disclosed what could and must be disclosed at the time, without speculating on things they cannot yet know. They aren’t holding back entirely, which could be seen as hiding the facts.
Defensible disclosure (the right amount of information, at the right time, to the right people) equips the organisation to engage with the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP) in seeking technical incident response, decryption, and coordination of response support (in some cases). Disclosure of data about cyber incidents also supports the government in its national response to cyber security, and its protection of Australia’s national security, which can be impacted by cyber attacks.
Disclosure of information about cyber attacks can also help other organisations better defend and respond to attacks, contributing to the available threat intelligence and supporting the community as a whole.
What are the risks/issues with non-defensible disclosure?
Depending on your industry, the type and seriousness of the breach, and the country you operate in, the consequences of poor disclosure, whether that is “too hot” or “too cold”, can vary.
At the extreme end (Uber’s former chief information security officer Joseph Sullivan’s SEC prosecution in the US for failure to disclose), the consequences can be significant, including personal prosecution and jail time. We haven’t yet seen an example of jail sentences in Australia.
In Australia, we are still in the early stages of true “consequences” for poor disclosure, and we need to draw some parallels from cases in similar areas such as the GetSwift case in 2023. While not a cyber security breach case, ASIC brought a case for failing to provide continual disclosure, and the Federal Court agreed that fines of $15 million for the company, and fines of up to $2 million and up to 15-year bans on managing companies for former directors were appropriate. ASIC was explicit in its press release following the judgment that it would bring similar actions where companies failed to disclose cyber security breaches.
There are a range of consequences under the various regulations that require disclosure, including financial penalties:
Disclosure isn’t just about disclosure to regulators either. Public statements made by the impacted organisation, such as press releases and statements to the media, can also have impacts on the long tail of activities following a breach. For example, the public statements regarding the forensic report produced by Deloitte in the Optus breach contributed to the reasons why the Federal Court of Australia held that the report was not covered by legal professional privilege.
Disclosure to government
The consequences of poor (or late) disclosure (too cold!) are not just regulatory fines and lawsuits. If an organisation is overly hesitant to disclose a breach to government entities able to assist in investigation (e.g., ASD), it can hamper its investigation and recovery efforts, with impacts that can reach far beyond the organisation and its customers and potentially reach into the realms of national security.
It is understandable that organisations would be reluctant to share information in a breach with any other party, government or otherwise, until they fully understand what is happening and what the likely long-term impacts are. With class actions and multiple government investigations quick to flow in the wake of the Optus and Medibank breaches, organisations must think about protecting themselves not just against the cyber attack but from the class actions and regulatory investigations that will follow. Information disclosed during a breach can come back and be used against the organisation when it is trying to defend against litigation and regulatory investigations.
ASD has recently noted that organisations have been hesitant to engage with the agency based on legal advice from lawyers inexperienced with cyber incident response, potentially hampering the investigation of the breach. While this has been put down to lawyers hampering the investigation, it stems from a hesitancy to make any information public that might add fuel to the fire that could burn the whole house down.
As part of the Australian government’s Cyber Security Strategy 2023–2030, the government is now proposing a “limited use” restriction on any information provided to select agencies during a cyber incident to increase rates of disclosure. The information provided to the ACSC or AFP could not then be provided by the government to the OAIC or ASIC. However, it is not yet clear whether the information would be discoverable under subpoena or freedom of information (FOI) in following regulatory or litigation actions.
How to make disclosure ‘just right’?
Making defensible disclosure during a cyber incident should consider the following factors:
Measuring risk materiality
One of the core measurements that is considered in disclosure is the “materiality” of the breach.
The need for a consistent measurement of the materiality of risks was raised across the 39 submissions received by APRA in the public consultation for CPS234 in 2019. While APRA noted this request in its report on received submissions, it refused to provide a definitive materiality threshold.
So how should organisations consider what is “material” in a cyber incident and what and whether to disclose?
The Open FAIR™ Cyber Risk Quantification standard is a useful decision tool for the CFO and CISO to determine cyber risk materiality together. The paper “CPS 234: Will you comply?”, published by Actuary Australia, walks through how to apply FAIR to assess the materiality of cyber risks. Moreover, the Open FAIR™ Cyber Risk Quantification (CRQ) standard is named by NIST in NISTIR 8286 as the key enabler to integrating cyber security and Enterprise Risk Management (ERM).
As organisations do their incident response planning, they should include scenario planning for what will be considered “material” for their organisation based on their unique circumstances and regulatory requirements. Using an established standard, having a pre-agreed policy on disclosure, and including it in your organisation’s risk management planning is not only good practice but also helps to defend against future claims that you failed to adequately disclose.
What role does the legal team play?
Lawyers are there to help assess risk and protect their clients. In unfamiliar situations where decisions must be made, they try to shield their client from making decisions that might create future harm. This is their job.
Lawyers should seek to support disclosure that is required and where it will support the organisation in defending an attack and avoiding further harm. However, it can, and should, be done in a way that protects privilege and minimises the organisation’s exposure to future litigation. All public statements should be reviewed by the legal team to help ensure they strike the right balance.
What role does the CISO play?
The CISO plays a pivotal role in a cyber incident, bringing together the technical investigatory and response teams and the executive. They should be working hand in hand with the legal team on what needs to be disclosed and how to protect the organisation, not just from the breach at hand but also from the future consequences.
The work between legal and CISOs should not start with an incident. While a chief information security officer (CISO) is responsible for protecting the organisation from cyber risk, a lawyer’s job is to protect the organisation from legal risk. Their roles overlap. Together, they can persuade leadership that cyber needs to be given the attention and funding it needs.
Annie Haggar is the founder and principal of Cyber GC – a cyber security specialist legal and consulting firm. Haggar is a multi-award-winning, globally recognised cyber security lawyer.
Denny Wan is a Fellow of the Australian Information Security Association. He founded the Reasonable Security Institute, chairs the FAIR-CAM Workgroup and is a member of the Standards Committee of the FAIR Institute.