Wednesday, 13 April 2022

The amendments proposed to the Security of Critical Infrastructure bill swiftly passed through Parliament on 31 March 2022 and came into effect on 2 April. Many impacted organisations now need to comply with mandated risk management programs, government reporting and other obligations.

The resistance of some organisations and industries to the proposed new security measures, designed to safeguard not only them but society at large, is perhaps unsurprising but also short-sighted. Financial concerns are at the root of their resistance. A significant proportion of organisations captured under the federal government’s broadened definition of critical infrastructure are now protesting the costs of implementing what they perceive to be mooted cyber risk management programs. However, this clearly illustrates how many organisations simply do not understand that the damage wreaked by a single data breach can far and away exceed any financial outlay on mitigating cyber risk in the first place, let alone when multiple incidents occur over time.

Industries identified as belonging to the Critical Infrastructure Sector in the Security of Critical Infrastructure Bill 2018 [1] are:

- Electricity, gas, water and maritime ports sectors
- Communications
- Financial services and markets
- Data storage and processing
- Defence industry
- Higher education and research
- Energy
- Food and grocery
- Health care and medical
- Space technology
- Transport
- Water and sewerage.

Organisations in these industries who own or manage critical infrastructure assets are required, among other activities, to adopt and maintain a critical infrastructure risk management program. Additional cybersecurity obligations have been defined for organisations who own or manage systems of national significance. The extra costs such activities will incur have sparked outcry from an array of organisations.
Hospitals with ICUs, for instance, could be called on to spend around $8.5 million in their first year and $5.8 million annually thereafter on risk management programs to secure their data and systems. Yet major private health providers, along with the heads of major universities and other institutions deemed of national significance, are telling the government they “simply cannot afford it”, with one provider even citing a seven per cent drop in earnings if forced to comply with a cyber risk program. [2]

Such statements betray a complete lack of comprehension of the potential ramifications of a full-scale cyber attack. From putting a complete stop to operations for days, weeks or months, to the prospect of large-scale class actions triggered by privacy issues surrounding data breaches, a cyber incident can both reduce earnings and take any organisation to the point of collapse. Organisations that have experienced a breach in the past are also not immune from further incidents in the future, which only increases the overall risk and potential costs.

Insurance premiums are another area greatly affected by cyber attacks. One insurer in the US denied a $1.4 billion claim by German multinational science and technology company Merck on the basis of a “war clause”, only to be forced to pay after a court found in favour of the claimant several years later. [3] While the outcome was fortunate for Merck, such cases only serve to force insurance premiums higher in the long run, a factor placing even greater emphasis on the importance of shoring up company cyber defences in the first place.

The capabilities of perpetrators, referred to as ‘threat actors’, have risen exponentially in recent years. Time and again they have proved their proficiency at paralysing the operational systems of any number of major organisations, from government offices and banks to hospitals, universities and financial institutions.
Data is either stolen or frozen, and victims are often forced to pay ransoms running into the millions of dollars, or more, simply to regain control of their organisation and its confidential information. But that is not where the costs of a breach stop; a multi-million-dollar ransom is merely a single component. Cyber breaches have devastating ripple effects on company bottom lines due to the costs involved in restoring critical systems, employing extra staff, time delays in general and, importantly, dealing with litigation over the leaking of personal information into the public domain.

Educational and healthcare institutions are particularly vulnerable due to the disparate and open nature of the operational systems they use to function and to manage large swathes of data. In late 2018, the Australian National University (ANU) suffered a massive data breach when hackers gained access to 19 years’ worth of data. [4] The perpetrators gained complete control of information regarding the university’s human resources, finances, student administration and more. Last year, Melbourne’s RMIT University fell victim to a phishing attack and, while no data breaches were recorded, it took at least 10 days for classes to be restored. [5]

Both incidents were used to justify the inclusion of higher education and research in the Critical Infrastructure Bill. At the time, Home Affairs deputy secretary of national resilience and cybersecurity Marc Ablong pointed out that “The threat is very real” [6] and that, as we in the cybersecurity industry are noticing, the higher education sector, like many others, had failed to realise that it was not deeply considering cyber risk. “It is getting a lot ... harder, even for very sophisticated organisations,” Mr Ablong said in relation to managing cyber risk. [7]

Australian organisations must further realise that a severe tightening of both current and proposed regulations around their cybersecurity is imminent.
Laws here will undoubtedly follow the progression of those overseas. Right now, public companies in the US are perusing the latest rules proposed by the Securities and Exchange Commission (SEC) aimed at bolstering cybersecurity-related disclosures. [8] If enacted, the SEC rules would require public companies to:

- Report material cybersecurity incidents within four business days of their occurrence.
- Routinely update investors on such incidents in their quarterly and annual reports, which means no more sweeping an incident under the carpet to avoid dips in share prices.
- Determine whether individually immaterial cybersecurity incidents are material in the aggregate and, therefore, to be disclosed in quarterly and annual reports.
- Periodically disclose the status of the company’s cyber-related risk management policies and procedures.

Measures such as the above are a big step up from the current 30-day reporting requirement for eligible data breaches imposed here by the Office of the Australian Information Commissioner (OAIC). So too is Europe’s General Data Protection Regulation (GDPR), which states that an organisation must report a notifiable breach to the ICO without undue delay and no later than 72 hours – or 2 days – after becoming aware of it. Should it take longer, reasons must be given.

We cannot emphasise more strongly the significance of taking even the most basic steps to bolster cyber defences. The general technical knowledge of typical IT management teams is rarely enough in this regard, as cybersecurity is a business risk, not an IT problem. The impact of an incident is not an IT outage but an operational one, including financial losses and reputational damage, not to mention the increasing threat of litigation. To mitigate these risks, expert advice needs to be sought.
The federal government is unlikely to back down on its push to strengthen the country’s cyber defences and, with organisations deemed critical infrastructure effectively on the front line, the cost of becoming compliant with the new regulations is easily outweighed by the impact of dealing with an inevitable cyber breach.

[1] Australian Government Department of Home Affairs, Protecting Critical Infrastructure and Systems of National Significance (2020) <https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/protecting-critical-infrastructure-systems>
[2] Visentin, L., Private hospitals warn some ICUs could close due to cybersecurity costs (16 March 2022) Sydney Morning Herald <https://www.smh.com.au/politics/federal/private-hospitals-warn-some-icus-could-close-due-to-cybersecurity-costs-20220316-p5a53r.html>
[3] Townsend, K., Court Awards Merck $1.4B Insurance Claim Over NotPetya Cyberattack (24 January 2022) Security Week <https://www.securityweek.com/court-awards-merck-14b-insurance-claim-over-notpetya-cyberattack>
[4] Barbaschow, A., University 'hacks' as a justification to include the sector in Critical Infrastructure Bill (12 March 2021) ZDNet <https://www.zdnet.com/article/university-hacks-as-a-justification-to-include-the-sector-in-critical-infrastructure-bill/>
[5] Ibid.
[6] Ibid.
[7] Ibid.
[8] Alston & Bird, SEC Proposes Sweeping New Cybersecurity Disclosure Rules for Public Companies (16 March 2022) <https://www.jdsupra.com/legalnews/sec-proposes-sweeping-new-cybersecurity-6305666/>