48% of respondent boards have not settled on a formal position regarding ransom payments
70% of businesses hold cyber insurance
From engaging regulators, the board and government to managing communications and compliance, the list of responsibilities has grown long
Merryn Quayle, Partner
Cameron Whittfield, Partner and APAC Head of Cyber Security
As a wealthy nation committed to digitalisation, Australia is a prime target for a new wave of cyber threat actors. The consequences of cyber-attacks are soaring, along with their scale, frequency and sophistication. Encryption events can bring businesses to a standstill. Data breaches undermine consumer confidence and cause real harm through identity theft and financial loss. There is even the potential for operational shutdowns to bring vital infrastructure such as hospitals, airports and utilities to a halt. Compounding matters, our adversaries are continually adapting and looking to leverage new capabilities such as generative AI.

Historically, the task of coordinating cyber incident response fell to an organisation’s IT security team under the oversight of its Chief Information Officer (CIO) or Chief Information Security Officer (CISO). Today, the unmistakeable trend is that lawyers are joining them at the forefront of the response. When a crisis occurs, more lawyers are taking on the high-pressure role of ‘breach coach’. This involves coordinating critical activities such as engaging with the board, government, regulators and insurers, assessing operational impacts, reviewing compromised data, ensuring regulatory and contractual compliance, overseeing communications and executing a cyber extortion response strategy. Failure to appropriately manage these workstreams can have significant legal and regulatory ramifications.

Until now, qualitative research has focused largely on the views of boards, a variety of executives and technology teams, rather than the legal leaders so often front-and-centre when a cyber-attack occurs. In 2023, Herbert Smith Freehills decided to take a fresh perspective. We conducted a landmark survey of over 120 legal leaders from businesses based in Australia.

More than 67% of respondents held the position of General Counsel or equivalent, while 51% of the surveyed organisations were ASX-listed entities, 71% had international operations and more than 33% had in-house legal teams with 25 legal staff or more. Sectors represented included financial services, consumer goods and retail, energy, technology, media, telecommunications, transport, healthcare, pharmaceutical, infrastructure and resources. This report highlights some of the survey’s most fascinating – and sobering – findings. It is supported by insights from our firm’s industry-recognised experts across the Asia-Pacific region in cyber, corporate, dispute resolution and insurance. Overall, while organisations have recognised the need to increase cyber resilience and have taken some positive steps, there is still much work to do.
These findings are from a survey designed and run by Herbert Smith Freehills. Data was gathered from 2 June to 3 August 2023. The survey was anonymous and promoted widely to in-house legal teams in Australia, including via LinkedIn.
With special thanks to all contributors who provided their valuable time and insights and helped bring this report to fruition.
Acknowledgement of Country

Herbert Smith Freehills would like to acknowledge the Traditional Owners of the land where our Australian offices are based. We would also like to acknowledge Elders past, present and emerging. We seek to foster a culture of friendship and partnership between Herbert Smith Freehills and Aboriginal and Torres Strait Islander peoples, organisations and communities.

Contributors

Phillip Magness, Cyber Risk Advisory Lead
Christine Wong, Partner
25% of businesses surveyed have been directly impacted by a cyber attack in the last two years
85% would not engage a law firm from an insurer’s panel that is not their usual adviser
Australian organisations face a perilous, rapidly evolving cyber threat landscape. Over the last 12 months, the national discourse has shifted into hyperdrive in the wake of global geopolitical instability and a spate of high-profile attacks. Businesses are also subject to increased regulatory scrutiny as well as growing expectations from government, consumers and other stakeholders.
122 in-house legal leaders from Australian business were surveyed; 67% hold the position of General Counsel or equivalent
Top 3 aspects of cyber risk of greatest concern
1. Reputational risk
2. Third party risk
3. Aged data stores
47% have held a board cyber simulation
38% of respondent legal teams have not yet participated in a cyber simulation
90% have a cyber incident response plan, but only 19% have a legal-specific cyber response plan or playbook
58% of respondents have an individual tasked with covering data and cyber risks; 21% now have a resource dedicated solely to these risks
11% of respondents impacted by an extortion demand paid a ransom
Top 5 most impacted sectors: media; tech; financial institutions; consumer goods; pharmaceutical
68% find regulations helpful to guide internal policy and investment
42% expressed concern about their organisation’s data collection and retention practices
79% believe more regulation is not needed
On the front lines: Views from in-house legal teams on cyber risk

Contents

The buck stops here: regulators have sent directors a clear message
Are you cyber ready?
Empowering legal teams to tackle cyber-attacks
Emerging themes in insurance and regulation

Topics covered: cyber simulations; resourcing and responsibility; demands; cyber insurance
32% have cyber expertise on the board
70% believe cyber is a CIO risk to own
Key contacts

Cameron Whittfield, Partner – APAC Cyber Security Head
Phillip Magness, Cyber Risk Advisory Lead
Emily Coghlan, Director, ALT Australia
Tony Damian, Partner
Carolyn Pugsley, Managing Partner, Corporate
Anne Hoffmann, Partner
Rebekah Gay, Joint Global Head of Intellectual Property
Priscilla Bryans
Peter Jones
Emma Iles
Heather Kelly, Senior Associate
Maddison Ryan, Solicitor
© Herbert Smith Freehills 2023
Andrew Moir, Global Head of Cyber Security
It should always be remembered that businesses subjected to a cyber-attack are the victims of a crime. As noted by Cameron Whittfield, Partner and APAC Head of Cyber Security at Herbert Smith Freehills, “we are dealing with attacks from cyber criminals based in foreign jurisdictions. Few people have been educated or trained to deal with this type of threat before and corporates are grappling with this new paradigm in real time”.
This is a fast-evolving area of law where general principles may apply but the circumstances of every business and industry are different. Tony Damian, Partner at Herbert Smith Freehills, notes that the duty of a board is to ask how their organisation is addressing “foreseeable non-financial risk” in the way that ASIC and the law require. “Have we done everything we can as a board, in case there are hostile actors trying to get into our systems, shut us down and take our data?” he asks. “That’s the legal duty and from there you can plot a pretty good roadmap of how a board can do its job, make sure the company is ready and prepared, and sleep well at night.”
[1] Latitude Group Holdings, 18 August 2023, ‘ASX Announcement’.
[2] https://asic.gov.au/about-asic/news-centre/speeches/chair-s-remarks-at-the-aicd-australian-governance-summit-2023/
[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
Nonetheless, while affected organisations would once have been met with sympathy, it is clear that this has changed. Regulators now believe organisations have had ample warning to improve their security and prepare for incidents when they arise. Effective preparation enables an organisation to fulfil its legal obligations, limit regulatory and litigation risks, as well as to protect individuals and shield itself from reputational damage. As an indication of the costs that businesses can face, Latitude Financial reported $76 million of pre-tax costs and provisions related to its cyber incident in March 2023.[1] The Australian Prudential Regulation Authority (APRA) also imposed an increase on Medibank’s capital adequacy requirement of $250 million following its cyber incident in November 2022. We note that various consequential impacts are also playing out with the regulators and in the courts.
Malcolm Haack, Group General Counsel and Chief Compliance Officer, Orica: “The role of the legal leaders in any company in managing cyber security risk is critical, whether it be working with the company’s IT and data security internal and external teams, updating the board and senior management on latest trends, making it a priority for the relevant stakeholders, or seeking to mitigate risks contractually. Cyber risk is a real risk for all businesses and is here to stay.”
Amidst rapid technological change, an evolving regulatory landscape and a patchwork of regulators zeroing in on cyber resilience, organisations must recognise that accountability ultimately sits with the board. The Australian Securities and Investments Commission (ASIC), the Office of the Australian Information Commissioner (OAIC) and APRA have all emphasised the requirement for boards to have a clear understanding of their organisation’s cyber resilience as a fundamental component of business risk management. This sentiment was reinforced at the Australian Institute of Company Directors’ Australian Governance Summit on 2 March 2023, where ASIC Chair Joseph Longo emphasised that cyber preparedness is squarely a board-level issue. “How the board ensures sufficient oversight of threats, vulnerabilities and mitigating controls will set the tone for the cyber resilience of an organisation,” he said.[2]

Under the Corporations Act 2001 (Cth), directors must discharge their duties with care and diligence. In practice, ASIC’s view is that boards need to address reasonably foreseeable non-financial risks. “If ever there was such a risk, cyber risk falls into that description quite nicely,” says Tony Damian, Partner at Herbert Smith Freehills and trusted adviser to many Australian boards. Reiterating the judgment of Justice Helen Rofe in ASIC v RI Advice Group Pty Ltd,[3] Whittfield adds that it is not possible to reduce the chances of a cyber-attack to zero. Rather, it is the role of the board to make a risk-based assessment and set the company’s risk appetite so decisions can be made on investment in security, people and processes.
The importance of cyber crisis simulation exercises
Boards that are educated in cyber security matters are better able to fulfil their legal responsibilities. Of the respondents, 68% indicated that their boards do not have directors with specialist cyber expertise. This is not surprising given this skillset is currently being built out, in real time, at both an executive and board level.
28% of respondents say their boards have not yet held a cyber simulation exercise
32% say their boards now have cyber expertise
Staging a simulated cyber-attack is a key way for organisations to test their incident response, yet 28% of respondents indicated their board had not yet done so. In reality, this could be higher, as an additional 25% of respondents had no visibility of this aspect of their organisation’s cyber resilience strategy.
Our experience is that many well-prepared boards are upskilling, seeking external cyber security advice and testing to see how well internal systems and processes hold up. “If a board had not turned their mind to this, not even asked management what is being done and then there is a cyber-attack, I think in those circumstances there is not much debate the board has not complied with its statutory and common law duties to act with care and diligence,” Damian says. He observes that the finding that 28% of boards are yet to hold cyber simulation exercises illustrates that some companies are not as prepared as they could be, and as ASIC and other regulators may expect them to be. “Companies might be doing other good things, but it’s an important statistic because it indicates we haven’t quite matched our awareness with action. It raises the question of how ready we are.”
Nonetheless, formal qualifications and specific experience are not ultimately required. What matters is that directors have access to the relevant information to understand the cyber risks relevant to their organisation. It is also important they can call upon appropriate expertise to assess and inform key decision-making relevant to those risks. This may come from a source at the executive level such as the CIO, CISO, General Counsel, or from external advisors. As Whittfield observes, the key issue is whether companies are prepared. “Expertise for the board is less about who sits on the board than the information they are getting and the processes they are following to fulfil their duties. Boards need to understand the risk and the company’s security posture, and based on this they can set the company’s risk appetite. Understanding the answer to a question is as important as the question itself,” he says. In encouraging findings, 75% of survey respondents said their boards had been educated about cyber risk in the past 12 months. Only 7% said their board had never been educated at all. Board education levels were significantly higher among listed companies, reflecting the higher level of market disclosure obligations, public scrutiny and analyst coverage these organisations attract.
While questions of legality are important, directors also have to consider a range of commercial, practical and reputational matters to discharge their directors’ duties. Acknowledging the extreme sensitivity of this position, our survey indicates that many boards have not settled on a formal position regarding ransom payments. For many company lawyers it remains unclear whether the board would be open to payment. “There is a lack of clarity at board and management level about how different factors should be prioritised by a particular business,” Wong says. “Some organisations have done that work and have very detailed models, whereas with others it’s quite reactive.”
Of those surveyed businesses that had been impacted by an extortion event, just 11% paid a ransom demand. This low percentage is consistent with recent findings from global incident response firm Coveware, which reported that “in the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying, fell to a record low of 34%”.

Source: Coveware, July 2023, ‘Ransom monetization rates fall to record low despite jump in average ransom payments’.
11% of respondents impacted by a cyber extortion demand paid
48% of respondents say their board has not settled on a formal position regarding ransom payments
Some respondents say their boards have not given management formal guidance on their extortion payment views
In our experience, cyber simulation exercises can help both management and boards prepare for the rhythm and challenge of a crisis. First, these simulations often show that the board may not be able to convene or form a quorum quickly enough. As a result, they may need to create a sub-committee or some other form of delegated authority. Second, only a small number of key decisions likely require escalation to the board. While it varies by organisation, boards are typically involved where there are complex regulatory issues around continuous disclosure, significant financial and reputational impacts and discussions about whether to pay a ransom demand. Third, important differences of opinion may exist between board and management on issues such as ransom payments, communication strategies and the level of market disclosure required. Cyber simulation exercises bring these matters to the fore. They can be constructively debated and resolved in advance of a crisis, to the extent foreseeable. Although each incident will present unique facts and challenges, pre-considering some key issues that are likely to arise will assist the board’s interaction with management when faced with a real-life cyber-attack. “When you put management or a board through a simulation, they get to exercise or test their cyber crisis response. Key issues can be considered in advance, and this preparation can be incredibly valuable when an actual incident occurs,” Whittfield says. Conducting a cyber simulation exercise is far from the only step a management team or a board should take to address foreseeable non-financial risk. What is reasonable will depend on the particular circumstances of a company and its industry. Some businesses will have a large data footprint to manage, while for others, ensuring protection against operational impacts will be key.
These figures may come as a surprise to many, but they are broadly consistent with our own professional experience. As companies build cyber resilience (including through effective back-ups, improved recovery solutions and business continuity planning), they are able to better manage any encryption event. And, in our experience, those companies dealing with a data breach alone are unlikely to pay. Ransom discussions are complex and typically require elevation to the board. “You want to get legal advice on what is the current state of the law. However, the devil is always in the detail when it comes to the legality of a payment applied to the specific facts,” says Christine Wong, Partner at Herbert Smith Freehills with specialist expertise in regulatory matters and investigations. There are several situations where paying a ransom can itself be an offence – for example, if the organisation or entity receiving the funds is sanctioned. This is a strict liability offence. Without a valid defence, anyone who has facilitated the payment such as the Chief Executive Officer (CEO), Chief Financial Officer (CFO), CIO or third-party advisor could be found an accessory to the crime. In addition, instrument of crime or terrorism financing offences may be activated.
Henrietta Rowe, Group General Counsel and Company Secretary, Ramsay Health Care: “Managing cyber risk and preparing for an incident is a collective effort – it’s not just the domain of risk and legal functions, but requires the involvement of the executive team and Board and can be supported by trusted external advisors. Management and Board cyber simulations have proved an effective way of getting all the key stakeholders together to reflect on the issues that will need to be navigated in the event of an incident and identify ways to build cyber resilience.”
Emily Coghlan, Director, Alternative Legal Services, Australia at Herbert Smith Freehills agrees: “It is critical for an organisation to be across its data footprint and have a robust and defensible process to manage the data associated with a breach”. Businesses faced with exponentially growing data volumes must understand how this data is stored, secured and destroyed once it is no longer required. This extends to understanding how data is shared and managed by external parties. Many organisations provide highly sensitive commercial content to third and fourth-party service providers while conducting business. “These vendors are often the weakest link in the data management chain, and security controls must be implemented to manage these relationships and risks,” Coghlan says. Exposure through third-party providers has played out in a number of recent cyber incidents including the Accellion, GoAnywhere MFT and MOVEit attacks. Diligent front-end preparations are highly valuable if a cyber-attack occurs. An affected organisation needs to understand exactly what data has been accessed or exfiltrated, the impact to individuals, the legal ramifications of this, and potential exposure to regulatory and litigation risk. As an example of how rapid response can work in practice, Coghlan’s team can be quickly mobilised to help clients retrieve and interrogate compromised data following a breach.
“Once you have that compromised dataset, a key focus is determining what personal and commercially sensitive information it may contain,” she says. “You do this by engaging a team of data breach analytics experts to manage the review workflow – often through bespoke tools which increase the efficiencies of the review process.” Businesses can then notify stakeholders as needed and focus on managing the regulatory, financial and reputational fallout.
Our survey suggests that businesses remain focused on data collection and retention. While 85% of respondents have a data retention policy in place, a notable 42% expressed concern about their organisation’s data collection and retention practices. “One of the best ways to reduce the impact from a data breach is to reduce your attack surface,” Whittfield explains. “So, you must ask yourself, ‘What information are we collecting and why? How long are we keeping it? And once we’ve achieved the purpose for which we collected it, why are we still holding onto it? Organisations need to ensure they’re not sitting on troves of data unnecessarily.”
We found that 70% of respondents view cyber security as the primary responsibility of the organisation’s CIO or CISO. This is not surprising given the executive ownership of cyber security often rests with the CIO.
Take ownership
An ASX-listed company may be obligated to publicly disclose cyber incidents that may affect its share price. However, the duty to report a cyber incident depends on its nature, scale and severity. Our survey finds that 29% of respondents impacted by a cyber incident did not make a public statement. This should not be surprising as many events can be appropriately managed with minimal impact. In July 2023, the US Securities and Exchange Commission adopted new rules requiring disclosure of material cybersecurity incidents and annual reporting of cybersecurity risk management, strategy, and governance. While similar obligations do not exist in Australia, we note there is increasing community and regulator expectation that cyber incidents are publicly disclosed.
Whittfield notes that a legal-specific response plan or playbook might involve several critical steps, including establishing engagement protocols, coordinating regulatory notifications, managing insurance obligations and engaging with customers, suppliers, investors and other stakeholders. “You look at all the different moving parts in the aftermath of an incident and each one has a legal component,” he says. If the breach requires key customer services or accounts to be shut down or impacts customer data, effective communication is vital. Wong notes “there should be a focus on factual and consistent messaging”. It’s also important for the business to be clear on what documents might be disclosable in a class action or regulatory investigation. This is because legal professional privilege won’t necessarily apply; best practice is to record matters factually, and not speculate or offer unnecessary commentary.
Our survey found that 90% of respondents have a cyber incident response plan, but only 19% have a legal-specific response plan or playbook. The consequence for legal teams is that they may not have key information at their fingertips in the critical minutes and hours after an incident occurs.
42% expressed concern about their organisation’s data collection and retention practices
58% of respondents have an individual tasked with covering data and cyber risks
21% now have a resource dedicated solely to data and cyber risks
David Brewster, Chief Legal & Safety Officer, Coles Group: “I think we made the right decision for our crisis response team to sit within the legal function, and be managed by a former lawyer from a top tier firm. Lawyers are good at spotting risks, and also at translating what can be complex IT jargon about a cyber event into a format that Boards, operations and corporate affairs teams can digest rapidly to make decisions.”
We note, however, that cyber risk is an enterprise-wide risk. Various critical functions across the organisation, including legal, compliance and risk, corporate affairs, public relations and human resources, serve an important role in deciding the best course of action. In our experience, particularly working with ASX-listed clients, a legal lens needs to be applied not just to preparations before an attack, but in the complex aftermath of an incident where many regulatory and litigation risks may be in play. This is why legal teams, given their level of visibility and engagement, are often uniquely positioned within the organisation to coordinate the overarching response and ultimately serve as the ‘breach coach’. We are also seeing a change in focus within the legal teams themselves. Based on our survey, 58% of respondents have an individual tasked with covering data and cyber risks and 21% now have a resource solely dedicated to these risks.
Kate Carlile, Chief Legal Officer, Toll Group
“We recognise the need for our team to have data and cyber expertise. If an attack occurs, the legal team play a very significant role. We have sought to ensure we have cyber and data expertise within our team and those team members are involved in all of our company-wide cyber preparations.”
But only 19% have a legal-specific cyber response plan or playbook
Jesse Gleeson, Head of Legal, Technology, National Australia Bank Limited
“NAB Legal plays a critical role in our cyber readiness and response program, working closely with our risk, crisis and security colleagues. We are also responsible for negotiating robust contractual controls to strengthen the security of our supplier ecosystem. This all requires strong teamwork and relationship building (within NAB, across industry and with government), along with a commitment to continuous learning and improvement. The threat environment is evolving continuously and rapidly, and so must we.”
When considered alongside our survey finding that 38% of respondent legal teams have never participated in a cyber simulation exercise, many legal teams may be significantly under-prepared for a material, time-sensitive cyber-attack. As Phillip Magness, Herbert Smith Freehills APAC cyber risk advisory lead observes, “you’ve got a percentage that don’t have a plan and a percentage that have never experienced even a mock exercise. The clients we work with recognise this. They are taking a proactive role in preparatory activities where they soon learn if their plans and playbooks are fit for purpose or not.”
The insurance tightrope
According to our survey, 70% of respondents hold cyber insurance. While this might seem like a high proportion, we believe it reflects the overall maturity of those surveyed. Furthermore, while many large organisations have invested in internal expertise and have their own protocols to handle cyber threats, we note that other companies are taking out cyber insurance to ensure they have ready access to incident response support.
Despite the above, we understand that only 20% of Australian SMEs hold cyber insurance. Many companies are also looking to self-insure, particularly as premiums, exclusions and retention amounts impact on the value proposition. For Anne Hoffmann, Partner at Herbert Smith Freehills specialising in cyber insurance claims, the first priority is for organisations to be across their insurance program and to fully understand which policy will respond to which loss. The effects of a cyber incident can vary markedly, from incident response costs to business interruption, reputational damage, and regulator or class action risk. This means different policies may come into play. Businesses are well advised to work with their brokers to ensure their cover reflects what they believe they have. “I have seen time and again that companies are surprised by what their policies cover and what they do not. And that is not a situation you want in the aftermath of a cyber incident,” Hoffmann says. Another important finding from our survey is that 85% of respondents intend not to use a law firm from their insurer’s panel that is not their usual adviser. Instead, they are seeking legal advice from existing advisers. “Notwithstanding the number of companies that hold cyber insurance, many companies want to be advised by their existing advisors. Those who understand their business, people, processes and risk appetite,” Whittfield says. “They also want to be supported before, during and after an event, including in the claim process itself, not just for the immediate incident triage.” Using an existing trusted adviser also helps mitigate any potential conflict of interest between the policyholder and insurer on the extent of coverage or the direction of any incident response. As Whittfield notes, “this is an issue getting increasing focus at a board level as companies look to ensure they have absolute independence of advice”.
However, if the vast majority of respondents are looking to engage their existing advisers, it is important they take preparatory steps prior to an incident. “We often seek pre-clearance from insurers to ensure there are no coverage issues in relation to our engagement if an event occurs,” he adds.
Given that cyber security is often a multinational issue and many Australian companies have international operations (including 71% of the respondents to our survey), many organisations already deal with regulatory regimes across multiple jurisdictions. This is in addition to oversight from ASIC, APRA, the Australian Competition and Consumer Commission (ACCC), ASX, OAIC, industry bodies and other government agencies. “We’ve got a complex threat environment, a complex supply chain, digitising businesses and an overlay of complicated regulations. There is a general sense of regulatory fatigue,” Whittfield says. Simplifying regulation would be preferable to “compounding more on top of organisations”, he believes. Magness adds that increased government guidance, as opposed to regulation, would be easier to update in an evolving threat landscape. “It would help Australian businesses understand what good cyber security looks like.”
Regulation can play a useful role in uplifting cyber resilience. Currently, the Australian Government is developing an update to its national cyber security strategy, and this may herald material legislative reform. We believe it is likely to draw upon recent developments overseas, including in Europe and the US.
79% believe we do not need more regulation
85% of respondents say they would not engage a law firm from an insurer’s panel that is not their usual adviser
70% of surveyed businesses hold cyber insurance
“I have seen time and again that companies are surprised by what their policies cover and what they do not. And that is not a situation you want in the aftermath of a cyber incident.”
Anne Hoffmann, Partner
Based on our survey, 68% of respondents say that regulations have been helpful when guiding internal cyber security policies and investment, and 79% do not want to see further regulation. This suggests that the right balance has been struck. We note that respondents from the energy and financial services sectors – both of which are conditioned to high regulation – appear more open to additional regulatory requirements than those from other sectors.
On 18 September, the AFR hosted its inaugural Cyber Summit. A veritable who’s who of the cyber security world met for one day to discuss some of the most pressing cyber issues confronting Australian businesses.
We take a closer look at the keynote addresses, including material announcements by the Minister for Cyber Security, Clare O’Neil, the chair of ASIC, Joe Longo, the head of the Government’s Cyber Advisory Panel, Andy Penn, and the National Cyber Security Coordinator, Air Marshal Darren Goldie.
Keynote address: Minister Clare O’Neil MP
Some 18 months after the Albanese Government was elected, it appears that the Government is set to release its Cyber Security Strategy. While no specific date has been provided, we expect this to land in November or early December. We summarise the material parts of her keynote below:
• Acknowledged many of the macro shifts impacting cyber security, including the internet of things, machine learning and AI, and geopolitical circumstances.
• Looked back on the Government’s work to date, including (amongst other things) the privacy reforms of late 2022, the activation of the risk management rules (for SOCI regulated assets), the establishment of the Office of the National Cyber Coordinator, the national strategy for identity resilience and the declaration of critical infrastructure assets as systems of national significance.
• We do not have the proper support in place to be able to implement an outright ban on ransom payments.
• Acknowledged that small business remains a key focus and many do not know where to start. The Government intends to take a lead in this regard, partnering with small business to address this problem.
• The Cyber Security Strategy will be structured based on six cyber shields. The strategy is likely to be rolled out over a number of years (and potentially with different Governments), so the need for bipartisan support is clearly important.
The six cyber shields:
• Strong citizens and businesses: the need for citizens and business to understand the cyber threat, understand the actions required to protect themselves and have support in place for when they are the victim of a cyber-attack.
• Safe technology: clear standards for digital safety in products from design / inception and an assurance that digital products meet these standards.
• Threat sharing and threat blocking: threat intelligence exchanged between government and business in real time and threats blocked before they cause harm.
• Protecting critical infrastructure: protect critical infrastructure and ensure that government lifts its own cyber defences.
• Sovereign capability: ensure Australia is appropriately skilled and adaptable to make sure that we are getting the ‘benefits’ out of what this problem presents to the country.
• Resilient region: undertaking coordinated global action and pushing for a more resilient region, through Foreign Affairs, with a particular focus on partnerships to assist other countries in the region.
The roll-out of the strategy will be in two-year blocks, starting with the period until 2025, which is focused on building the foundations for the strategy. Every two years, the focus will move to the next phase of the plan. In questions that followed the keynote, Minister O’Neil managed to avoid a discussion on the Optus breach and focused on technology standards, the need for bipartisan support and cyber education.
A discussion with Andy Penn, head of the Cyber Advisory Panel
In a more relaxed context, Andy Penn shared his thoughts on what we may expect from the strategy. We summarise the key points from the discussion:
• It is not surprising we are confronting this new criminal paradigm. Criminal activity has followed us online, but the challenge we face is that traditional criminal dynamics do not apply. Proximity is not required and the flow-through impacts mean that criminal activity is more complex, more prevalent and easier to execute.
• Government has to hold itself to account, to the same level as business.
• Directors’ duties don’t need to mention ‘cyber’ for us to pay attention, but directors need help to understand what constitutes “taking reasonable steps”. This is not about guaranteeing there are no cyber incidents, but they need to understand what ‘reasonable steps’ means in the context of the nature of the business and the data they hold.
• Guidance will be incredibly helpful, but there is no need for an ‘avalanche’ of new laws.
• With the acceleration of technology and the digitisation of the physical world, we need to address more than just data, but also the potential for disruption of physical assets.
• The evolution of threats using artificial intelligence means that we will invariably be dealing with more sophisticated attacks and / or social engineering. But this sophistication can also apply to our defences, so we have an arms race of sorts.
• Directors need to know what they need to do to discharge their obligations and take reasonable steps. In this regard, they need practical guidance which addresses cyber maturity (potentially against a recognised standard), the ‘five knows of data’ (a throw-back to a set of data requirements published by Telstra more than a decade ago) and a recovery plan that deals with incident response.
• Based on his experience leading Telstra, and in the context of the Optus attack, the best person to protect customers is the customer themselves. Pass information to the customer as soon as possible (so they can take steps to protect themselves).
• In terms of incident response, you have to be prepared to say “I don’t know”. It is still important to share what you do know and commit to keeping customers updated. Get out on the front foot, be honest and authentic, and keep people updated.
• In terms of cyber expertise on boards, they need time to consider the conceptual risks and need to ask the right questions. Given this, they need to invest in the right knowledge. Cyber is not that different to other risks that the board has to manage, and some other technology risks are also pressing, e.g. access to key technologies.
Air Marshal Goldie – National Cyber Security Coordinator
Air Marshal Goldie, three months into the role, provided his initial perspectives and an update on his work to date.
• Focused on listening and learning, tapping into the network of cyber professionals across a range of sectors and everyday Australians. In October, the focus will shift to international partners, ensuring we are learning cyber lessons in parallel and sharing best practice.
• Part of the focus has also been the process of “incident management”. We should rehearse and practice, sharing lessons and improving our readiness. If we don’t, we are doomed.
• The Commonwealth’s response to a cyber-incident involves the coordination of a number of agencies, in particular the Australian Cyber Security Centre and the Australian Federal Police. Collaboration through ‘Joint Standing Operation AQUILA’ seeks to investigate, target and disrupt priority cybercriminal syndicates which cause high harm and threaten our national interests. The AFP-led Joint Policing Cybercrime Coordination Centre brings together the legislative powers, experience, and investigative and intelligence capabilities of all Australian policing jurisdictions.
• Home Affairs’ consequence management unit is maturing and focuses on the broader consequences of a cyber-incident. Its role is to support impacted organisations to connect and engage with the array of Government agencies.
• Recent breaches highlighted that our national response could have been better coordinated.
Re. the HWL Ebsworth breach:
• Hit by a ransomware attack in late April, the breach has been claimed by a Russian-based cybercrime gang.
• Some 2.5 million documents were exfiltrated and about a million of these were included in a dataset that was published on the dark web on 9 June.
• HWLE is now at the stage where it can manage its commitments without Commonwealth support.
• The National Cyber Security Coordinator played a light-touch role and commenced whole-of-government coordination through the National Coordination Mechanism, managed by the National Emergency Management Agency, or NEMA.
Top three take-outs:
• Able to deploy lessons learned from earlier responses, particularly in relationships.
• Transparency can be very challenging, balancing release of information in the interest of transparency or the public interest while not compounding the harms.
• You have to build a relationship with affected entities, at multiple levels, and quickly.
One of the ways we prepare to manage and mitigate future attacks is through “tabletop” – or sometimes even “cyber range” – scenarios. Exercises help identify areas for improvement or additional investment, developing relationships between organisations and individuals that will pay off during an actual incident. We need a shift in our national culture. The private sector needs to improve its governance, including audits and risk assessments and in the development of its own policies, training, practices and its own cyber security education and cultures. This mindset needs to flow down to individuals in their uptake of simple home defences. The path forward necessitates everyone lifting their level of self-sufficiency.
Observations from the Q&A
A question was put to Air Marshal Goldie about what incidents should be referred to the National Cyber Security Coordinator. No clarity was provided in that regard. The involvement of the Coordinator appears largely organic, without pre-determined guidance. Air Marshal Goldie did make the point that he was not a regulator, but it was clear that he took an active role in certain notification decisions (as evidenced by the discussion on the NDIS notifications undertaken following the HWLE breach).
Joe Longo – chair of ASIC
Global cybercrime damage costs are predicted to grow by 15% annually over the next three years. This will mean costs reaching US$10.5 trillion by 2025. Ransomware attacks alone are predicted to exceed $265 billion by 2031, more than 13 times the costs in 2021 – the equivalent of an attack every two seconds. Cyber preparedness is an issue we must address. Cyber preparedness must include security. It must also involve resilience, the ability to respond and weather a significant cyber security incident.
Cyber security and resilience are not merely technical matters on the fringes of directors’ duties. ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience.
Measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification. ASIC expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain. For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.
Good cyber risk management
Good cyber risk management must start at the top. There’s often a disconnect between several important elements, including:
• Boards’ oversight of cyber risk
• Management reporting of cyber risk to boards
• Management identification and remediation of cyber risk
• Cyber risk assessments
• How cyber risk controls are implemented
Reliance on third-party providers is always a risk
None of us has control over the security of a third-party provider. If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised. One of the weakest links in cyber preparedness is third-party suppliers, vendors, and managed service providers. Look to your third-party suppliers, vendors, and managed service providers, and evaluate your third-party supplier cyber risk.
Three ways to reduce third-party risk
• Never set and forget. It’s not enough to sign a contract with a third-party supplier – you need to take an active approach to managing supply chain and vendor risk. Setting it and forgetting it does not, cannot, and will not work.
• Plan for and test for attacks. Boards and directors must ask themselves: do they know how they would communicate with their customers, regulators, and the market when things go wrong? Do they have a clear and comprehensive response and recovery plan? Has it been tested? Any incident response plan must include third-party suppliers and vendors. The same goes for incident response testing. Simply having the plan isn’t enough. It needs to be tested and it needs to be tested regularly.
• You can’t protect what you aren’t aware of. An organisation must identify the most critical information it holds so it can prioritise its protection. This becomes even more essential if a third party is managing critical systems or holding information.
In the Q&A that followed the keynote, discussion continued to focus on the risk posed by third parties. Mr Longo reserved ASIC’s position to take action in relation to previous high-profile breaches. In relation specifically to directors’ duties, Mr Longo noted that directors need to understand the systems, processes, technology and providers that are key to their business, and if they cannot demonstrate that, then they may be close to failing to comply with directors’ duties. In this regard, he noted that foreseeable risk is a good place to start and that it was important for directors to play an active role and challenge management.
Register your interest in our report on the state of security within Australian business (a view from the lawyers).
“We should be prepared for a broad range of risks, and while there remains a lot of focus on high-profile cyber extortion events, the risk landscape is materially broader.”
Cameron Whittfield, Partner, Melbourne
Our report takes a temperature check from many of our most senior in-house legal leaders. We unpack the proficiencies, processes and preparedness of Australian businesses, through the lens of the in-house counsel. We unpack the views of our legal advisors when called upon to advise on cyber extortion, cyber resilience, incident response, threat actor negotiations, board preparation, the regulation of cyber and cyber insurance.
Due for release 18 September, in alignment with our platinum partnership with the Financial Review Cyber Summit.
Of those surveyed: over 100 organisations, including listed companies, group general counsel respondents and organisations with cross-jurisdiction operations.
Legal leaders in financial services, consumer, energy, technology and others provide their view on the current cyber risk landscape.
Most companies are grappling with how to budget or fund their ESG goals. Yet the consensus remains: think big!
Princeton’s Dr Chris Greig, Senior Research Scientist at the Andlinger Center for Energy and the Environment, points to the need for governments to work with the private sector and agree what it is going to take to allocate the levels of capital needed to achieve net zero. “If you look to the US Infrastructure Investment and Jobs Act, and the Inflation Reduction Act, that is nearly half a trillion dollars of stimulus, which is largely going to support climate mitigation investments,” says Dr Greig. “This is going to stimulate a lot of investment in renewables, in hydrogen production, in electric vehicle uptake, in hydrogen fuel cell vehicle uptake, in carbon capture and storage.”
“So, the government has sent a very strong signal there. The subsidies that are in place are long-dated, more than 10-year horizons. The direct capital investment they are offering in some of the riskier technologies is really material, tens of billions of dollars. I can see that stimulating a lot of the supply side – and the demand side, investment in clean energy.” Dr Greig believes Australia needs to take similar initiatives.
Dr Greig says the answer lies in “doubling down on wind and solar and transmission, transition home electricity sources and stimulating the uptake of electric vehicles.” He notes plenty of subsidies are available on the demand side, particularly vehicles and the home, and suggests the supply side is, for the next decade, likely to be largely about wind and solar. Dr Greig, however, cautions: “I don't think there is any way known that Australia will get to net zero without really material carbon capture and storage (CCS). It may not be required until the 2030s and 2040s, but it is not going to happen without government making strategic investments now – securing the storage, understanding where we can store it and at what rate. Thinking about pipeline corridors and getting ourselves ready for when – not if – it is needed.” Dr Greig makes the point that in the 1970s and 1980s, Australia’s federal and state governments made strategic investments in ports and rail and were actively involved in the negotiations with large international companies to bring their finance and development expertise to Australia. “As a result of this strategic, government-led intervention, we have enjoyed a 40-year resource boom that would not otherwise have been possible. That is what we are looking at again. I feel governments have become much more timid and inclined to leave things to the market. But we need a return to nation-building, strategic investment.”
What happens to our national income as part of the transition to net zero? Dr Greig believes the Federal Government may be using the “language of, ‘We will become a clean energy exporting superpower’”. “In the US, our capital spend on the supply side to 2050 looks like being somewhere up to US$15 trillion by 2050,” he observes. “In Australia, on the domestic economy, it will be substantially less, maybe US$1 trillion or US$2 trillion.” But as he notes, “When you unpack the capital needs of this you are looking at another US$6 trillion, or maybe US$10 trillion. That is where the real problem lies. If we are going to transition both the domestic economy and exports, we are talking about a transition of similar scale in terms of capital flows to the US transition, which is mind blowing.”
While 60% of respondents stated that they had a net zero target (2050 was the most commonly noted date), the majority had yet to quantify the level of investment required to meet their target. This suggests that there is still some work to do to understand how respondents will achieve their target. HSF’s Global Head of Mining Jay Leary believes climate change presents challenges and opportunities in equal measure. “There are challenges around making mining operations cleaner, and created by the closure of some mines. There is, however, an abundance of opportunity created by the long-term significant demand for future-facing mining commodities, such as nickel, copper, lithium and rare earths that are the key to many renewable and other technologies. I have great faith in the ability of the mining sector to develop and transform.”
SO WHAT IS THE KEY?
1 in 5 say they will need to grow investment by anywhere from 50% to 200% plus.
Co-ordination and collaboration
• Greater linkages between outputs needed (eg storage, renewables, EVs) and investment into developing inputs (eg rare earths)
• Longer term supply arrangements, to de-risk investments and secure access to inputs
• Scale through collaboration, with more ambitious projects more likely to receive Government support and ‘streamlining’
Scale of investment needed is unclear
• Greater Government co-investing, seed funding and concessions to catalyse private sector capital flows
• Clearer delineation of material ESG risks and opportunities for each company, and channelling investment focus to mapping needs in those areas
• Top-down and bottom-up analysis, addressing pathways to achieve objectives but also accurately gauging ‘achievability’ and likely challenges
Access to capital, enabling infrastructure and lack of agreed strategy were most selected in the top 3 barriers to investment.
of respondents say that their ESG investment plans have increased following the change in federal government
Regulatory uncertainty and inconsistency is cited as the only barrier unique to Australia.
According to Australian lead for Herbert Smith Freehills’ ESG practice, partner Timothy Stutt: “ESG-aligned investment decisions are posing a trade-off between immediate financial outflows, versus long-term returns which may be unquantifiable or unclear, and appear risky. Building confidence to bridge this gap will be key for companies to deliver on their ESG ambitions.
“In an operating environment where stakeholder expectations can often sit ahead of regulatory frameworks there is a chasm in which we have seen uncertainty grow. The positives are that there is agreement on the direction of travel and we are seeing freshness of approach in tackling some of the complexity across the ESG landscape.
“ESG is a lens, not a prescriptive text. Therefore, ESG dimensions can lay over any business, in any sector, with any multitude of operational practicalities. Advising clients across the breadth of ESG concerns, we work with businesses who have been adapting their operations fundamentally, others who have limited ESG risks or opportunities, and some who are still recovering from the past two years of disruption and are yet to set their strategy on ESG.”
On HSF’s findings that ESG is on the agenda for 75% of business leaders’ investment decisions, Tim concludes: “Increased collaboration within the private sector alongside government directives will give boards the certainty they need to take their next leap of faith. Similarly, placing more trust in their governance processes in the face of uncertain outcomes will also help take their ESG objectives from theory to implementation.”
Recent high-profile cyber incidents have shown us that legal issues, and the role of the lawyer, are central to any incident response.
As a wealthy nation committed to digitalisation, Australia is a prime target for a new wave of cyberthreat actors. The consequences of cyber-attacks are soaring, along with their scale, frequency and sophistication. Encryption events can bring businesses to a standstill. Data breaches undermine consumer confidence and cause real harm through identity theft and financial loss. There is even the potential for operational shutdowns to bring vital infrastructure such as hospitals, airports and utilities to a halt. Compounding matters, our adversaries are continually adapting and looking to leverage new capabilities such as generative AI. Historically, the task of coordinating cyber incident response fell to an organisation’s IT security team under the oversight of its Chief Information Officer (CIO) or Chief Information Security Officer (CISO). Today, the unmistakeable trend is that lawyers are joining them at the forefront of the response. When a crisis occurs, more lawyers are taking on the high-pressure role of ‘breach coach’. This involves coordinating critical activities such as engaging with the board, government, regulators and insurers, assessing operational impacts, reviewing compromised data, ensuring regulatory and contractual compliance, overseeing communications and executing a cyber extortion response strategy. Failure to appropriately manage these workstreams can have significant legal and regulatory ramifications. Until now, qualitative research has focused largely on the views of boards, a variety of executives and technology teams, rather than the legal leaders so often front-and-centre when a cyber-attack occurs. In 2023, Herbert Smith Freehills decided to take a fresh perspective. We conducted a landmark survey of over 120 legal leaders from businesses based in Australia. 
More than 67% of respondents held the position of General Counsel or equivalent, while 51% of the surveyed organisations were ASX-listed entities, 71% had international operations and more than 33% had in-house legal teams with 25 legal staff or more. Sectors represented included financial services, consumer goods and retail, energy, technology, media, telecommunications, transport, healthcare, pharmaceutical, infrastructure and resources. This report highlights some of the survey’s most fascinating – and sobering – findings. It is supported by insights from our firm’s industry-recognised experts across the Asia-Pacific region in cyber, corporate, dispute resolution and insurance. Overall, while organisations have recognised the need to increase cyber resilience and have taken some positive steps, there is still much work to do.
Cam
Australian organisations face a perilous, rapidly evolving cyberthreat landscape. Over the last 12 months, the national discourse has shifted into hyperdrive in the wake of global geopolitical instability and a spate of high-profile attacks. Businesses are also subject to increased regulatory scrutiny as well as growing expectations from government, consumers and other stakeholders.
Partner and APAC Head of Cyber Security
CORPORATE
In Australia, legal issues are considered one of the biggest hindrances to progressing ESG-related corporate strategies.
Operating in the Australian regulatory landscape is complex, to say the least. ESG is no longer a nice add-on but a core thread that runs through the entire corporate strategy. Bigger corporations understand this, and the majority are leading the pack in embedding ESG considerations into everything they do. Advisers to boards must endeavour to clarify and simplify what their clients need to do to move forward, notwithstanding the level of uncertainty and the pace of regulatory change, and to support them in understanding and mitigating potential risks. Activity is being held back by the difficulty of measuring ESG impacts and by a shortage of people with a deep understanding of ESG-specific subject matter. Investing in talent and capability is key to unlocking investment in Australia, as well as to building certainty. Boards need to have a higher risk tolerance and be able to rely on governance processes even where returns are uncertain.
INTELLECTUAL PROPERTY
Ground-breaking technologies are required to meet Australia’s climate commitments. Investments will need to come from multiple sources, public and private. When it comes to private sources, intellectual property is one of the tools that will unlock investment. The hurdles to investing appear to be a matter of perception rather than a problem with the legal system or uncertain regulation, particularly throughout the energy sector. Feedback suggests the perception is that IP is either not relevant, a barrier to innovation, or a tool used to monopolise a technology exclusively. When we look at other sectors, particularly the pharmaceutical and tech sectors, IP is in practice used in far more nuanced ways to support ambitious investment.
EMPLOYMENT
Ultimately, employers aspire to attract and retain the best talent. Ever-increasing effort is required to understand what employees want, what their representatives advocate and what shareholders’ interests are, as well as the organisation’s broader community contributions. Balancing local rights under Australia’s industrial relations framework against International Labour Organization obligations adds a further challenge. Striking the right balance between the two, legal and regulatory obligations on the one hand and ESG considerations on the other, can cause friction but is an important hurdle to overcome. Employers must progressively grow their understanding of what their people want, from employees through to stakeholders. Strengthened insights into their industrial strategies and their people strategies, together with mapping out the various sources of obligations alongside community expectations, will maximise investment.
COMPETITION, REGULATION AND TRADE
The ACCC announced an enforcement priority for 2022 – 2023 on consumer and fair trading issues relating to environmental, greenwashing and sustainability claims. In the first instance it is targeting over 200 companies across the energy, vehicles, household products, food and drink, manufacturing and consumer goods industries. With ESG front of mind and the transition to lower carbon energy on corporate agendas, we can expect industry consolidation and collaborations, which need to be considered from a competition perspective. To avoid falling short of new rules and regulations, companies need to plan and structure these collaborations carefully. When making environmental sustainability claims, ensure they can be substantiated and that customer communications are clear.
ENVIRONMENT AND PLANNING
An opportunity to promote ESG investment should come via the review of environmental laws that the Federal Government is undertaking. The anticipation is that it will result in approvals and processes that promote decarbonisation projects in renewables. For environment and planning, a key barrier to progress in ESG activities remains ambiguity around support, funding and incentives, and uncertainty around biodiversity. The elements essential for investments to occur and ESG initiatives to be unlocked are certainty regarding conditions, cost, longevity and offsets, for example in access to land, environmental approvals and stakeholder engagement processes. First Nations people are obviously a very important stakeholder. The question to be asked in this regard is what opportunities can flow from a different type of engagement, perhaps a deeper engagement, with the host communities within which we operate.
MODERN SLAVERY
As modern slavery legislation is relatively recent, each year companies are being asked to disclose more. The challenge in this area is to be ready to answer two key questions. Firstly, how is the organisation measuring success, and is its strategy effective in driving positive change for those who are vulnerable? Secondly, what needs to be elevated to meet intensifying reporting and regulatory expectations? Avoiding falling short of modern slavery reforms is a notable consideration and risk for the Australian clean energy sector, because many raw materials, especially for solar, can come from jurisdictions with a high risk of modern slavery. As this landscape progresses, keeping watch on the reforms currently under consideration is important so that organisations don’t get it wrong.
DISPUTES
The metrics by which we measure ESG are not as clear-cut as those for the more traditional activities boards would assess, attach a timeframe to and measure return on investment against. There is a belief that a lag exists in understanding ESG at the expert level, the management level and the board level. Risks can mount when announcing strong corporate ambitions if the statements are not based on reasonable grounds or carefully framed. Without the right expertise, exposure to potential greenwashing litigation or regulatory enforcement risk can arise. Directors need to understand the ESG issues and engage the experts, whether internal or external, and then integrate that understanding across their organisation.
TAX
Tax has been at the forefront of ESG activities in Australia, with many Australian taxpayers leading the way with tax transparency initiatives. The next big thing on the horizon is the energy transition. We are already seeing large investments in Australia from overseas to support that transition. However, having the tax settings right will obviously be important in ensuring we continue to attract that capital. At present there are no real tax incentives to support such activities, and our corporate tax rate is relatively high on the global stage. Offshore funding can be, and has been, used to bring the effective tax rates on such investments down to more competitive levels. However, reforms to Australia’s thin capitalisation rules will severely curtail that opportunity. If these changes go through, Australia may need to see some specific concessions to target the investment needed in this area.
CYBER SECURITY
In an elevated cyber threat environment, ESG practices and cyber risk management are increasingly aligned. The damage to a company from a cyber-attack is significant and includes the loss of consumer and investor confidence, adverse regulatory findings, revenue loss and long-term reputational harm. Well-tested incident response plans, clear data governance and an engaged board are critical for any company to successfully prepare for, and recover from, a cyber-attack. Investors are more attuned to cyber risk, and companies that fail to demonstrate a strong cyber risk management culture are likely to be at a significant competitive disadvantage. Following some recent high-profile data breaches in Australia, public and government sentiment regarding privacy, data collection and data retention practices is at the forefront of government and consumer consciousness. Legislative change to the privacy landscape has commenced, and a revised Cyber Security Strategy (and consultation process) will follow.