Australian Institute of Company Directors launches first steps towards cyber security regulation

As the fallout from the cyber attack on Medibank grows, the Australian Institute of Company Directors is guiding boards on how to shore up their online defences.

Medibank cyber-attack a 'chilling reminder’ of need to ‘protect your data’

The Australian Institute of Company Directors has taken the first steps towards introducing regulation around cyber security, following recent hacking attacks on Medibank and Optus, along with the theft of millions of customers’ sensitive data.

More than a year after Telstra’s venture capital arm warned that company directors must step up to protect Australians against cyber attacks, the AICD has drafted five voluntary principles to help boards shore up digital security.

The initiative comes as Medibank revealed that a group of hackers is demanding a ransom after claiming to have stolen 200GB of customer data, including health claims data and Medicare numbers.

The health insurer – Australia’s biggest with more than 3.9 million members – assured customers as late as Monday that there was no evidence their data had been stolen in last week’s attacks. It now expects the fallout to grow as the investigation continues.

Cyber Security Minister Clare O’Neil warned of “irreparable harm”, following the theft of health records in Medibank’s breach, which she branded a “dog act”.

“Financial crime is a terrible thing, but ultimately a credit card can be replaced,” Ms O'Neil said.

“The threat that is being made here, to make the private, personal health information of Australians available to the public, is a dog act.”

Cyber Security Minister Clare O’Neil says company directors have a critical role to play in protecting Australians against online attacks. Picture: NCA NewsWire/Gary Ramage

Ms O’Neil said the ransom threat against Medibank was credible, with the Australian Federal Police and Australian Signals Directorate officers now stationed within Medibank to limit the fallout.

She said building cyber resilience would take a “huge collective effort across government and industry, with companies having a critical role to play”.

Meanwhile, the former coalition government has warned that company directors could become personally liable for online hacks and breaches.

AICD managing director Mark Rigotti said boards were looking to the institute to “provide as much support as possible”, with cyber attacks striking companies every eight minutes, or 67,500 times in the past year, triggering more than $33bn in losses.

“Cyber security is a crucial area for boards,” Mr Rigotti said.

“Building cyber resilience within organisations is ultimately about building resilience across the nation as well as capacity within our teams and organisations.”

Australian Institute of Company Directors chief executive Mark Rigotti says boards are looking for as much support as possible to defend companies against cyber attacks. Picture: Hollie Adams

The AICD Cyber Security Governance Principles, drafted with the Cyber Security Cooperative Research Centre (CSCRC), state that cyber incidents have “a significant and at times existential impact on an organisation” but that the cause can be “surprisingly simple”.

“So simple in fact that it can be a singular security blind-spot, one individual hacker gaining access to data or an employee misplacing a USB,” the principles supporting document states.

“Cyber security system weakness combined with human error often make it relatively easy for cyber threat actors to penetrate IT systems, access valuable data and severely impact an organisation’s stakeholder trust and reputation.

“At its most significant, a cyber incident has the potential to cripple an organisation’s operations.”

Cyber attacks have also revealed the shortcomings of Australia’s data retention laws, with the hacks on Medibank and Optus forcing the companies to contact former customers – in some cases going back years – to warn their personal data may have been stolen.

Medibank says it must retain data for seven years under certain legal requirements, and that for children it must retain their health information until they turn 25.

Threats attributed to the cyber criminal group – but unverified – include selling the information to third parties and contacting Medibank customers directly to prove that the data has been accessed. Because Medibank is a health insurer, it collates large amounts of data, including on the health of its customers.

The company said the “criminal” had provided a sample of 100 policies, which is understood to have come from its AHM and international student systems, sparking an Australian Federal Police investigation.

“This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures. The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations,” Medibank said.

The AICD said the cyber security principles are the result of “extensive consultation with government, industry experts and the director community” and provide a “practical framework for effective board”.

The principles include defining roles and responsibilities, incorporating cyber into risk management and preparing for a “significant” breach.

They also advise elevating cyber security to a regular standing item on board agendas, rather than dealing with the risk at subcommittee level, to remove potential “blind spots”, which are frequently the cause of attacks.

Cyber Security Cooperative Research Centre chief executive Rachael Falk said: “Companies must expect to be attacked and the worst thing any organisation can do in this current environment is to proceed with a false sense of security.

“This is a core risk that has to be incorporated into the everyday business of running any organisation.”

The attack on Medibank is the third breach to hit a major Australian company within weeks, with hackers stealing the personal information of almost 10 million Optus customers last month.

Telstra Ventures partner Marcus Bartram warned in September last year that company directors also needed to take accountability for defending against cyber attacks.

“Cyber is just another risk. It’s no different to making sure you’ve got adequate physical security controls and you’ve got adequate backups,” Mr Bartram told The Australian.

Original URL: https://www.theaustralian.com.au/business/leadership/australian-institute-of-company-directors-launches-first-steps-towards-cyber-security-regulation/news-story/bf8720a934f287281bb6721d8d388f3c