Telstra boss says company directors should be liable for ‘egregious’ cyber-security negligence
By Lisa Visentin
Telstra boss Andy Penn says negligent company directors should be held legally liable for cyber attacks on their businesses in “egregious” situations, as he warns many workplaces are under-prepared for such an attack.
Mr Penn cautiously backed a proposal to strengthen obligations on directors, which was canvassed by the federal government this week, but said the degree of responsibility should depend on the significance of the company’s products or services.
“In certain circumstances, yes, ultimately, there has to be some degree of legal liability,” Mr Penn said on Thursday.
“In egregious situations where the exposure to cyber risk is potentially a threat to national security or it’s a threat to health or safety or otherwise and there has been complete negligence towards ensuring that there are some basic cyber defences in place, then I think directors obviously have to be responsible.”
He cautioned against using “just the stick” to try to change the landscape, stressing that making businesses more aware of cyber-security threats was critical to helping prevent attacks.
His remarks followed a speech to the National Press Club on Thursday in his capacity as chair of the Cyber Security Industry Advisory Committee, set up last year by the federal government to help implement its new cyber-security strategy. Mr Penn echoed the government’s warnings that malicious cyber criminals were becoming more brazen and sophisticated in targeting governments, businesses and global supply chains.
“More abundant and better-resourced cyber criminals, cyber activists and increasingly emboldened state actors, mean Australia and Australians are quite literally under constant cyber attack,” he said.
He revealed Telstra had been working with the government to monitor threats to Australia’s COVID-19 vaccine supply chain but would not confirm whether any attempted attacks had occurred.
The government has stepped up its focus on cybercrime over the past year, regarding it as a threat to national security.
Home Affairs Minister Karen Andrews this week warned cybercrime was costing the Australian economy about $3.5 billion a year as she released a discussion paper on new cyber-security standards to be co-designed with industry. The paper canvassed the idea of making company directors of large Australian companies personally liable for failing to mitigate cyber-security attacks.
Mr Penn also backed the government’s proposed critical infrastructure laws, currently before the Federal Parliament, that would allow security agencies to take control of private companies’ networks in the event of severe cyber attacks.
Drawing a hypothetical comparison with foreign actors attacking an Australian port, he said government intervention was not only justified but expected when national security was at risk.
“I don’t think we would think twice about the Australian Air Force being deployed to go and protect that infrastructure, regardless of whether that infrastructure was owned by the government or a private operator, for a minute,” Mr Penn said.
The industry advisory committee, which released its first annual report on Thursday, called for clearer guidance to be developed to help businesses prevent and respond to ransomware attacks – among the fastest-growing areas of cybercrime – including whether ransoms should be paid.
“Despite the significant efforts in this regard, sadly most Australians and Australian businesses are ill-prepared for a direct cyber attack on them,” Mr Penn said.
Ransomware is a form of malware designed to encrypt a victim’s files until a ransom is paid. Toll Holdings, BlueScope Steel, Lion Dairy and Drinks, and Nine Entertainment (owner of The Sydney Morning Herald and The Age) have all been hit by major ransomware attacks over the past 18 months, with some paying ransoms to hackers.