Goldilocks and the cyber risk disclosure porridge: Striking the right balance with disclosure of material cyber events

Tuesday 26 November, 3:50 pm - 4:30 pm

Speakers

Denny Wan
Chair, Reasonable Security Institute

Annie Haggar
Partner and Head of Cybersecurity - Australia, Norton Rose Fulbright

Synopsis

Nobody wants their mouth burned by porridge that is too hot. Neither do you want a mouthful of nasty cold sludge. You want it "just right". The same applies to cyber breach disclosure, and increasingly there are serious consequences when you get it wrong (albeit the consequences don't involve bears).

Defensible disclosure during a cyber incident is crucial for mitigating its impact and preventing future incidents. Disclosure must be fact-based and unbiased, and must not be perceived as withholding information the organisation already knows. It involves balancing the organisation's legal and regulatory obligations, the interests and expectations of the affected parties, and the benefits and risks of collaborating with the relevant government agencies.

Non-defensible disclosure, on the other hand, can have serious consequences, ranging from regulatory fines, lawsuits and reputational damage to personal prosecution and jail time. Organisations need a clear disclosure policy and plan so that, when an incident occurs, they can communicate effectively with every relevant party rather than improvising under pressure.

In Australia, several regulators require disclosure in the event of a material breach, and the consequences of failing to do so vary. They include the OAIC for privacy breaches (the Notifiable Data Breaches scheme under the Privacy Act 1988, which requires notification as soon as practicable once an eligible data breach is identified), ASIC for market-relevant breaches by listed companies and Australian Financial Services Licence holders (including continuous disclosure obligations), APRA for material information security incidents and material control weaknesses (Prudential Standard CPS 234, with notification within 72 hours of a material incident and within 10 business days of identifying a material control weakness), and the Department of Home Affairs for operators of assets covered by the Security of Critical Infrastructure Act 2018 (12 hours for an incident with a significant impact and 72 hours for one with a relevant impact). Further reporting requirements, such as mandatory reporting of ransomware payments, are proposed under the Australian Cyber Security Strategy 2023-2030. Because each regime has its own trigger, clock and recipient, a single incident can start several notification timers at once, and the disclosure plan should map them in advance.

Defensible disclosure can also help organisations respond more effectively to the incident itself. Engaging the Australian Cyber Security Centre (ACSC) and the AFP can bring technical incident response, decryption assistance and coordination of the broader response. Disclosing data about cyber incidents supports the government's national response to cybersecurity and its protection of Australia's national security. Sharing information about attacks also helps other organisations defend against and respond to them, adding to the available threat intelligence and supporting the community as a whole.

The consequences of poor disclosure vary with the industry, the type and seriousness of the breach, and the country of operation. In Australia they can include financial penalties, loss of legal privilege and reputational damage. Privilege deserves particular care: it attaches to an incident-response or forensic report only where obtaining legal advice is the dominant purpose for which the report was prepared, so a report commissioned for operational or board purposes may later be discoverable in litigation or a regulatory investigation. Disclosure is not only to regulators, either. Public statements by the impacted organisation, such as press releases and statements to the media, also shape the long tail of litigation, investigations and regulatory engagement that follows a breach.

Defensible disclosure therefore has to weigh the organisation's legal and regulatory obligations, the interests and expectations of the affected parties, the benefits and risks of working with government agencies, and the legal actions or investigations that may arise from the breach. Assessing materiality is equally important: the organisation should decide in advance how it will judge whether an incident is material under each regime, and should set that out in a pre-agreed disclosure policy that forms part of its risk management planning.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.