Threat Intelligence

    Securing Australia’s cyber future Part 2: CISOs, breaches and the duty of care

    How should CISOs approach the duty of care debate, and balance the needs of the board with the quest for cyber resilience?

    by Dan McDermott

    For many CISOs, this wave of attacks is unprecedented.

    “We have cyber insurance, we have experienced crises from natural disasters,” acknowledged one member of Mimecast’s Customer Advisory Board after the attacks, “but you’re never really ready for something like this.”

    The fallout from these breaches is still rippling across the economy. Customers may suffer lost data and scams, demanding that some action be taken. Boards may be fearful of reputational damage and regulatory fines. Executives can feel caught between a duty of care to customers and their assets on one hand and a responsibility to keep budgets tight and protect shareholder value on the other.

    It can feel like a no-win situation, but if CISOs can communicate effectively and balance the needs of different stakeholders, the recent breaches can be an opportunity to build better cybersecurity.

    Cybersecurity’s duty of care

    “Duty of care” is a legal term, but in simple terms, it means that a person or organisation should not act in a way that harms others. How it operates will vary from organisation to organisation and role to role. For example:

    1. A board’s duty of care is to act prudently and properly manage its organisation’s workforce and assets. Communicating clearly with shareholders, ensuring legal compliance and delivering profits are its key responsibilities.
    2. An organisation’s duty of care to its customers includes ensuring its products are safe and meet national (the Privacy Act) and international (such as GDPR) standards relating to the storage, processing and security of personal data.
    3. A CISO’s duty of care is neatly summed up in the GDPR guidelines, which note the “obligation to implement technical and organisational measures to ensure a level of security appropriate to the risk, to carry out data protection impact assessments and mitigate risks arising from the processing of personal data”.

    Fulfilling the duty of care to your customers


    In cybersecurity, the question at the heart of duty of care is not “were you breached?”. Instead, it’s a question of whether your policies were appropriate and were responsibly carried out. Duty of care drives trust; it makes a breach less likely, and if one occurs, it is the lens through which shareholders, customers, regulatory bodies and governments will review your actions. There are still many organisations where this duty of care is poorly defined, which can lead to trouble for CISOs trying to structure their organisation’s cyber policies.

    A breach can be life-changing for customers whose personal information is stolen. Hundreds of scams were reported in the immediate aftermath of the Optus breach, with criminals targeting compromised customers via email, SMS and phone. Scammers also sprang into action after the Medibank breach, with tennis legend Todd Woodbridge among those targeted.

    Those whose details are used in scams may suffer financial loss, ongoing identity theft issues and severe stress, with one study finding that victims “exhibit many of the same symptoms (such as anxiety, depression and hyper-vigilance)” as survivors of PTSD. Even customers who have not been directly affected may worry about their safety and think about taking their business elsewhere.

    How you respond is critical

    These impacts underline why duty of care is so important for maintaining customer trust – and why governments take regulation so seriously. Fines for individual breaches are currently capped at $2.2 million, but could rise to $50 million or more.

    To prove a duty of care, organisations must think carefully about their grounds for keeping data, and the measures they use to protect it. But incident response is also critical, including password resets (whether advised or forced), notification of affected customers (with as much data as you can provide about the incident), support (from trained, informed advisors) and ongoing monitoring. Healthcare is a sector with a particular duty of care, observes one member of Mimecast’s Customer Advisory Board. “You can replace your credit cards and your passport,” they explain, “but you can’t replace your health data.”

    What shareholders expect from boards

    Boards must be transparent in their communications with shareholders. Another part of their duty of care is a strategy that balances securing data and satisfying regulators while protecting the commercial bottom line. There are many ways a breach can impact shareholder value:

    1. Direct fiscal loss from theft, ransomware or scams
    2. Intellectual property loss
    3. Regulatory penalties
    4. Reputational damage – the Australian Cyber Security Centre (ACSC) notes the example of a hedge fund that recovered most of its funds from an attack, but went bankrupt after spooked clients walked away from its business
    5. Costs incurred during recovery – after its breach, Optus had to rebuild its entire database of 10 million customers
    6. The resource cost of incident response and communications – teams may need to be pulled from vital work or hefty legal or third-party support bills paid

    IBM estimates the average cost of a breach at $4 million, but with the above factors considered, the real cost of an incident can be far higher. Medibank’s share price has dipped 20% since its attack, and the company has said the initial one-off costs are estimated at $25-35M. It’s no surprise that shareholders want to know that their assets are being protected, and to have visibility into cybersecurity strategy and its impact on profitability.

    What boards expect from their CISOs

    Every CISO knows what it’s like when the board’s heads all turn their way. And given the scale of recent breaches, that’s going to be happening increasingly often. In response, CISOs need to have a clear plan for how they will meet their duty of care, and supply clarity, evidence and an alignment with their overall cyber strategy. Key steps include:

    1. Auditing your assets and prioritising their defences. As one of Mimecast’s panellists notes: “Organisations need to determine what their crown jewels are and who their adversaries are, and then focus on that area most of all.”
    2. CISOs need to turn these threats and impacts into hard data, and that data into a compelling narrative that resonates with technical and non-technical board members.
    3. While that means being selective about the metrics they share, it also means making a case for cybersecurity as an opportunity rather than just a cost. Strong cyber credentials can open up new markets and win public trust – supporting a duty of care to customers, and your bottom line.
    4. Preparing for the worst means playing out breach scenarios and connecting with other departments to build an incident response plan. This not only limits the damage of a breach: it also shows observers that you’re taking your duty of care seriously.

    All these approaches require regular contact between boards and CISOs. Building a positive relationship with the board means listening to their concerns and working transparently. Using a narrative-driven approach can help members understand the impacts – positive and negative – that you raise. Cyber doesn't all happen in the boardroom, of course: now is also a good time to remind your team of the basics – with regular patching, good email security and multi-factor authentication, many of the recent breaches would never have happened.

    Why the duty of care discussion is more important than ever

    There’s a push and pull in the duty of care debate. Shareholder value and customer privacy, for instance, can sometimes seem in conflict. Yet while this wave of attacks is bad news for cybersecurity, it’s also a great time to recalibrate the connections between customers, shareholders and the board. This is the perfect time to raise the impact of major breaches – and make your case for a responsible, vigilant, company-wide strategy that can keep your assets safe, even while others are losing theirs.
