A string of global cyber security attacks has highlighted the importance of having a comprehensive cyber security response plan in place, according to Australia’s leading independent law firm, Corrs Chambers Westgarth.
Over the weekend of 13 and 14 May 2017, a piece of ransomware called “WannaCrypt” or “WannaCry” spread globally. The ransomware spread through known exploits within certain out-of-support versions of the Windows operating system, which allowed the cyber-attack to bypass firewall security and then install the ransomware on victims’ computers. The ransomware encrypts victims’ files using 2048-bit encryption, before demanding a bitcoin payment equivalent to US$300 for the decryption of the files and threatening that the files would be lost if payment is not made within one week.
“It is not the case that businesses can approach cyber-attacks as though they are unforeseeable or unpreventable. They are not acts of nature, but another type of corporate fraud that businesses must have processes in place to prevent,” said Corrs Chambers Westgarth Partner Michael do Rozario.
“Though many organisations have cyber-insurance policies in place, these attacks are one of the first major tests of the cyber-insurance industry’s capacity to respond to claims and will increase customer understanding in relation to the scope and limits of the cybersecurity insurance policies on offer. Having an insurance policy is not alone enough of a safeguard. These attacks clearly demonstrate that it is essential for all companies to have a plan in place to deal with cyber-attacks. The fact that the attacks took advantage of a patch that many organisations have not applied, highlights a key vulnerability for organisations,” he added.
Globally, both government intelligence agencies and criminal syndicates are known to constantly look for and monitor the existence of loopholes in major software and operating system packages. Microsoft report that this particular attack has arisen from a loophole known by the US National Security Agency and stolen from the NSA earlier this year. In March, Microsoft released a patch responding to the threat.
Given the nature of this cyber-attack, it is unlikely that the cyber-attackers had specific targets, but rather aimed to infect as many systems as possible, before the ransomware was contained. Once infected, those systems scanned for further vulnerable systems to infect, in a worm-like manner.
It is reported that there have been around 200,000 infections, including the UK’s National Health Service, FedEX in the US, and Spain’s largest telecommunications operator, Telefónica. Presently, Australian companies have not been significant victims, although Mr Dan Tehan, Minister Assisting the Prime Minister for Cyber Security has publicly confirmed that at least one business is affected and others are known to be at risk.
“For Australia, it seems that the WannaCrypt/WannaCry attacks will not be significant, but they will provide important lessons. For example, the application of software patches can be frustrated by limited IT budgets, competing resourcing priorities, concerns about downtime, along with seemingly constant update requirements. That decision making process needs careful attention. There are risks for a company that causes loss to its clients or shareholders by failing to apply a patch and then becoming a victim of a foreseeable cyber security incident as a result of that failure,” said Mr do Rozario.
“The legal risks of cyber-attack are broad and serious. For example, companies subject to ransomware attacks need to be conscious of the implications of caving into criminals’ demands which also creates legal and reputational risks and raises serious ethical issues for companies. These are the sorts of issues that businesses need to address in advance. A cyber security response plan that assesses risks and identifies how an organisation will respond is a key measure in addressing those risks. We believe that general counsel, executives and boards need to become more directly involved in understanding the risks and plans for response to the threat of cyber-attacks. General counsel, in particular, need to grab a-hold of this issue as they would any other major fraud risk, and drive the assessment of risk and plan the response of the company, drawing on internal and external expertise as needed,” he added.
Corrs offers its clients a dedicated cyber package designed to provide them with the tools to know in advance how they will respond to a data breach, and also prepare them in the lead up to the new compulsory disclosure laws in February 2018.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.