Australia issues new cyber crime guidance

28 October 2022

Editor

A new approach to tackling cyber crime has been put in place following several high-profile data hacks on Australian companies this year, affecting an estimated 14 million residents.

New cyber crime guidance issued after raids on Medibank and Optus

A new framework for tackling cyber crime has been published following several high-profile data hacks on Australian companies this year, affecting an estimated 14 million residents.

Two security breaches in particular, at Australian telecoms provider Optus and health insurer Medibank, have resulted in significant losses for shareholders.

The attack on Medibank in October 2022 could end up costing the insurer as much as $35 million AUD, while the raid on Optus a month earlier has left the telecoms provider open to a $1.5 million ransom demand from hackers.

Now the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) have released a new set of governance principles to help organisations strengthen their cyber security.

The principles have been established in consultation with Prime Minister Anthony Albanese’s government, industry experts and companies.

They are designed to enable directors to ask the right questions of management, spot red flags in how cyber security risk is being managed, promote a culture of resilience, and prepare for and respond effectively to significant security incidents.

The AICD has nearly 50,000 members from the private and public sectors, and its CEO, Mark Rigotti, hopes the new guidance will help prevent future attacks.

He said: “Cyber security is a crucial area for boards and we know they are looking for as much support as possible.

“Building cyber resilience within organisations is ultimately about building resilience across the nation as well as capacity within our teams and organisation.”

Read Minerva's previous coverage on cyber security:

https://www.old.manifest.co.uk/cyber-security-manifest-research/

The new framework focuses on board oversight across five key areas:

  • Roles and responsibilities
  • Strategy development and evolution
  • Incorporating cyber into risk management
  • Building a cyber resilient culture
  • Preparing and responding to a significant incident

CSCRC CEO Rachael Falk says the new approach underlines the need to avoid one of the key failings of the past: complacency.

She added: “Companies must expect to be attacked and the worst thing any organisation can do in this current environment is to proceed with a false sense of security.

“This is a core risk that has to be incorporated into the everyday business of running any organisation.”

Whilst the new framework is largely reactive to recent breaches, and related legislation has been lacklustre in Australia for some time, Australian companies themselves appear to have been paying close attention.

Minerva's ASX100 data for 2021 (89 companies accounted for) and 2022 (65 companies accounted for thus far) show that cyber security is a common consideration in annual reports. However, the proliferation of data breaches in recent weeks has uncovered gaps in Australian companies' underlying governance.
