9 – what organisations need to know on cyber security
The digital age we now live in creates great opportunities for growth and worldwide innovation. Those opportunities also give rise to a growing risk of revealing sensitive data and being targeted by cyber criminals, and the law often struggles to keep pace with that innovation. In February this year, KiwiRail was in the news for leaving a security hole in a test website, making it possible to book train and ferry tickets for free. The issues are usually darker than that, with infiltrators attacking networks and causing data breaches and other disruptions to business.
In this update, we look at some recent developments in cyber security, both in New Zealand and around the world. We also highlight actions organisations need to consider when it comes to cyber security.
In February this year, Hewlett Packard Enterprise published its 2016 Cyber Risk Report (accessible here) highlighting various cyber risks. While web applications remain a significant risk, the Report says, mobile apps present a growing risk area. Of great concern is that major vulnerabilities are not being fixed promptly: the Report notes that the top ten vulnerabilities exploited last year were all more than a year old, and 68% were more than three years old.
These significant risks are now a top priority at the Board table. Also in February this year, the Institute of Directors (IoD) and Marsh released their second biennial Directors’ Risk Survey (accessible here), which ranks cyber security second only to reputational risk among external risk issues. Technology-related matters (business disruption due to technology failure, and loss of data) also feature at numbers one and three among internal risk issues.
Government’s Cyber Security Strategy
On 10 December 2015 the Government released a Cyber Security Strategy, an Action Plan to accompany the Strategy, and a National Plan to Address Cybercrime. Together these form the beginning of a support system and defence mechanism against cybercrime in New Zealand.
The Strategy sets the following vision for New Zealand: To be secure, resilient and prosperous online. Four goals are proposed:
1. Cyber Resilience – protecting significant assets, using cyber tools to further national security interests and ensuring preparedness for major cyber incidents.
2. Cyber Capability – building cyber security capability among every person and organisation.
3. Addressing Cybercrime – covered in the separate National Plan (discussed below).
4. International Cooperation – building international partnerships, but ensuring cyber security measures are not an impediment to New Zealand businesses.
Four principles underpin the Strategy: partnerships are essential (i.e. build on ConnectSmart), economic growth is enabled, national security is upheld and human rights are protected online.
The Action Plan sets out a number of actions the Government will undertake to achieve the goals, including the outcomes sought and the agencies to be involved. Key actions are:
1. Establish a national CERT responsible for triaging incident response and ensuring technical advice gets to organisations that need it.
2. Implement a new “cyber credentials” scheme for SMEs, setting out the core actions that make a big difference to their cyber security. This would enable SMEs to demonstrate they have key cyber security practices in place.
3. Promote cyber security education and training, including building a cyber security professional workforce.
The National Plan to Address Cybercrime sets out the Government’s understanding of the issues caused by cybercrime and the actions it intends to take to increase New Zealand businesses’ ability to prevent, investigate and respond to cybercrime. There are four priority actions:
1. Build Capacity to Address Cybercrime
Provide up to date alerts on current scams (via the ConnectSmart website), educate young and old on cybercrime, and ensure there are enough experts in law enforcement.
2. Adapt New Zealand’s Policy and Legislative Settings for the Digital Age
Amend legislation to adapt to new technologies, balance security and privacy, and better manage relationships with other countries also attempting to counter cybercrime. The Plan promises that reform of the Privacy Act 1993 will emphasise identifying and addressing risks before privacy breaches can occur.
3. Enhance New Zealand’s Operational Response to Cybercrime
The Government’s national CERT is to bring together support facilities for an effective and efficient response to victims of cybercrime. There is also a focus on increasing cross-agency effectiveness in investigating cybercrime, and on improving the channels through which the public can report cybercrime and seek victim support.
4. Use New Zealand’s International Connections to Combat Cybercrime
The Government is working with overseas partners to reduce barriers and allow law enforcement counterparts to work closely together to combat cybercrime.
The various documents can be accessed here.
On 27 November 2015 the Global Network of Director Institutes (GNDI) published a Perspectives Paper on Guiding Principles for Cybersecurity Oversight. We encourage all directors to read this short Paper. Three key actions it sets out for Boards to create cyber resilience are:
1. Make cybersecurity a specific accountability of one of the managers reporting to the Board.
2. Inform themselves of specific operational, reporting, and compliance aspects of cybersecurity (the NZ IoD’s oversight approach is set out in the Paper).
3. Consider having a Board member with some knowledge of information technology (including digitalisation and cybersecurity).
The Paper (accessible here) also includes a summary of the tools and information available to assist Boards in the member institutes’ countries, including New Zealand, Australia, Canada, the United Kingdom and the United States.
What can organisations do? First, read and follow the guidance in this newsletter and use the tools referred to in the guidance.
Some of the key actions coming out of the guidance are:
1. Make cyber security a top priority at the highest level (i.e. the Board) and ensure the Board has access to cyber expertise.
2. Determine a cyber risk appetite and identify the specific cyber risks to the organisation’s valuable assets, including risks that may arise from non-compliance with legal obligations.
3. Take measures and put capabilities in place to address the risks identified, and continually monitor those measures and capabilities to ensure the organisation’s assets remain appropriately protected. Those measures and capabilities should also extend to the parties the organisation deals with: contracts with other parties need robust data protection and security access provisions.
4. Investigate available cyber insurance. Traditional insurance may not cover the losses arising from a cyber incident.
5. Despite the measures and capabilities in place, a cyber incident could still occur. Plan how to respond to a cyber incident, including how to communicate with affected parties and regulators.
6. Stay current with advice and practices from Government and industry bodies looking at cyber security issues and use the tools they make available.
For more information on cyber security issues, please call your usual Lane Neave contact or speak to Graeme Crombie, a partner in our technology law team.
Disclaimer: The content of these articles is general in nature, is not intended as a substitute for specific professional advice on any matter, and should not be relied upon for that purpose.