Swimming with the sharks - Board accountability in a cyber-hostile world - Infrastructure Blog | Deloitte Australia
Based on an interview with Theo Psychogios, Financial Advisory Partner and Ben Davis, Security of Critical Infrastructure Principal.
Imagine waking up on Saturday morning, 5 June, and looking forward to a relaxing weekend. You turn your mobile on, and urgent texts instantly grab your attention. You’re suddenly wide awake, heart pounding – and in dreadful anticipation, you open the link to the latest media headline about your company:
“Hackers breached Colonial Pipeline using compromised password.”
Not only did this recent attack on critical infrastructure take down the largest fuel pipeline in the USA for the first time in its 57-year history – it led to a ripple effect of impacts, including gasoline shortages across the East Coast, sudden spiked prices, long gas station queues, and a US$4.4 million hacker ransom to boot. It also kept the spotlight on insufficient cyber security measures that have left Colonial facing at least two class actions.
Like sharks, cyber hackers lurk in the shadows waiting to strike
For organisations, we've reached a tipping point where the prospect of dealing with a cyber-attack isn’t a matter of if, but when. It’s time to have some uncomfortable, but ultimately constructive, conversations at Board level to truly understand the challenging environment businesses and governments operate in.
Colonial Pipeline is just one recent example. There are many more, like this one:
“Hackers demand $92m in bitcoin for data stolen during attack on US IT company Kaseya.”
This ‘gargantuan’ cyber-attack affected 1,000 companies that relied on the IT services provided by Kaseya. All over the world, there will be many more attacks, and they will come more often, more quickly, and with more devastating effect.
So, are you ready for an (un)expected attack?
Here in Australia, our Commonwealth Government is reforming its Security of Critical Infrastructure Act (SOCI). Why? Because the nature of threats to our national critical infrastructure is broader than before, and the likelihood of further attacks is reasonably foreseeable. As far as the Commonwealth is concerned, Boards and Directors need to prepare for material risks, and avoid or minimise their impact.
The revised Act has resulted in interesting tension: between the Government’s good intentions to protect our economic and social scaffolding – by holding infrastructure stakeholders accountable through new due diligence, risk mitigation and governance obligations; and murmurings in the business world that the new legislation is too complex, onerous and costly to comply with.
Theo Psychogios, Financial Advisory Partner, explains that his conversations with Chairs and Non-Executives about this hot topic focus on changing perceptions: from avoiding short-term ‘pain and costs’ to deciding to invest now for a stable future with no nasty surprises.
“Historically, conversations about cyber and cyber threats have been about just that; now they’ve expanded to become much more holistic, because their reach is extensive – from compromised supply chains, to technology assets, infrastructure, operations and IT. The nature of cyber-attacks has also diversified, making organisations’ preparedness more important than ever,” says Theo.
Ben Davis, Security of Critical Infrastructure Principal, agrees. “We know the legislation is changing, and we know why. The Commonwealth has provided a clear direction, but it’s also creating grey areas that organisations will need to traverse. We need to look more closely at the roles and fiduciary responsibilities of Board Directors. Energy, water, gas, transport – these are all delivered through critical infrastructure assets that millions of Australians rely on every day. And Directors have an implicit obligation to look at all the risks that could affect their ability to operate.
“Boards are becoming increasingly liable for not having the right mechanisms in place to protect against a host of potential threats. Directors are expected to take responsibility. Increasingly, we’re talking to Boards about expecting – and anticipating – cyber-attacks and their (too often) detrimental domino effects,” says Ben.
We need to understand what’s truly expected of Boards and Directors
We need to have deep, uncomfortable conversations with Board members to explore these sensitive matters relatively quickly, as legislation is only going to ramp up here and overseas to make sure corporates are taking their security responsibilities seriously.
Ben adds, “SOCI is, or should be, a catalyst for decisive action here in Australia.
“The requirement for ‘reasonableness in minimising or eliminating material risks’ significantly raises expectations on Directors’ due care and diligence in exercising their powers and discharging their duties. Boards need to understand their roles in protecting critical infrastructure assets, and they need to act now because it’s in everyone’s best interests to do so. Let’s not leave it too late. Don't get caught out by inaction. Respond decisively to protect your organisation and your own personal exposure.”
Theo concludes, “Short term investments in the right security frameworks and measures will pay off in the long term because they’ll make it so much harder for adversaries to devastate hundreds of companies, thousands of people, and everyday lives downstream. Let’s avoid complacency and make sure leaders realise that being proactive now will create lasting value. This is not a cost line item. When corporates have security measures in place, they can have more confident conversations with suppliers, customers, investors… it’s about changing the game, rather than letting these cyber sharks pounce whenever they want to.”
It’s time for Boards to develop an even deeper understanding of the nature and vast extent of the threats their businesses face – and prepare accordingly. This is about much more than just cyber-attacks, which are bad enough. This is about making sure an entire sector, community, or other piece of critical infrastructure doesn’t come to a standstill.
Uncomfortable conversations and tricky questions are just the start.
For example, how long could you survive if your business was attacked, or your supply chain was compromised? Have you identified all hazards across your business with controls to reasonably minimise or eliminate any material risks? Do you understand how your director duties are evolving in relation to the need for increased business and cyber resilience?
Are you ready to stop the sharks from attacking not just your organisation, but your entire network? It’s not easy, but it’s critical to your business, our economy and society. We think planning and action are reasonable in the current environment; don’t you?
Theo has experience providing economic, policy, and commercial advice to public sector organisations and the private sector entities they engage with, particularly in the assessment and review of how government services can be delivered and the assessment, review and development of economic and social infrastructure. Theo’s primary focus is assisting clients assess the merits and value proposition of transformative urban renewal, service delivery reform, and major infrastructure investments.
The Federal Government’s 2020 Cyber Security Strategy includes significant regulatory reforms that compel critical infrastructure stakeholders to uplift the security and resilience of their assets through more extensive due diligence, risk mitigation and governance.