Our Digital Governance, Privacy and Cyber team provides our cyber breach response team with assistance before and after a cyber event occurs.
Meeting evolving regulatory requirements
Cyber security is becoming an increasingly regulated area as well as a director's duty.
During a cyber event, we assist businesses with their reporting obligations to the OAIC under the mandatory notification of data breach scheme and facilitate ongoing communications with the OAIC, particularly in light of the new investigatory powers granted to the Commissioner.
We also work with our banking and finance team, who advise on cybersecurity and information security obligations imposed under the CPS 234 and CPS 230 prudential requirements for prudentially regulated entities such as banks, insurers, funds and payment system providers. The regulatory impact of these prudential standards is significant, and these APRA-regulated entities will soon be required to comply with CPS 230 on Operational Risk Management. The statutory obligations of AFS licence holders under the Corporations Act in respect of cybersecurity have also been the subject of judicial consideration and detailed guidance in the cyber security prosecution ASIC v RI Advice FCA 496.
Preparation is key
The preparation for a cyber event comes in two forms.
The first is to look at the response to an actual cyber event. We work with businesses on continuity, disaster recovery and cyber security plans to mitigate the impact of security breaches and to help comply with legislative reporting obligations.
The second form is to ensure the business has policies and practices in place covering privacy, data protection, document source audit, and data retention and destruction. By controlling the type, storage and destruction of information, any data breach can be controlled and limited in nature.
- Acting as cyber incident responders for over 100 cyber events since 1 January 2022 on instructions from cyber risk insurers
- Acting for an entity impacted by the Frontier Data Breach
- Acting in multiple ransomware attacks, including instances where ransom was paid under controlled circumstances
- Advising a national real estate agency as a result of an employee opening malware
- Preparing suites of documents for privacy, data protection, document audits and document retention
- Advising schools on a range of privacy and data governance issues including student privacy, parent WhatsApp groups and information decision trees
- Acting on a significant data breach of an IT company specialising in electronic document, data and drawing management.