Introduction (00:28) You're listening to KBKast, Cyber Security podcast for all executives cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host. Karissa Breen. Karissa Breen (00:43) Joining me today is Nicholas Boyle, who's a partner at DLA Piper. Today we're talking about some of the concerns directors have when it comes to cyber risk from a legal perspective. So, Nick, thanks for joining. It's wonderful to have you here to get your perspective from, like I said, a legal perspective. Nicholas Boyle (01:01) Well, thanks very much for having me, Karissa. I'm glad to be on the show. Karissa Breen (01:04) Now, I want to start with directors. Now, when you and I spoke originally and, I mean, there's a few things that's happened since you and I have spoken anyway in the market, which I'm sure we'll get into, but do you believe they know what cyber risk really means to them? Nicholas Boyle (01:21) And that's a really interesting question, Karissa. I mean, I think, as you say, there's been a lot of media attention on cyber issues over the last three or four weeks, particularly since we've had the Optus data breach. And then in the wake of that has been sort of at least three or four other fairly high profile ones. The Medi Bank data breaches happened over the last few days and is now sort of really reaching a crescendo as well, with some ransom demand allegedly being made against mediaeval. So there's a lot of coverage of this, there's a lot of talk about what companies should be doing. And when you're thinking about directors. I think there is an increasing focus in this area and has really been probably over the last six or seven years on the fact that as we move into a digital economy and have digital transformation of businesses. Data and cyber security and are kind of really key risks and issues within all types of businesses. It's not just the traditional kind of entities who you would think might be subject to kind of fraud attacks. So the banks and other people controlling financial information. Nicholas Boyle (02:36) But really kind of across the board. If you're a supermarket chain like Woolworths who have had their own data breach in the last couple of weeks, if you're a provider of kind of critical infrastructure like a power company or supplier of water or other sort of essential services, companies, directors, executives and the public are just more increasingly aware of these issues. And one thing maybe to cover that off is back in 2015, ASIC so, the Australian Security and Investments Commission released a report called Report 429 into Cyber Resilience, and at that time, AThe sort of gave their views and guidance on the sorts of issues relating to cyber and data that particularly should be thinking about. They made reference to the fact that in discharging their directors duties under the Corporations Act needed to take into account cyber risks and cyber issues. So I feel like it's been sort of understood for a while that these were issues that directors needed to be thinking about. There probably is an element where, although they're aware that these are issues, have directors really wrap their heads around what that means in Practise, what sorts of things their executive teams and the companies that they sit on the boards or should be doing to manage these things? Nicholas Boyle (04:02) I think they understand it at a theoretical level, but some of that practical sort of day to day issues kind of still being better understood over time. Karissa Breen (04:15) Yeah, great point. So as you were speaking, what was coming to my mind is going back to the question of do you think directors know what cyber risk is? And, like, you just sort of answered their nick is the example that came to my mind. And it's terrible, but back in the day, it was like, oh, going out in the sun is bad for you, but now it's like, oh, like, going out in the sun is really bad for you because of, like, skin cancer, especially in Australia and all these types of things. So it's like going back to you, theoretically, people like, oh, it's bad for you, but it's like, practically it's like, well, these are really the ramifications. So how do we get to the point where the directors in theory understand, I've got to pay more attention. I've got to understand it. How do they push past to understanding the practicality of how these things work? From your experience? Nicholas Boyle (04:59) That's a really good question about how do you move from sort of theory into Practise and how do you kind of understand, not just in a high level conceptual way, that there are these things called cyber risks, but what steps should you actually be taking to kind of manage those? That's an interesting one because I think if you probably looked at the demographic of directors in Australia, it's probably skewing towards an older demographic and people who maybe haven't sort of grown up with technology in the same way that sort of Gen Y and maybe even Gen X have. And so perhaps they're sort of just disadvantaged by the fact that they kind of haven't worked with technology their entire working life has sort of come more partway through their working life. So their base level of understanding and working knowledge of technology is slightly lower. So I think there's an element there where there's a need to kind of educate directors and boards and probably even senior execs outside of maybe technology functions on some of these cyber risks and have more of an open discussion about what these issues are to bring people up to speed, and I think you're seeing more of that now. Nicholas Boyle (06:27) I know the Australian Institute of Company Directors is actually launching a set of cyber governance cybercurity principles just next week, actually. And so you can see that already I think there's been more of a focus within some of these professional directors groups within Cars corporates more generally, about upskilling boards. And I think you've also seen some commentary from the ASX and sort of leading directors that they actually want people with more technology experience to kind of come on to boards to bring some of that experience to bear. Obviously, I'm sort of coming at this from a legal perspective, and being a technology lawyer and having worked on technology projects and privacy and data projects, I have a probably better understanding than many of these types of issues. But I'm by no means a technologist and don't necessarily understand all the technical and technology aspects of how you actually go about mitigating all these things. But just to be able to have a level of understanding, to be able to ask some of the right questions, which I think is a key kind of responsibility, and part of the role of a director is to ask questions about what are you doing, is there anything more we could be doing? Nicholas Boyle (07:44) It's not necessarily that directors have to have the answers to these things, but they at least need to know what sorts of questions to ask. I guess there's probably without having enough information, it's difficult to even be able to know what questions you should be asking. Karissa Breen (08:01) Yeah, great observation. I mean, there's so many questions that I have for you. Okay, now, you mentioned before the sort of calibre of people that are at these levels at the moment. Would you say that the calibre of people are aware that perhaps slightly disadvantaged? You think they are aware of that and say, okay, well, now I've got to consult with someone like Nick Boyle, who is a partner at Delhi Piper to get his thoughts from a legal perspective? Or do you think that perhaps they're like, no, I sort of know it all, I've been in the game for 60 years. Do you have any sort of insight on that? Nicholas Boyle (08:34) I don't sort of have too much involvement with boards of the clients that I work with. But certainly from some of the people who I know have served on boards and from some of the work that I've done. I think certainly. As I said over the last sort of seven to ten years. I think boards are more and more aware that they're not experts in this area. That these are emerging risks and issues and are really seeking more information from the executive teams of the company's boards on which they sit to say. Come and present to us and explain to us what you're doing about these things. And they're trying to upskill and they're asking these questions and they're trying to wrap their heads around these things. I think boards are constantly, over the last ten years, sort of been saying cyber is in their top two or three kind of risk issues. So they've had an awareness. I think they're working towards filling in those gaps in understanding by getting more information and trying to get experts in to present to them on these things. And I think perhaps the challenges just being maybe the pace of change is so great. Nicholas Boyle (09:49) And with all the other challenges that we've through the Pandemic, we've had the Banking Roar Commission, we've had other governance issues more broadly, different parts of the economy. So I think there's a whole range of issues that boards of directors have been working through. Cyber is just one of them. And how do they kind of manage all of those competing priorities? I think trying to get up that learning curve, and I think they've done a reasonable job. But obviously that's a continuing education piece to kind of constantly get information about what's happening, bring themselves up to speed, think about these issues, not just through the lens of what sort of a technology response or how do we avoid it, because that's sort of not really achievable. But also, what are we doing as an organisation? If we're affected by a Cyber incident, how do we respond to that so that we can hold the company in the best light? And, I mean, to my mind, that's kind of probably one of the learnings from the Optus data breach seems to be that the way in which public relations, media communications, government engagement aspect of that data incident was handled probably wasn't as good as it could have been, and that's resulted probably in more adverse publicity than it perhaps needed to. Nicholas Boyle (11:13) And if you compare and contrast that with the Medibank one, which is possibly kind of even sort of more serious in the sense that Medibank obviously is a health insurer, holds at least some health information, there hasn't been the same level of appropriate in the media about that. And Medibank's response to it is what was directed at Optus. And I guess you can probably draw some inferences from that. I don't have any inside information, but it's just noticeable as an outsider, seeing the contrast and how that's playing out in the public sphere. Karissa Breen (11:49) Yeah, you're absolutely right. So going back to just the board of directors for a second, because this is really interesting. Now, in security, what I often hear is, I'm a size. Oh, and I don't get the buy in. I feel like I should have or I could have. Now, from your experience, if you have any insight, when you're looking at these calibre of people, board of directors, for example, or senior executives, who do they sort of like, lean to in terms of confidence? Are they leaning on their size or are they leaning on their CIO because often I hear that that's not the case. Do you have any insight on that? Are they speaking to people more like you? From a legal perspective? Nicholas Boyle (12:26) I think it really kind of depends on the organisation and I think there's different levels of maturity and probably sophistication across different sectors of the economy in terms of sort of cyber governance. Cyber awareness. And therefore the extent to which they kind of looked at the likes of the CIO or the CISO to kind of get intelligence about what's happening. What they should be doing. Where that person sits within the hierarchy of the leadership team. I think if you're talking about the outset, the banks and maybe some of the retailers, people who traditionally have kind of sat on quite a lot of personal information, potentially quite sensitive, I think those organisations probably have a high level of awareness of some of these issues and are more focused on it. If you're talking about someone who is perhaps an infrastructure operator. Is not really holding a lot of personal information. But nevertheless is facing cyber risks because of the criticality of the assets that they operate and are responsible for. They're possibly thinking about it in a slightly different way and maybe they're the technology teams. You know. CIO. CISO. Perhaps not seen as such senior members of the team. Nicholas Boyle (13:53) And I think that is sort of changing whether or not that's going to up to where it needs to be at the moment, I think kind of really depends upon which organisation you're talking about. But I think that's a really valid question about senior leaders. Are they giving those senior technology leaders enough empowerment, enough resources, enough time to be able to get on top of what they need to get on top of? And I think they have to look at it. You have to look at it through the lens of if you have a cyber incident and you're not prepared, then that could potentially be the end of your whole business. So I think you really have to elevate this up to being a pretty serious and significant part of the investment in the business and therefore those people really need to kind of be at the forefront of discussions about how the organisation moves forward. Because if you let that sort of language, and you can see that a little bit with Woolworths in the My Deal data breach, where Woolworths have acknowledged that when they purchased it, there was room for improvement on that It front, you can see that that then exposes you to risk that you might not otherwise have to have been exposed to. Karissa Breen (15:16) So would you say historically CISO sizes or anyone in the tech sphere just sort of been relegated to the kids table a little bit, rather than sitting at the table with the adults, but now they're getting the respect that they probably need right, in order to listen. But he is the It guy. So do you think there's been a bit of that tradition, like, oh, we'll just say, don't worry about what the It guy thinks, but now it's a very different conversation? Nicholas Boyle (15:44) I think that's right, but I think that's been a journey that we've been on for a while and I think if you consider the digital transformation of businesses sort of moving to ecommerce and online ways of engagement with customers, a lot of that was accelerated by the Pandemic. But even sort of the iPhone, right, I think that was almost a watershed moment. So kind of since the late Naughty's, you've kind of had organisations trying to push stuff online, have much more engaging digital experiences. I think when you saw that shift to digital. You saw CIOs people like Michael Hart from CBA. And that's going back quite a bit. But people like that kind of where elevated up and kind of given. I guess. More visibility within the organisation. Potentially more resources. More focus and more of a voice. Because it was acknowledged that digital and technology was the way forward and that was an area for investment and you need to be mindful of that. And so therefore, I think CIOs have probably been given a greater voice and really elevated within the organisation for probably a longer period of time. I think that CISO role and many organisations maybe don't sort of have a separate infosec kind of person, maybe they kind of sit beneath the CIO and that's not necessarily right or wrong, that's just sort of an observation. Nicholas Boyle (17:14) But I think having that information security kind of component as a core part of sort of that decisionmaking group and that they have a voice, I think it's going to become increasingly important because there's more and more regulation in this space. You can't do this without that input, you can't respond to those risks and issues without experts in this space. So I definitely think you're going to see them take on a more significant role within organisations. Karissa Breen (17:47) Yeah, most definitely. I think it's a convoluted space. There's complexity to it as well, so you definitely need someone who is an experience in that field. So I want to switch gears for a second. You touched a little bit today, Nick, around the most recent data breaches, and I'm curious, really to know, would you say since like, last few weeks in particular, that people are pretty worried about what's happening? Are they calling you again saying, like, am I covered from a legal perspective? What does this look like for me? I understand that you can't go into specifics, but you think, like, people are really checking their backs now, ever since all the stuff's been coming out in the news. Nicholas Boyle (18:23) It's interesting, I've sort of been talking to a number of clients over the last month or so and had a number of people trying to reach out to say, hey, senior leadership team, our boards are kind of interested in these things. We would love to kind of have a conversation with you about what you're seeing. What are the sorts of risks and issues we should be thinking about off the back of the optus data breach? The Attorney General, Mark Dreyfus, came out and said that they were sort of accelerating the government was accelerating the review of the Privacy Acts, that people kind of breen to understand what that means. So I think there's definitely been an uplift in people kind of looking at these issues and thinking, gee, are we prepared? What have we been doing about this? If something like that happened to us, how would we respond? Do we have the right processes and procedures in place? And so I think, yeah, there's definitely a heightened focus amongst my clients in on these things. Karissa Breen (19:25) So would you say people aren't prepared? Nicholas Boyle (19:28) I think when the Notifiable data breach regime was introduced in February 2018, so that's the regime under the Privacy Act for data breaches affecting personal information, I think at that time, a lot of people sort of put in place processes and procedures for responding to personal data breaches. I think that concept of having processes and procedures about how you respond to kind of a cyber security to incident more broadly, what happened if you had a ransomware attack and all your it was taken offline, how do you sort of manage those systems? I think there's some organisations that have got things in place around that, others who probably have only got that sort of data breach plan. I think a lot of people have plans, but I'm not sure how frequently they test them. So I'm not sure that it's that people aren't prepared at all. I suspect it's the case that their preparation is sort of okay, but is it best in class or where it should be? I think the answers probably could be better. I think even the optus response in some respects tends to suggest that even someone as big as optus had plans, but maybe they weren't as familiar with them as they should have been, because if that was sort of a Roll Gold implementation of them, then I'll probably be more troubled by that. Karissa Breen (21:10) So, yeah, totally hear what you're saying. So we just focus on the optus response. Now, as you've alluded to today, people are a bit outraged. From your perspective, working in your Practise, what do you think was probably the most alarming thing? I've had multiple stories. I've interviewed people at length about the optus breach. I've spoken to a number of people in the industry, as you probably would expect. I think one of the things that got to people was they didn't notify their customers first, but then optus said, well, we went to the media first, which was the best way to get the message out. But what happens is that message easily turns into Chinese whispers across media outlets. So do you have any insight on that? Because I'm curious to hear your thoughts with your background and your lens. Nicholas Boyle (21:59) Yeah, and I've worked with a number of clients on responding to data breaches and sometimes where the breaches actually affected one of their suppliers of an It system that holds some of their customer data and they're sort of therefore reliant on the information they're getting from their suppliers about what's happened. They're trying to understand what has happened and then translate that and communicate that to their customers. And they don't necessarily have all the information themselves. And I think one of the challenges that you have in dealing with any cyber incident is they're not necessarily quick to unpick or unravel. They don't necessarily give a definitive, clear answer in terms of those sort of forensic analysis as to what happened or who did it or when. And given the sort of complexities of some of these attacks, it's not something that necessarily you can communicate all that clearly to affected individuals either. I'm saying I look at the optus response and think, gee, there's probably some room for improvement in terms of how it was communicated. I think these are really difficult to manage and communicate clearly to people. But having said that, I think you're right that the strategy of going to the media first before notifying individuals, and possibly the messaging, even when it was communicated, was not as clear as it could have been meant that it caused more angst and upset than it should have done. Nicholas Boyle (24:02) It's one thing to kind of have a comms plan and an incident response plan, but has anyone practised it? Have you kind of war gamed it, workshopped it to understand? Does that sort of tick all the boxes or what are the possible pitfalls? I wonder whether this was effectively the first time it ever actually been tested or implemented. Sort of live in the field and anyone would know that that's a risky way to go about doing things. Karissa Breen (24:32) Yeah, I think you're absolutely right in looking at it from both sides, having empathy for optus and looking at from the consumer lens, you think as well. There was an interview, I listened to the twoGB one, and there was the corporate affairs lady on the phone and it was obvious that she was bound by legal to be like, there's only certain things I can say which makes sense, because you are right, when you're looking at a cyber breach, they have to do digital forensics, like, it's not going to happen overnight. It's very different to a shop that got robbed because a brick was thrown at the window and it was smashed and that's how I got in. It's pretty easy to understand how that happened, but when it comes to cyber, you don't want to say too much too early in case that's wrong. So do you think that as well, that the corporate affairs lady that I wouldn't say she was sort of walked into a trap. But it's hard because she's probably got legal breathing down her neck, saying there could be some legal complications in this. But also, from a PR corporate affairs perspective, she has to sort of cater to the CEO corporate affairs legal as well as the size. Karissa Breen (25:38) So she had a lot of people internally, in terms of stakeholder management, to sort of ensure that she said the right thing without getting into trouble. How do you sort of handle that? Because when legal, as people like you on the phone sort of saying, like, you can't say this, you can't say that, you think that, then things start to become misconstrued and then as a result, you don't get any information because they're so petrified of saying something wrong or putting a foot wrong. Nicholas Boyle (26:02) I think that's definitely one of the risks in having too many people involved and having potentially too legalistic and approach to the way in which you communicate about these things. Because you're right. It ends up sounding a bit like corporate double speak where you get a lot of platitudes or sort of half answers and it almost sounds like a politician attempting to kind of evade a question. And people don't generally respond all that well to that style of engagement because they think, what is it that you're hiding? It doesn't sound as though you're being totally truthful. And sometimes it's a fickle balance to strike between being open and transparent to the extent that you can be, while also not prejudicing your legal position or giving away potentially important details that relate to an ongoing police or criminal investigation, which seems to be kind of like the case. On the basis that optics are alleging it was a malicious attack with sort of a threat actor involved, it's, again, not an easy one to juggle, but it sort of comes across as, again, perhaps that hadn't been workshopped or thought through as well as it could have been and therefore it's kind of landed a bit flat once it's actually gone to air. Karissa Breen (27:37) Yeah, I totally hear what you're saying. So the other thing I'd like to get your opinion on as well as you are quite aware of, is the recent Uber breach. The size of was convicted of federal charges due to many felonies. He committed trebly. From my understanding, he sort of hid the breach. But then in the media they mentioned like, personal liability, which is even more pressure on like, security executives. So do you believe personal liability in regards to a cyber incident like Uber, for example, could roll out here in Australia? Nicholas Boyle (28:08) Yeah. And there's kind of a couple of interesting things to talk about there. Karissa. Because I mentioned in response to the first question about directors aware of cyber risks and what does that mean to them and their organisations. There are potentially quite significant penalties under the Corporation's Act for directors where they don't meet their directors duties and those include being required to pay compensation to the company. There are civil penalties as well. You can even be disqualified from acting as a company director. And then there's also potentially imprisonment or the imposition of a fine if a director's been reckless or intentionally dishonest in committing a breach of their directors duties. But that's sort of more on the director side. When you come then to sort of the executive side of people who actually work for and in the company day to day. That's an interesting question about could there be personal criminal liability for those individuals. I think already if there are frauds committed in connection with the covering up of a cyber incident, then today you could potentially be criminally liable for some of those types of things. There's obviously been quite a bit of talk in recent times too about what are the legal requirements if you were to pay a ransom to someone who had perpetrated a cyber attack against your company, and what's the potential liability for those people who sort of authorised that payment? Nicholas Boyle (29:56) That's sort of an interesting question and kind of an emerging issue as well, and particularly when you take into account things like counterterrorism financing and anti money laundering laws. But I mean, it's difficult to say where we might get to on that. I personally think one of the challenges in the cyberspace at the moment is that there's actually so much legislation and it's so dispersed across a range of different bits of legislation. That when even lawyers are struggling to identify and understand what all these requirements are. How does the ordinary person who's sort of being a lawyer or being sort of familiar with laws is not their day job. It's not their primary function. How are they expected to understand these things now? Ignorance is no defence, but it makes it really difficult for people to understand. And I'm not sure whether or not imposing criminal liability on individuals and creating a whole raft new offences is actually going to really address some of these issues. I think having better education for boards, having greater awareness campaigns kind of more broadly across the community about these risks and issues, incentivizing people and organisations to kind of put in place appropriate cyber security processes, policies, procedures, etc. Nicholas Boyle (31:28) That's probably going to be more effective than threatening people with jail time, I think. Karissa Breen (31:34) Did you say hypothetically, people are threatened with jail time and fines and all these sorts of things. Don't you think that that will do a disservice and perhaps discourage people for wanting to take that role? Like, you know, it may not be worth it because I think of, and you and I have spoken about this, just a hypothetical, okay, we triple your wage or whatever, you're on a million bucks, but you've got all of this stuff hanging over your head that makes it sort of counterintuitive money risk versus reward. But then. Also, and I think you and I spoke about before is well before the interview, that you're then going to have that hanging over your heads. Oh, well, you're the guy that was leading cyber security company at Uber and then you got fired and you have all these public liability charges and jail time and fines against your name so you're thinking about the long term impact down the track. What are your thoughts on that? Nicholas Boyle (32:26) I think that's a very valid consideration, Karissa, that if you make it so potentially risky and so unfavourable in the event of a mistake happening, then why would people want to take this up? To be honest, one of the, I think, critiques that you see of various people and I won't have to take a stand on it necessarily, but there's a lot of discussion about liability for directors in Australia and potentially personal liability and the fact that directors and officers insurance is really hard to get in Australia. It's quite expensive, there are various carbon. You can imagine that cyber will be one of the cars probably now in every new DNA policy that's written. But you also have a chilling effect then too, that people won't be directors on companies because the risk outweighs the reward and people just go, I'd rather do something else. I think that's a very real risk and a very real consideration that people should take into account and as I said, I think you have to think carefully about the policy objectives in these types of areas and not be too knee jerk or populist in the response. And that's not to say that we shouldn't be thinking about legislative or regulatory change, but that has to be considered, take into account both the advantages and the disadvantages of making any such changes and then on balance, working out whether or not that's the right path forward. Nicholas Boyle (34:10) Because as I said, for a knee jerk reactions, not in anyone's interests in my view it goes back to your. Karissa Breen (34:17) Comment before around theoretical and then into the practical. So like, theoretically it makes sense because it's like, oh, we've got all of these regulations and we've got all these external auditors looking at companies left, right and centre. But then when you get to the practicality of it's like, well, who would want to take that job? The money just wouldn't be worth it for a lot of people it's like, well, no, I'd rather just not do that job and not have the risk on my head every day. Nicholas Boyle (34:39) Yeah, and I mean that dichotomy between the theoretical and the practical is evident right across the roar in this cyberspace because that's true of that other point that I made about people have plans and processes sort of written down on paper or digitally, but how often do people actually get those out? Test them, see if they work, do they run workshops with them so people understand them? And if it's all well and good to kind of have these things up your sleeve, but if they've never actually been tried and tested, then they're not necessarily effective. Karissa Breen (35:18) So you mentioned before that even as a lawyer and lawyers that are out there, regulation is convoluted, it's hard to piece it all together. How can people make sense of this from your opinion? Nicholas Boyle (35:33) Yeah, that's the thing that I think a lot of people are struggling with at the moment, and I think a lot of lawyers are nervous about what the government might do in the wake of particularly the optus breach and whether or not quick reactions in a legislative sense are going to make things better or worse. Because just adding yet more legislation is not necessarily the answer, in my view, because I think when people don't necessarily even understand and are struggling to comprehend everything that's already there, adding yet more legislation to the pile is potentially problematic, I think, in terms of how do people go about understanding and navigating these issues? Again, that's a really interesting question. We're seeing our clients now trying to sort of map these requirements on a regular basis to see as changes come through, what are the new requirements that are imposed on them, being able to kind of track these different requirements, understand what that means. But that's a pretty heavy investment and it sort of disproportionately affects, I guess, small or medium enterprises because they just don't have the time, the resources, the financial, wherewithal, you know, to be able to engage lawyers or internal teams, to be able to come and navigate all this complexity. Nicholas Boyle (37:13) So it's a difficult challenge and it's one where I don't think there's a good answer just at the moment about how to go about those things. It kind of depends upon which sectors you operate in, but certainly the Security of Critical Infrastructure Act, which has been amended a couple of times over the last couple of years to kind of greatly increase the regulation from a cyber security perspective on operators of critical infrastructure assets in Australia. And it doesn't just affect them either, it affects some of their suppliers of data processing services, et cetera. It's a pretty complicated piece of legislation, pretty wide ranging, and as I sort of alluded to at the outset, applies to people in sectors who probably traditionally have not necessarily had cyber at the top of their sort of risk governance framework and all of a sudden they're trying to pick up and respond to a regime in an area that's slightly foreign to them. So I think there's a lot of work happening at the moment in the cyber areas just because the pace of change has been so huge and it's so wide ranging, people are still trying to wrap their head around these things and I think that the change is going to just keep coming because, as I said, there's potential privacy changes coming down the pipe. Nicholas Boyle (38:48) I think with the amount of threat activity at the moment, you can expect that there'll be sort of new threats emerging and possibly new bits of legislation coming out. So it just feels like for people working in this place, it's like drinking out of a fire hose at the moment. Karissa Breen (39:07) So going back to comment before around the wake of the optus breach, which you know that it's spurred on the cyber reforms, if you've been following that, so now that's going to add more regulation. So what are your thoughts on that? Nicholas Boyle (39:24) I think it's going to be interesting to see if there is a change to the legislation off the back of the office bridge. There's been a lot written about it. I talked to another friend who's a lawyer about this the other day and we were sort of laughing a little bit about the extent to which lawyers have been out there sort of saying, oh, this is going to happen, that's going to happen, should we increase penalties under the Privacy Act, etcetera, etcetera. And to my mind, as I said, there's so much out there already, even those in the legal profession are struggling to wrap their heads around it and put it all together and map it out. How does anyone else more generally identify what these different requirements are and put all of that together and respond to that? So I think just adding more legislation and more regulation to cover off perceived weaknesses in the current regime without sort of going back and looking at the whole framework in a more holistic sense and understanding where we're trying to get to what risks, what ills we're trying to cover and address is not the right way to go about it. Nicholas Boyle (40:40) I think it's a broader exercise, a broader activity about looking at all of these laws, maybe consolidating them in some way and refreshing a whole bunch of things to put it into a different framework where it's a bit more easily understood, be more easily identified and that might be better bet and that's a longer term project for sure. But as I said, knee jerk reactions to my mind are possibly going to do more harm than good at this stage. Karissa Breen (41:13) So just sort of touching on the cyber reforms a little bit more because I'm curious, if the government didn't come out and say we're going to do something, keeper would be outraged. But then to your point around the knee jerk reaction of just adding more complexity to already a complex environment, where do you think this will sort of land? Do you think if the government's like, oh okay, slap on the raft of it. I felt like they had to do something or else people would be really losing it due to the fidelity of the information that was breached, but then also the amount of people that were breached as well. So do you think that this is going to happen or we don't know. It's still up with discussion. Nicholas Boyle (41:51) The government haven't actually introduced legislation to amend the Privacy Act as yet. Other than that. There's a bill in Draught form at the moment to amend some of the legislation to enable some of this data sharing between the telcos and the banks. In part to kind of address some of these issues so that there's disclosure of information which might make it easier for banks and telcos to share information in such a way that they can help protect consumers against phishing attacks and those sorts of things. But in terms of making other changes to increase penalties or make privacy and cyber laws more onerous for companies, I think you're right that there's an element where the government needed to be seen to be acting because of the nature of the information, how much of it there was, and possibly to the way in which optus responded to it. But equally, I think that needs to still go through a process of actually understanding what went wrong, buying really what it was that the public and the government had issues with in terms of how optus responded and handled the incident, and then Taylor legislation and regulation to address those perceived gaps and weaknesses. Nicholas Boyle (43:32) So I think any response to any of this is going to take time. Legislative reforms in Australia typically are not quick processes because there's various rounds of consultation, there's discussions, there's discussion draughts, and it kind of has to go to parliament, et cetera, et cetera. And there has been, sort of under the previous government, a discussion paper on the Privacy Act and that's sort of been out in the wild for a while and there's been a couple of rounds of discussions about the Privacy Act and then I think between COVID and various other legislative priorities, that probably hasn't moved as quickly as people would have hoped. But I still don't think that that means we can turn around and expect something sort of in the first half of 2023 suspect we're probably at least twelve months away from kind of any meaningful sort of reforms being implemented. Karissa Breen (44:31) Yeah, that makes sense. Well, we probably don't want people to change legislation overnight, we do want them to take a measured approach rather to your point, a knee jerk reaction. So I think you're absolutely right. So in terms of any final thoughts or closing comments, nick, is there anything that you'd like to leave our audience with today? Nicholas Boyle (44:49) One thing that's really worth mentioning is that I think the courts are aware of the fact that there's no such thing as perfect cyber security was a decision earlier this ASEK and Ri Advice Group that was the case. Ri Advice Group was an AFS licence, an Australian financial services licensee that had a few cyber incidents as it took them to court on the basis that they hadn't complied with their conditions of their AFS licence. And it was ultimately found that they hadn't complied with those conditions because they kind of hadn't implemented an appropriately robust set cyber security measures. But the judge in that case acknowledged that it is not possible to reduce cyber security risk to zero. It is possible to materially reduce cyber security risk through adequate cybersecurity documentation and controls. So I think no one's expecting perfection. I think it's important that everyone acknowledges and understands that. And I always say to clients, it's not a matter of if, but when you're going to be the victim of some form of cyber attack. It doesn't necessarily have to be the scale of an optus type attack, but it would be something that even affects just a couple of users and they still have some credentials. Nicholas Boyle (46:19) But the thing is not the fact that it's happened, but how you respond to it and what measures you have in place to kind of be able to contain it as quickly as possible, deal with the consequences and then take the learnings from that so that hopefully in the future that's even less likely to occur and you can fix it moving forward. And so I would sort of urge everyone to approach cyber issues. Not as a case of you failed because something befell your organisation. But rather to use those opportunities as learnings. Acknowledge that it probably will happen to you at some point. And that you just need to be in the best position that you can be to deal with it in a way that means your organisation isn't too severely impacted. So that's definitely my takeaway from having worked in this space for a long time. Karissa Breen (47:17) Well, I think now's a good time to dust off your incident response plans, do some tabletop exercises, and hopefully this has encouraged people to look a bit closer and how they respond. So I really, really appreciate your time today, Nick, for your insights and for discussing things from a different lens. I think it's great to get people like you here on the show to hear from your point of view about maybe areas that we're missing in space. So thanks for coming on the show. Nicholas Boyle (47:44) Thanks so much for having me Karissa. I've really enjoyed it. Karissa Breen (47:46) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. Introduction (47:57) This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit merckseek.com to connect today. Karissa Breen (48:07) If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI dot digital. This podcast was brought to you by KB Dot Media, the voice of cyber.