Why are corporations rethinking their approach to cybersecurity?
Lisa Fitzgerald, Partner at Lander & Rodgers, dives into the recent Federal Court ruling on cyber practices before outlining just how inextricably linked technology is to the law.
For the first time ever, we saw the Federal Court deliver a ruling on cyber practices and financial services during a case against RI Advice Group. What does this mean for businesses in the finance sector, as well as more broadly?
That decision is important for a couple of reasons. It’s the first successful enforcement action brought by one of Australia’s corporate regulators, the Australian Securities and Investments Commission (ASIC), and the Federal Court’s first decision dealing expressly with cybersecurity practices in connection with an Australian financial services licence. It represents a call to action to Australian corporates to do more when it comes to building and maintaining their cybersecurity practices.
While this was an action brought by ASIC, it’s important to remember that other regulators exist that are also watching over corporates, and that’s due to the hybrid nature of our regulatory landscape. We have APRA, ASIC, the ACCC and the OAIC – which is a privacy regulator – all watching over corporate Australia in relation to their cyber practices and how they relate to financial services obligations.
What does this mean for businesses today? I think it really just means that no business is going to be immune from potential investigations, audits or penalties in relation to their practices. Post the Hayne Royal Commission, enforcement action is likely to be on the rise across all of those regulators. And the biggest risk, of course, is multimillion-dollar fines and reputational damage.
In the case of financial penalties, for Section 912 of the Corporations Act, which was invoked in the RI Advice Group decision, the maximum penalty is the greater of $11.1 million, or three times the benefit obtained from the breach, or 10% of annual domestic turnover, capped at 2.5 million penalty units, which translates to $555 million. So it’s the sort of hit that can put an organisation out of business and something that needs to be factored into their everyday practices based on that risk alone.
What do you think the decision says about the importance of cybersecurity and regulation?
The biggest takeaway is that businesses have historically been complacent about cyber risks and cybersecurity. Over the past few years, there’s almost been a resignation about the inevitability of cyberattacks, so a reactive approach has been adopted by a lot of businesses – a “let’s wait and see what happens and then we’ll deal with it” approach.
The problem with that approach is that when a cyberattack does happen, the scale of inadequacies can be quite spectacular. It’s the sort of thing that will not only drain consumer and customer confidence, but it could also impact share price and all sorts of other value metrics when it comes to the consequences of a cyberattack.
A regulatory action can also be taken. So, I think that’s probably one of the key messages: being reactive is not going to cut it anymore.
In an article you recently published, you talk about ‘splitchain’ as a concept. Can you just explain what that means?
Splitchain is a concept designed to cure the misconception that blockchain exists outside or above the law. It’s something I use to demonstrate how blockchain use cases can be strengthened if you bring an inquiring legal mind to that commercialisation process.
I use the idea of a double helix when it comes to analysing different blockchain use cases and objectives. This helps distil not only the technological rules that might apply to automated transactions, but also the legal rules that might apply to fortify that blockchain use case. So it’s something like blockchain itself – conceptually complex – but that in and of itself needn’t be the reason we approach it with a non-inquiring mind.
The beauty of a splitchain analysis is to see how the law and technology can work together in a way that will achieve successful commercialisation, as opposed to simply adopting new technology blindly and hoping for the best, which can be your downfall.
In a traditional contract scenario, there is clear attribution around who signed and executed the contract. But with smart legal contracts, how do you actually ensure the person who enters into a contract is the actual person who is authorised to do so?
There aren’t really any frameworks or guidelines at the moment. In fact, it’s something that I’m working on with my law firm and a few legal technologists to try and solve.
We’re actually in the process of creating an NFT builder to help anyone who wants to launch an NFT project in a way that ensures those legal protections exist. We plan on using a very simple box-ticking approach where you can select the terms and conditions you want to apply to the project, and also have some sort of verification method in relation to the contracting parties.
Are there any industries or individual clients who are adopting the idea of smart legal contracts in their day-to-day practice?
I do have some corporate clients who are adopting smart legal contracts, but mostly for very simple and straightforward transactions – ones that don’t need negotiation or have a need for discretionary-type concepts like reasonable endeavours, which lawyers love to build into commercial agreements.
We are definitely seeing use cases for simple payment transactions, for example. But quite often it will just be the agreed method of performing certain transactions, as opposed to representing the whole relationship between parties.
Now that we have a Minister for Cyber Security, Clare O’Neil, do you think people should be even more on watch in terms of expectations and obligations around protecting data, people and business?
Absolutely. I think it’s a show of just how seriously the government is taking cybersecurity and it’s really a recognition of how fundamental technology and data are to doing business. It’s very symbolic indeed.