The good, the bad and the ugly: top 10 privacy and cyber issues and trends for 2022 and 2023

21 September 2022 02:54


Alec Christie, Sian Pannach and Michael Zacharatos, Clyde & Co


Inside the June 2022 edition of the Financial Services Newsletter, three legal experts from Clyde & Co analyse the fast-moving developments in cybersecurity and privacy affecting the financial services industry.

Here, we present their top 10 predictions for cyber and privacy – the good, the bad, and the ugly – for 2022 and 2023. (Financial Services Newsletter subscribers can read the full article here.)

Top 10 Trends for cyber and privacy in 2022 and 2023

  1. The government and regulators are not being subtle and further significant privacy and cyber developments are on the way
  2. Unfortunately, ransomware is here to stay
  3. Don’t forget, human nature is the biggest cyber threat
  4. Cyber insurance is now essential for businesses . . . but will be more difficult and costly to obtain!
  5. Workplace initiatives must contemplate privacy from the outset
  6. Clean out data graveyards
  7. The rise of biometric data in commercial products
  8. A new dawn for directors’ personal liability in relation to cybersecurity
  9. Direct action by victims of data breaches
  10. Expanded critical infrastructure is a key focus

Trend 1: The government and regulators are not being subtle and further significant privacy and cyber developments are on the way

The past few years have seen the Office of the Australian Information Commissioner (OAIC) push for greater enforcement powers and receive increased government funding to enforce the Privacy Act 1988 (Cth) and yet it still does not seem to be enough to meet the demand.

In 2022, the government is pushing ahead with a review of the Privacy Act which, among other things, is expected to see higher penalties (confirmed), an expanded definition of personal information and possibly the removal of the small business exemption (thereby capturing a much greater share of Australian businesses). The government is also pushing ahead with other privacy- and cyber-related laws (eg, in relation to the digital identity regime and the critical infrastructure legislation discussed below) and extending the Consumer Data Right (CDR) to other sectors, collectively imposing greater cyber and privacy obligations on specified sectors, activities and/or types of businesses. In 2021, the government also introduced further powers to take advantage of private sector data for national security purposes (ie, passing the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth) and establishing a facial recognition database).

The Australian Prudential Regulation Authority (APRA)’s Cyber Security Strategy for 2020 to 2024 introduces heightened accountability where regulated companies fail to meet their legally binding requirements under CPS 234. As a mandatory standard for APRA-regulated entities, CPS 234 requires organisations to uplift their information security capabilities to counter the evolving size and extent of the threats they face.

The key objective is to minimise both the likelihood and impact of information security/cyber incidents on the confidentiality, integrity and availability of information assets, including those information assets managed by related or third parties.

In 2022 and 2023, the government’s keen interest in cybersecurity will continue. Measures similar to those required in CPS 234 for financial services will continue to seep into critical infrastructure, the other CDR sectors (and eventually all sectors) and possibly be one of the surprise amendments to the Privacy Act arising from the current review.

Trend 2: Unfortunately, ransomware is here to stay

Ransomware attacks are still on the rise and will again be a feature of 2022, with ransomware gangs placing themselves as a dominant threat to all industries across the globe. In 2021, cybersecurity authorities observed a dramatic increase in ransomware attacks, with record-breaking statistics: technology companies experienced a reported 2300% increase in the number of attacks.1 As cyber criminals continue to exploit organisations’ dependence on online systems and the hybrid working conditions of the COVID-19 work-from-home world, we predict that the current number and intensity of ransomware incidents will only continue to surge in 2022 and 2023.

There is a growing sophistication in ransomware tactics with criminal business models becoming more developed and far-reaching, including expanding their networks through “cybercriminal services-for-hire” or “cyber incidents as a service”. Freelancers can be hired to release sensitive data publicly on the dark web on command, often intentionally targeting insured businesses to demand greater payments. In Australia, in 2022, we will see increasing ransomware attacks on “popular” sectors such as healthcare, financial services, energy and higher education and research.

In response, government entities and large corporations will need to continue their considerable investments into their cybersecurity efforts, leaving underfunded small and medium-sized enterprises (SMEs) as ripe targets (or the “low hanging fruit”) for ransomware attacks in 2022.

Trend 3: Don’t forget, human nature is the biggest cyber threat

According to IBM, human error accounts for over 90% of all cybersecurity breaches (including ransomware) yet, in practice, it is one of the cheapest and most cost-efficient issues for companies to remedy.2 In its latest notifiable data breach report (2021), the OAIC reported that 30% of all data breaches were caused by human error and that, of the malicious cyber incidents reported as the cause of data breaches, another 30% involved individuals falling prey to phishing.3 The industries most affected by human error and phishing include health service providers, financial services (including insurance), legal, accounting and management services, and government agencies.4 A report by Infosec indicated that almost 97% of users cannot identify a phishing email, while one in 25 people proceed to click on malicious emails and links.

With these statistics in mind (and the cost of the ransomware attacks that inevitably follow), in 2022 employee training is paramount and is the most important line of defence against these evolving cyber threats. Not only will training reduce company losses from incidents but, going forward, insurers will expect it as a necessary part of essential cyber safeguards (or hygiene) before issuing a cyber policy. Organisations should also take inventories of their data assets so that, should a ransomware attack occur, it is clear what data has been exfiltrated, locked and is at risk.

Trend 4: Cyber insurance is now essential for businesses . . . but will be more difficult and costly to obtain!

With the exponential increase in cyber incidents year on year, it is no surprise that more and more businesses are investing in cyber insurance. Given the expectations for further increases in incidents in 2022 and beyond, failure to secure cyber insurance will soon put your business both in the minority and at significant risk.

Trend 5: Workplace initiatives must contemplate privacy from the outset

Workplaces necessarily collect certain amounts of personal information from employees, including through welcome workplace initiatives such as diversity and inclusion programs. While well-intentioned, it is important that businesses consider the potential privacy and cyber implications of these programs before they inadvertently cause harm.

Trend 6: Clean out data graveyards

Each year companies pour millions of dollars into acquiring data related to business operations and strategy without proper consideration of data management practices. This results in significant stockpiling of unused data repositories and subsequent maintenance costs.

Trend 7: The rise of biometric data in commercial products

Although biometric technology has rapidly gained the reputation of being effective, reliable and security-enabling, privacy and cyber concerns are growing about its use. The most significant privacy and cyber risk that biometric data poses is that its static nature means that once biometric data is compromised it will remain compromised.

Trend 8: A new dawn for directors’ personal liability in relation to cybersecurity

In 2022, there is renewed interest in directors’ duties as regards the cybersecurity of their companies and the potential for shareholder class actions. There is no doubt that ensuring their companies have appropriate privacy and, in particular, cybersecurity risk management and measures in place is squarely part of a director’s duties.

Trend 9: Direct action by victims of data breaches

There is the potential risk of a major data breach creating an aggrieved class of litigants in 2022. The potential risks to a business’s revenue stream, reputation and, for listed companies, the share price drop that commonly follows a high-profile cyber incident may all contribute to the growing risk of data breach class actions.

Trend 10: Expanded critical infrastructure is a key focus

All signs point to critical infrastructure as a sector of government cybersecurity focus in 2022 and 2023. This should come as no surprise in a context where Australia faces increasingly regular and more sophisticated cybersecurity threats to essential businesses and government services.

Conclusion

In addition to the privacy and cyber trends and issues canvassed in this article, 2022 and 2023 will also see some unexpected developments come out of “left field”. While it is a volatile time in privacy and cybersecurity in Australia (and indeed the world at large), businesses must use 2022 to uplift and consolidate their privacy and cybersecurity risk management, and the vast majority of Australian directors must up their game as well.

That is, invest in (and oversee your company’s) cybersecurity, privacy compliance and prosilience through robust systems, training of staff and ensuring the availability of appropriately skilled resources. Finally, watch out for and meet any specific “minimum” cybersecurity measures in financial services, critical infrastructure (which now could be you) and those sectors where the CDR is being rolled out.

Alec Christie
Partner
Clyde & Co
Alec.Christie@clydeco.com
www.clydeco.com

Sian Pannach
Associate
Clyde & Co
Sian.Pannach@clydeco.com
www.clydeco.com

Michael Zacharatos
Associate
Clyde & Co
Michael.Zacharatos@clydeco.com
www.clydeco.com