CYBER SECURITY A year in review - December 2021 - Lander & Rogers
CYBER SECURITY: A YEAR IN REVIEW

Foreword

As 2021 comes to a close and we step into 2022, we take this opportunity to reflect on how cyber threats have evolved both in Australia and globally, as well as the rapidly changing cyber regulatory landscape.

This year we saw a dramatic increase in the frequency and severity of cyber attacks, with ransomware the predominant mode and COVID-19 continuing to pose risk for organisations shifting to remote working and cloud-based services. Most alarmingly, we saw that threat actors are increasingly taking aim at our critical infrastructure industries and favouring supply chain attacks due to their greater impact. We have also seen an increase in attacks carried out by state-sponsored actors, who are generally not motivated by profit.

These threats and the potentially devastating impact of cyber attacks on critical infrastructure have been recognised by governments around the world, including in Australia. We have seen several key regulations and policies being introduced throughout the year aimed at improving the cyber resilience of Australian businesses, particularly in the critical infrastructure sectors, and enhancing data protection. Similar steps have been taken in the US, UK, EU, Singapore and China. The OAIC has also taken active steps throughout the year to enforce privacy legislation after several global companies were involved in data breaches.

Changes to the risk environment and the regulatory landscape have a significant impact on organisations. More than ever, the Board and management of organisations, regardless of their size and online capabilities, need to be aware of cyber risks, understand their responsibilities and obligations around cybersecurity, and take proactive measures to enhance their organisation's cyber resilience.

With the hardening cyber security insurance market, companies seeking insurance cover are also facing increased scrutiny from cyber insurers. Cyber insurers increasingly play an important part in educating clients and improving their cyber security. We foresee that the role of cyber insurers in risk mitigation and increasing the cyber resilience of their corporate clients will continue well into 2022.

It seems generally accepted that cyber threats will evolve and become increasingly sophisticated. In particular, we expect that Australia will continue to face significant cyber threats in the next 12 months, with new ransomware models, supply chain attacks and exploitation of zero-day vulnerabilities already proving problematic.

Cyber threats cannot be eliminated, but organisations can make it more difficult for attacks to succeed. This will require strong will from all sides: Australian businesses (including their Boards and management), the cyber insurance industry and governments. The enactment and enforcement of cyber security regulations introduced this year by the Australian Government will play an important role in shaping how Australia responds to cyber threats and improves its cyber resilience.

We trust that this inaugural Cyber security year in review will provide a useful guide to the nature of current cyber threats and Australia's rapidly evolving regulatory landscape.

Key contacts
Technology, privacy and cyber: Robert Neely (Partner, Corporate); Lisa Fitzgerald (Partner, Corporate); Keely O'Dowd (Senior Associate, Corporate).
Cyber insurance: Melissa Tan (Special Counsel and Head of Cyber Insurance, Insurance Law & Litigation); Louisa Henderson (Lawyer, Insurance Law & Litigation).

landers.com.au
CASE NOTES

Notable cyber attacks

There was a dramatic increase in the frequency and severity of cyber attacks in 2021, with ransomware the predominant mode and COVID-19 continuing to prove difficult for organisations shifting to remote working and cloud-based services.

Accellion (Dec 2020)
• Supply chain attack
• Zero-day vulnerabilities
• Perpetrator: UNC2546 and UNC2582

SolarWinds (US) (Dec 2020)
• Supply chain attack
• Breach went undetected for months and could have exposed sensitive data in the highest reaches of US government
• Third-party claim led to shareholder class action
• Suspected: SVR

Microsoft Exchange Server (US) (Jan-Mar 2021)
• MS Exchange Server zero-day vulnerabilities and patching
• Exploited by threat actors to launch cyber attacks
• Suspected: Hafnium and 9+ others

Florida water supply (US) (Feb 2021)
• Critical infrastructure: water supply
• Hacker's attempt to poison water supply
• Perpetrator: unknown

CNA Financial (US) (Mar 2021)
• Largest ransomware payout at US$40m
• One of the biggest US insurance companies
• Ransomware attack: Phoenix CryptoLocker encrypted remote workers' devices logged into VPN
• Suspected: Evil Corp

Acer (Taiwan & India) (Mar 2021, Oct 2021)
• Leveraging MS Exchange Server "zero-day" vulnerabilities
• Large ransom demanded
• Exposed poor cybersecurity practices and vulnerable servers
• Perpetrators: REvil and Desorden Group

Nine Network (Aus) (Mar 2021)
• Media network
• Malware attack with no ransom demanded
• Valuable sensitive data, disruption of services
• Perpetrator: unknown

Facebook (US) (Apr 2021)
• Social media platform
• Personal information exfiltrated
• Perpetrators unknown

Colonial Pipeline (US) (May 2021)
• Critical infrastructure: oil and gas
• Ransomware attack
• Perpetrator: DarkSide, a RaaS provider
• US$4.4 million ransom paid (more than half was recovered)

JBS Foods (Brazil, US, Aus) (May 2021)
• Critical infrastructure: food and supply chain
• Ransomware attack
• Perpetrator unknown: REvil suspected
• US$11 million ransom paid

Kaseya (US) (Jul 2021)
• Supply chain attack
• Ransomware with malicious Sodinokibi / REvil code deployed
• US$70m demanded. Kaseya didn't negotiate or pay
• Perpetrator: REvil, Yaroslav Vasinskyi

Frontier Software / SA Government (Dec 2021)
• Ransomware and supply chain attack
• State government impacted and employee data exfiltrated
• Suspected: Russian hackers

Log4j2 (Dec 2021)
• Zero-day vulnerability
• Ransomware
• State-sponsored attacks
GLOBAL VIEW OF CYBER LANDSCAPE

Regions covered: European Union, China, United States, United Kingdom, Singapore, Australia.

Cyber risks know no boundaries, posing a global and national security issue. To contextualise the evolving cyber regulatory landscape in Australia, it is important to understand the strategies adopted by other countries including the US, UK, EU and in the Asia-Pacific region.
TIMELINE

Legislation and policies

Timeline markers: May 2021, Jun 2021, Jul 2021, Aug 2021, Sep 2021, Oct 2021, Dec 2021, Jan 2022, Present.

Ransomware Action Plan
Strategic government approach to tackling threat posed by ransomware.

Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Bill 2021 (Cth)
Bill receives royal assent. Government may issue sanctions directly against cyber hackers that ban them from visiting Australia or investing their criminal gains in Australia.

Digital Economy Strategy
Sets out measures of success including enhanced security of critical infrastructure; high levels of cyber security across government; e-commerce and cyber security tool use for 95% of SMEs.

Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth)
New law enforcement powers for Australian Federal Police and Australian Criminal Intelligence Commission to combat serious online crime.

Australian privacy law reform
Attorney-General's Department releases Privacy Act 1988 Discussion Paper and the Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021.

Security Legislation Amendment (Critical Infrastructure) Bill 2021
Bill receives royal assent. Aims to enhance security and resilience of critical infrastructure assets and systems of national significance.

NSW Cybersecurity Strategy
Government to lead by example in cyber resilience.

WA Govt Digital Strategy 2021-2025
Outlines focuses for improving cyber resilience, expanding secure service delivery, enhanced transparency and accountability in managing data.

HGIT Initiative
Three Cyber Hub pilots established to provide cyber services for government agencies needing additional skills.

Strengthening Australia's cyber security regulations and incentives
143 submissions received to consultation.

Cyber Security Skills Partnership Innovation Fund
Government announces additional $43.8 million in funding to grow cyber security workforce.

Online Safety Act 2021 (Cth)
Act commences 23 January. First-of-its-kind cyber scheme for adults; enhanced protections for children; greater transparency in tech.

Vic Govt Cyber Strategy 2021
Sets out state's cyber security strategy for next five years.

NT Govt Darwin Joint Cyber Security Service
Collaborative hub between state and federal government.
HOT TOPIC

Insights from the Information Commissioner's investigations into Uber, 7-Eleven and Clearview AI

In 2021, the Office of the Australian Information Commissioner (OAIC) released three determinations in respect of its investigations into the privacy practices of Uber, 7-Eleven and Clearview AI.

Case study: Uber Technologies, Inc. & Uber B.V.
In Australia, Uber B.V. (UBV) is a ride hailing service delivered through a mobile application for Australian users. UBV has been operating in Australia and collecting customers' and drivers' personal information since September 2012. Uber Technologies Inc (UTI) was contracted by UBV to process information in accordance with UBV's instructions under a processing agreement. In 2016 the personal data of drivers and customers was accessed by an unauthorised third party.

Case study: 7-Eleven
7-Eleven is a private company with over 700 convenience stores across Australia. Between 15 June 2020 and 24 August 2021, 7-Eleven deployed a technology-enabled customer feedback mechanism in its stores. The mechanism used third-party facial recognition technology to collect facial images and faceprints of customers who completed a feedback survey using an instore tablet device. The facial images were retained for seven days and the faceprints were retained for an indefinite period.

Case study: Clearview AI
American facial recognition company Clearview AI provides a facial recognition search tool for mobile and web users. The tool allows users to upload an image of an individual's face and search Clearview AI's database for likely matches, to enable identification of the individual. Clearview AI's userbase comprises government and law enforcement entities who use the tool for law enforcement and national security purposes.
TRENDS

Top four cyber security trends for 2022

[Word cloud: breach, internet, password, data, hacker, network, ransomware, virus, online, cyber, malware, phishing, training, attack, security, privacy, deep fake, software, cloud, information, detection, firewall, legal, spyware, insurance, crypto crime]
BUILDING CYBER RESILIENCE

Lessons from 2021

There are four key cyber security lessons from 2021 to inform 2022 and beyond.

1. The human factor: work on reducing the cost of the human factor.
2. Cyber insurance: cyber insurers and brokers can play an important role in building cyber resilience.
3. Collaboration: information sharing is key.
4. Ecosystem: a collective approach is needed for cyber ecosystem strength.
KEY CONTACTS

Cyber security legal specialists

Technology, privacy and cyber
Lisa Fitzgerald, Partner, Corporate. D +61 3 9269 9103, E lfitzgerald@landers.com.au
Robert Neely, Partner, Corporate. D +61 2 8020 7704, E rneely@landers.com.au
Keely O'Dowd, Senior Associate, Corporate. D +61 3 9269 9526, E kodowd@landers.com.au

Cyber insurance
Melissa Tan, Special Counsel and Head of Cyber Insurance, Insurance Law & Litigation. D +61 2 8020 7889, E mtan@landers.com.au
Louisa Henderson, Lawyer, Insurance Law & Litigation. D +61 2 8020 7897, E lhenderson@landers.com.au
ABOUT US

Founded in 1946, Lander & Rogers is one of the few remaining truly independent Australian law firms and a leader in legal tech innovation. With offices across the eastern seaboard of Australia, Lander & Rogers has grown organically, resulting in a unified firm with a strong focus on client and staff care. We believe legal services involve more than just the law – practical, commercial advice and exceptional client experience are equally important to our clients and to us.

Lander & Rogers advises corporate, government, not-for-profit and private clients in insurance law and litigation, family law, workplace relations & safety, real estate, corporate transactions, digital & technology and commercial disputes. The firm is global in approach, working closely with a network of leading firms to provide advice to clients, both domestically and abroad. Lander & Rogers is also the exclusive Australian member of the world's leading independent network of law firms, TerraLex.

DISCLAIMER | This guide cannot be regarded as legal advice. Although all care has been taken in preparing this information, readers must not alter their position or refrain from doing so in reliance on this guide. Where necessary, advice must be sought from competent legal practitioners. The author does not accept or undertake any duty of care relating to any part of this presentation.

Melbourne: T +61 3 9269 9000, F +61 3 9269 9001
Sydney: T +61 2 8020 7700, F +61 2 8020 7701
Brisbane: T +61 7 3456 5000, F +61 7 3456 5001