The cyber threat landscape for Australian organisations is escalating, bringing with it complex legal, financial, and reputational risks. In-house legal teams play a critical role in bolstering their organisation's cyber resilience and mitigating significant regulatory exposure.
In this article, the second in a series for Cyber Security Awareness Month, we outline the critical cyber risk areas that in-house legal teams should be aware of, and provide practical tips on mitigating these risks and bolstering cyber resilience.
Key cyber risk areas
Poor data governance
Effective data governance is the foundation of cyber resilience. Legal teams must ensure their organisation understands and controls all data it collects, processes, and retains.
Under Australian Privacy Principle 11, organisations must destroy or de-identify personal information once it is no longer required for its original purpose. However, this requirement can conflict with data retention obligations imposed by various legislative frameworks, which mandate the preservation of certain information for specified periods. This regulatory tension creates a complex compliance landscape and significantly amplifies the potential impact of a data breach, as organisations may be compelled to retain data for longer than privacy principles would otherwise permit.
The 2022 Optus data breach starkly illustrated the risks of unclear data retention requirements, with approximately 4 million former customers' personal information compromised due to Optus retaining billing records for up to six years. Whilst the Federal Government has signalled its intention to review data retention legislation as part of broader privacy reforms, no specific amendments have been proposed to date, leaving organisations to navigate these competing obligations in the interim.
In-house legal teams should:
- Map critical data assets: Work with IT and business units to identify and document all critical data assets, including personal information, intellectual property and commercially sensitive data.
- Understand data retention regulatory landscape: Map the various legislative requirements that mandate data retention across different sectors and data types, identifying where these obligations conflict with privacy principles requiring data minimisation and timely destruction of personal information.
- Enforce data minimisation: Implement strict 'need-to-know' and data destruction policies. The less sensitive data an organisation stores, the smaller the legal and regulatory impact of a breach. Review data holding practices to reduce aged and unnecessary data stores.
- Establish a data governance framework: Convert legal obligations (e.g. Privacy Act 1988 (Cth), Security of Critical Infrastructure Act 2019 (Cth), as amended) into practical, company-wide policies covering data classification, storage, access, and transfer.
Third party and supply chain risk
Organisations face increasing vulnerability through third and fourth party service providers, particularly as the rise of cloud computing has resulted in significant volumes of corporate data being processed and stored by providers. Those providers have also become a common vector for cyberattacks, such as in the recent Salesforce data breach that has affected several high profile companies. Regulators and courts hold organisations responsible for security breaches which affect the data they control, regardless of where it resides or which vendor manages it.
In-house legal teams should:
- Review and strengthen contracts: Ensure all vendor contracts include binding privacy and security obligations that comply with Australian regulations, notification of security events and audit rights, and obligations upon the vendor to cooperate with the organisation in the event of a data breach. Organisations should also consider provisions that allow for independent third party reports on the vendor's cyber resilience.
- Strengthen due diligence processes: Ensure legal oversight of all third-party procurement. Due diligence must go beyond technical checks to include mapping data flows (i.e. what categories of data the third party will have access to, use or disclose), confirming the vendor's legal obligations regarding data sovereignty, and reviewing sub-contractor controls.
- Mandate security standards: Require third parties to meet your organisation's baseline cyber security standards, such as the Essential Eight controls.
- Consider cyber insurance posture: Query whether the organisation has cyber insurance and if it does, consider whether the policy is appropriate to cover losses that the organisation may suffer in the event of a data breach.
Lack of employee training and awareness
Human error remains the primary cyber security risk. Simple lapses like clicking malicious links or failing to use multi-factor authentication can bypass technical controls and cause breaches.
In-house legal teams should:
- Lead training on legal risk that provides targeted real-world examples: Create ongoing education modules addressing the role of artificial intelligence and deepfake technology (discussed in further detail below) in producing convincing phishing attacks, and highlighting the legal consequences of poor security practices, such as whistleblower protections.
- Create board-specific training: Ensure boards are aware of the organisation's cyber maturity and preparedness for incidents and are kept abreast of incidents. Boards should be cognisant of the organisation's statutory obligations, their directors' duties and their personal liability under privacy and consumer law. While ASIC has not yet pursued legal action against directors in the cyber context for breach of directors' duties, ASIC Chairman Joe Longo has stated that: "If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses."
- Mandate multi-factor authentication (MFA): Enforce MFA across all systems handling sensitive data. Regulators consider this basic measure reasonable to expect from all organisations dealing with personal information.
- Prepare incident response plans: Establish incident response plans and ensure the plan identifies the relevant legal obligations, including those in the Privacy Act 1988 (Cth), Security of Critical Infrastructure Act 2019 (Cth) (if applicable), and the Cyber Security Act 2024 (Cth). Response plans should also set out the organisation's approach in the event that certain key issues, such as ransom payments, arise.
- Test incident response: Lead simulated cyber incidents with senior management to test response plans and clarify crisis roles.
- Understand the role of legal professional privilege in the data breach response: Consider the proper role of legal professional privilege in the context of cyber breaches and ensure privilege is applied appropriately.
Emerging threat: sophisticated deepfakes
Generative AI has created a new risk: sophisticated deepfakes. These realistic, AI-generated images, audio, and videos enable targeted attacks on organisations and executives.
Deepfakes now enable Business Email Compromise, CEO fraud, and disinformation campaigns, including:
- BEC and voice cloning: Deepfakes of executives demanding urgent fund transfers can bypass traditional controls. A UK engineering firm lost nearly HK$200 million in 2024 when an employee believed deepfake impersonations of senior colleagues (including the company's CFO) on a video call were real.
- Reputational attacks: Deepfake videos of executives making damaging statements can cause immediate harm to reputation and stock price. Current laws like defamation are often too slow to secure swift injunctive relief against fake content.
In-house legal teams should:
- Update fraud protocols: Require multi-channel verification for high-value or unusual payment requests, especially those initiated via voice or video. Consider verification mechanisms like rotating code words or ticketing systems.
- Develop deepfake crisis protocols: Integrate deepfake-specific responses into incident response plans, including rapid forensic verification and pre-authorised communication strategies to immediately identify content as fraudulent.
- Monitor legislative changes: Track new laws criminalising non-consensual sharing of digitally altered material and understand new avenues for legal recourse.
Taking a strategic and proactive approach to cyber risk
In-house legal counsel play a strategic, proactive role in cyber risk management. By focusing on governance, robust contracting, cultural awareness, and emerging threats like deepfakes, legal teams can translate cyber security complexities into defendable business practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.