Guide: Cyber Year in Review 2021/22

The last 12 months have seen a dramatic increase in the frequency and severity of cyber attacks. Organisations must be aware of cyber risks, understand their responsibilities and obligations around cyber security, and take proactive measures to enhance their cyber resilience.

As 2021 comes to a close and we step into 2022, we take this opportunity to reflect on how cyber threats have evolved both in Australia and globally, as well as the rapidly changing cyber regulatory landscape.

This year we saw a dramatic increase in the frequency and severity of cyber attacks, with ransomware the predominant mode and COVID-19 continuing to pose risk for organisations shifting to remote working and cloud-based services. Most alarmingly, we saw that threat actors are increasingly taking aim at our critical infrastructure industries and favouring supply chain attacks due to their greater impact. We have also seen an increase in attacks carried out by state-sponsored actors, who are generally not motivated by profit.

These threats and the potentially devastating impact of cyber attacks on critical infrastructure have been recognised by governments around the world, including in Australia. We have seen several key regulations and policies being introduced throughout the year aimed at improving the cyber resilience of Australian businesses, particularly in the critical infrastructure sectors, and enhancing data protection. Similar steps have been taken in the US, UK, EU, Singapore and China. The OAIC has also taken active steps throughout the year to enforce privacy legislation after several global companies were involved in data breaches.

Changes to the risk environment and the regulatory landscape have a significant impact on organisations. More than ever, the Board and management of organisations, regardless of their size and online capabilities, need to be aware of cyber risks, understand their responsibilities and obligations around cyber security, and take proactive measures to enhance their organisation's cyber resilience.

With the hardening cyber insurance market, companies seeking insurance cover are also facing increased scrutiny from cyber insurers. Cyber insurers increasingly play an important part in educating clients and improving their cyber security. We foresee that the role of cyber insurers in risk mitigation and increasing the cyber resilience of their corporate clients will continue in 2022.

It seems generally accepted that cyber threats will evolve and become increasingly sophisticated. In particular, we expect that Australia will continue to face significant cyber threats in the next 12 months, with new ransomware models, supply chain attacks and exploitation of zero-day vulnerabilities already proving problematic.

Cyber threats cannot be eliminated, but organisations can make it more difficult for attacks to succeed. This will require strong will from all sides: Australian businesses (including their Boards and management), the cyber insurance industry and governments. The enactment and enforcement of cyber security regulations introduced this year by the Australian Government will play an important role in shaping how Australia responds to cyber threats and improves its cyber resilience.

We trust that this inaugural Cyber Year in Review will provide a useful guide to the nature of current cyber threats and Australia's rapidly evolving regulatory landscape.
