We sat down virtually with Kate Marshall, Partner and Head of Legal, KPMG Australia, to discuss cyber security through the lens of data and legal. Throughout this interview, Kate provides a broad perspective on the cyber security challenges in the Asia Pacific (ASPAC) region, how legal can help address cyber security concerns, and more.

What challenges are you seeing in the Australian market and the broader Asia-Pacific region?

Kate: Right now, we’re seeing a strong move to digital and a change in work practices resulting from COVID-19, which is creating greater volumes of data and greater vulnerability around that data. 

We're also seeing high profile malicious attacks on a number of organizations, including the New Zealand Stock Exchange. There is also an increase in this type of malicious activity that can lead to data being sold on the web and really significant operational impacts.

How can legal support help address cybersecurity concerns?

Kate: KPMG firms help organizations understand, prepare for and respond to these incidents. We recommend being proactive to enable the organization to respond at least relatively calmly. This should include having a detailed playbook and an understanding of what could happen in different scenarios if there is a cyber incident. 

It’s important to have a detailed plan that’s not just the off-the-shelf normal cyber breach or data breach response plan, but what to do when there is a significant, targeted malicious attack. You might not understand the implications from day one, but being able to rely on that playbook to help you calmly respond puts organizations in a much stronger place to manage the incident. 

At KPMG firms we also recommend that clients have a response service available when it is needed. KPMG Australia has a 24-hour hotline that can provide access to a specialist forensic team but can also provide access to the specialist privacy and data lawyers who understand how to support during these incidents.

Is there anything else that companies or corporations should be doing to minimize cyber risk?

Kate: There is an increased expectation (including from Australia’s Information Commissioner) that organizations have an understanding of the data they hold. What data do you hold, where is it hosted and how is it protected? Understanding your data landscape is critical.

When we look at ransomware and the malicious attacks that have been happening in Australia, these are really sophisticated threat actors who exploit a vulnerable environment and identify the assets that they want to target. Those assets are usually IP, legally sensitive information and commercially sensitive information such as client lists. It can also include employee information which often includes health information, any internal investigations that have occurred, remuneration and personal addresses of the executive team and other personal details.

All of that information combined not only has a reputational impact, but it also has a regulatory and operational impact. Understanding that data landscape – what is the data and where does it sit – is essential, and an organization's data environment is becoming more complex as organizations continue to collect more and more data. Is it within an internal system or is it held by third parties? Knowing what protections are in place (is it encrypted, or is access restricted?) is imperative when assessing an incident where a threat actor has been able to access the organization’s systems. These threat actors are very experienced and will know what they want to target, and if we can understand this, it allows our forensic teams to focus on these areas. Our legal assessment will consider the nature and extent of the data that may have been compromised and the impact of this. Understanding not just the IT environment but the nature and categories of data that the organization has will support us to provide that legal assessment.

What can corporations do to address the challenges of state-sponsored cyber-attacks? 

Kate: Again, I would say preparation, which is not just a legal issue. The way to prepare for these incidents includes having access to a broad team – a team internally within the organization who understands the IT environment, the data security protections in place and the logs that will provide the forensic evidence, plus the right advisers available 24/7.

That combined team is really the strength of KPMG, as we bring the cyber, forensic and legal teams together as one integrated team to support the client. Being prepared to respond and understanding how they may need to respond is important.

This includes how to maintain the evidence required to give the legal team the information needed for the legal assessment. For example, if there is ransomware, it might be used to cover the threat actor’s tracks. Who has been snooping around your environment and perhaps extracted data to sell on the dark web? If logs and other evidence aren’t preserved (or available at all), our forensic team may not be able to advise on what has been compromised and what data has been removed.

With that, understanding how to react to these incidents is something that we are talking to more and more clients about. Not only should they bring in an expert team, but I think there also needs to be an increased level of understanding that the ransomware itself may not be the issue here. There may be more to it and understanding how to preserve the evidence is critical here. 

Do you feel the volume and type of data companies hold is a risk factor, and what should companies be doing to better manage this?

Kate: Yes, it’s definitely a risk factor and it’s easy to say that organizations should have less data. Of course, if you look at the privacy laws around the world, most of them have the requirements to minimize the data and personal information that’s being held, yet that may not always be actively managed. 

As an organization, it makes sense to reduce the information that you no longer need; however, that is easier said than done. I think we are still in that world of creating data lakes and thinking that more is better, which creates a challenge.

The other aspect is knowing what that data is, where it's held and with whom, like I’ve stated previously. For example, is it with your third-party supplier who manages your IT infrastructure? That’s a really critical piece to understand. Is there additional protection around what might be the crown jewels of that organization? Maybe it's their IP, other trade secrets or their client list. In order to advise on what organizations can do to mitigate, remediate and respond to incidents from a regulatory perspective, we will be able to do this more easily if the organization has an understanding of their data.

It sounds relatively simple, but in a global organization, understanding what the data is and where it is held can be a very difficult question to answer yet there are frameworks, classification systems and data maps that help.

What guidance and support can KPMG global legal services provide clients in managing their data risk?

Kate: For a starting point, it’s imperative to have a good framework to effectively manage data. Also, it’s important to manage your data well, not just from a regulatory perspective but from a minimization principle perspective. Understanding the whole environment is necessary – where are the connectivity points with third parties? What data is being held by your outsourced providers? Are there multiple copies of critical data that may be the area of focus of a threat actor in a malicious attack? What protections do you have in place?

As a global privacy and cyber team, KPMG firms can bring insights from other organizations we work with around the world. We bring these into our cyber readiness training programs so that clients can get a sense of what types of incidents may be coming their way and whether they are equipped to respond. KPMG as a truly global workforce provides the support that is needed to respond to these incidents. Working through a cyber incident can take quite some time, and having support in different jurisdictions who can work while we sleep can help. This is in addition to the local team who are on the ground and include lawyers who understand the local regulatory environment. Our integrated approach allows clients to be supported from a cyber, forensic and legal perspective.

Any final thoughts? 

Kate: It's been a year of ransomware in the Australian market and we’re really seeing the nature of the attacks step up, having a great impact on organizations from both a data and operational perspective.

We often think about these incidents from a legal perspective, specifically around notifying the regulator and individuals involved, but there's also the broader issue of it affecting the supply chain. So, we are encouraging clients to think about and prepare for that. Do they know whether their suppliers are cyber aware and ready? 

Finally, just a shout-out to our forensic colleagues, who are essential to preparing for and responding to a cyber incident. They can identify what we know and what we don’t know about the incident. There are many times where I can't do my job in supporting clients through these cyber incidents and advising them on the legal implications without having a reasonable understanding of what may have occurred. This is getting more and more complex, so having a great forensic person by my side is critical. That’s the fantastic thing about being part of the KPMG network – we can come together as one team and support the client through these challenging incidents.


Kate Marshall
Partner, Head of Legal
KPMG Australia

Throughout this document, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity.

Certain member firms of the KPMG global organization, including the US firm, KPMG LLP, do not provide legal services or have KPMG Law service entities. Some or all the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.