Australia’s business landscape will be transformed under new mandatory reporting legislation for data breaches which will take cyber security from the IT department to the boardroom, according to a white paper released by QBE Insurance.
The paper, released today, said businesses nationwide will need to ensure that stringent data management and cyber security measures are in place or risk facing compliance, financial and reputational ramifications.
New legislation, passed in the Senate in February, requires mandatory reporting of any data breaches to both the privacy regulator and the affected customers. It will apply to all businesses with a turnover of more than $3 million, health service providers, credit reporting bodies, credit providers and tax file number recipients.
The costs associated with notification can be crippling, with data from the US indicating the average cost per lost or stolen record to be USD221.
QBE cyber insurance expert, Ben Richardson, said the new legislation emphasises the need for data management and cyber security practices to be escalated and reviewed within a company’s overall risk management framework to ensure that they are fit for purpose.
“It means, certainly as far as ASX-listed companies go, that if the data breach is serious enough to affect the share price or a specific class of individuals, like employees, then legal and regulatory action against directors and officers will move into scope,” Richardson said.
“In future, company boards will need to ensure they are well across their organisation’s security practices and encourage a strong security culture to avoid being placed in the firing line.”
Richardson said that while the turnover threshold for mandatory reporting is $3 million, small and medium enterprises should still be vigilant.
This sentiment was echoed by Prime Minister Malcolm Turnbull in his foreword to the ASX 100 Cyber Health Check report.
“We’re starting to see criminals move away from attacking larger organisations who present more complex defense mechanisms and instead target SMEs who are often unable to invest in high levels of IT security or risk management and are more susceptible to automated, lower cost threats, such as phishing and ransomware,” Richardson said.
The wide-ranging consequences of a data breach would undoubtedly put cyber insurance on the radar for businesses of all sizes.
Richardson said cyber insurance in Australia is still a relatively new product, but the introduction of mandatory notification brings Australia into line with the more established US market and is expected to lead to a maturing cyber insurance market.
“Cyber insurance is designed to complement strong internal security practices to ensure that a business will be able to stay afloat to cover the costs of a cyber event.
“When assessing risk, underwriters will require information on the security practices currently in place and will look favourably on those who are taking an active approach to security across all levels of the business.”
Richardson said that while the new legislation would no doubt be cause for concern for some, the clarity of responsibility should be welcomed.
“Ultimately, this is a positive move. This will create a more transparent risk management landscape, which will help reveal the true extent of cybercrime affecting Australian businesses as more data about breaches is collected. Further, consumers will have a far greater level of comfort around how businesses treat their personal data.”
“With this increased clarity in responsibility towards data safety it is hoped all sectors will benefit from the improved reporting and statistics as this will help drive future strategies and improve defensive efforts.”
Businesses wanting to improve their cyber security should ensure they have adequate security measures in place, conduct annual audits, embed a strong security culture, and develop recovery and business continuity plans.
You can download the paper here: QBE white paper cyber risk.
The latest issue of Paint and Panel, which will be with you shortly, has a column from Chris Oliver in the UK talking about the huge issue data protection has become over there where repairers are being blamed for data breaches.