Steps to improve cyber resilience
April 2016 | EXPERT BRIEFING | RISK MANAGEMENT
Cyber risk is front-of-mind for Australian organisations following a series of significant developments in the last two years.
A number of recent high-profile data breaches, including Ashley Madison, David Jones and K-Mart, have raised awareness of cyber risks and placed the issue of cyber security and data privacy firmly on the agenda for Australian boards, lawmakers and regulators.
In 2014, substantial amendments were made to Australia’s privacy laws, placing more onerous requirements on organisations to protect the personal information of individuals. This included conferring on Australia’s privacy regulator enhanced powers to enforce these new requirements.
Further, the Australian government recently released for industry consultation a draft bill to require mandatory notification of serious personal information data breaches.
Regulatory developments have not been limited to privacy, with Australia’s corporate regulator also raising awareness of the issue of cyber risk through the release of its ‘Report 429: Cyber resilience health check’ for the benefit of the regulated population. The Report provided a clear indication that cyber risk is a board-level issue and has introduced the term ‘cyber resilience’ into common usage within corporate Australia.
A number of other Australian industry-specific regulators have also introduced regulatory requirements in relation to the protection of data, including APRA, Australia’s prudential regulator.
These developments have cumulatively led to an increased awareness among Australian boards of cyber security and privacy risks, which may include reputational damage to the organisation, significant civil penalties and personal liability for directors.
Against this backdrop, we recently surveyed board members, C-suite executives and senior risk, IT and legal executives with a view to gaining insights into the cyber resilience capabilities of Australian organisations. The results showed that, while data breaches are on the rise and notwithstanding an increasingly regulated environment, a significant number of organisations have no plan in place for responding to data breach events. Further, despite most Australian blue-chip insurers now offering specialist cyber risk policies, cyber insurance has not yet been widely embraced in the Australian market.
In this article, we explore the impact of the survey results and address the steps organisations can take to improve their cyber resilience.
The purpose of the 2015 cyber security survey was to gain an overview of Australian organisations’ risk posture in relation to cyber attacks, their cyber resilience capability and their intentions to adopt services that may give rise to additional cyber risk (such as cloud-based services).
Two different surveys were distributed: one directed at chairmen, directors and chief executive officers (Board Survey) and another directed at chief information officers, chief information security officers, general counsel and other risk-related managers (CIO Survey).
The surveys were distributed to a diverse range of organisation types (including top 100 Australian Securities Exchange (ASX) companies, non ASX-listed entities, Australian state and federal government departments and not-for-profit organisations). We received and evaluated a total of 159 responses, comprising 81 responses to the Board Survey and 78 responses to the CIO Survey.
The survey revealed that cyber risk is front-of-mind for many Australian organisations, with 83 percent of Board Survey respondents ranking it as medium or high on their organisation’s corporate risk register.
Further, while 59 percent of Board Survey respondents identified the information technology (IT) department as having primary responsibility for responding to cyber risks, the results suggested an appreciation by Australian organisations that cyber risks are a whole-of-enterprise issue. The survey also found that respondents held a perception that they were appropriately informed of, and capable of responding to, cyber risks within their organisation.
However, while the awareness and acknowledgement of cyber risks is on the rise, the survey revealed that Australian organisations require additional focus on cyber resilience in order to address this threat more effectively. A significant number (27 percent) of CIO Survey respondents reported that their organisation did not have a data breach response plan in place. Further, more than half (56 percent) of CIO Survey respondents reported that they only conducted information security training for personnel on an ad hoc basis.
The survey also revealed that Australian organisations need to give further consideration to supply chain risk arising in relation to their key suppliers and customers. It was clear that many organisations had not adequately considered supply chain risk, with only 28 percent of CIO Survey respondents regularly auditing their suppliers’ IT security practices.
Further, with a number of survey respondents reporting that responsibility for cyber risk management, compliance and review activities had been outsourced to an IT service provider, it is crucial that all organisations understand that outsourcing this function will not transfer responsibility for a cyber attack to the third party provider. The potential consequences for organisations outsourcing IT security include liability under the privacy laws, personal liability for directors, claims of misleading and deceptive conduct in breach of the consumer protection laws and customer claims for breach of contract.
The allocation of cyber risks through specialist insurance policies has not yet been widely embraced, with only 25 percent of survey respondents confirming their organisation had taken out a specialist policy. A further 32 percent of respondents were unsure whether cyber risk was addressed in their existing insurance arrangements. We expect to see an increase in the take-up of specialist cyber risk insurance policies, particularly with the expected introduction of mandatory data breach notification requirements later this year.
Improving cyber resilience
Our survey reveals that, while the awareness of cyber risks at board-level is on the rise, there is room for Australian organisations to improve their cyber resilience.
As a starting point, we recommend that all Australian organisations have in place a cyber resilience plan. The planning process should include undertaking a review of key contracts to identify the allocation of risk and responsibility; identifying critical systems, data and services; investing in employee training; and understanding and implementing appropriate technical measures (such as firewalls and data encryption).
An organisation’s cyber resilience plan should incorporate a data breach response plan setting out the framework for managing a data breach. The features of an effective plan include a list of the members of the response team; the actions and escalations to be taken in the event of a data breach; and the procedures for determining whether to notify affected individuals. The plan should be tested and amended regularly, as necessary.
Australian organisations that are subject to specific regulatory regimes should also ensure that they are fully compliant in relation to the protection of data held by them or their outsourced service providers.
Given there is no foolproof solution for cyber risks, we also recommend that organisations review their existing insurance arrangements and consider whether cyber risk insurance is an appropriate investment. Most of the specialist cyber risk policies in the Australian market include cover for first party losses (such as the cost of hiring technical experts to identify and address the cause of the data breach and engaging public relations professionals to conduct reputational repair services), regulatory costs (such as fines or penalties, and notification and monitoring expenses) in addition to third party liability cover for any claims arising from the data breach.
Ultimately, improving an organisation’s cyber resilience will require vigilance and preparedness at all levels of the organisation, from board members to executive management to each and every employee.
Paul Kallenbach is a partner and Leah Mooney special counsel at Minter Ellison. Mr Kallenbach can be contacted on +61 3 8608 2622 or by email: firstname.lastname@example.org. Ms Mooney can be contacted on +61 7 3119 6230 or by email: email@example.com.
© Financier Worldwide