How a Business Continuity Plan Can Help Protect Your Firm
If some of the more popular buzzwords of the past two years were "flexible work" and "hybrid business", 2022's might be more along the lines of consistency and continuity.
A cyber attack happened once every eight minutes in Australia in 2020-21, compared with once every 10 minutes in the previous financial year. No sector in the economy was immune, according to reports made to the Australian Cyber Security Centre, but because these are only reported breaches, the real rate is much higher.
The centre listed key trends as:
Increasingly, cybercriminals are directly targeting top executives through direct emails with threats and ransom demands, or accessing their inboxes, files, and computers to extort or blackmail them.
The total cost of a data breach is getting heftier. It was $2.82M in Australia last year, up from $2.15M the year before, says IBM.
How up to date are your company’s directors and officers on digital security, so that you can be confident their policies and processes will minimise the risks associated with a data breach?
As a result of these breaches, company directors and officers are facing greater regulatory oversight to disclose cyber security issues. They must ensure they have appropriate cyber security measures in place to protect their company’s digital assets. Failing to do so when a data breach occurs risks shareholder derivative action or a shareholder suit against D&Os for breaching their fiduciary duty.
The Federal Government released its Ransomware Action Plan last October, which introduces a criminal offence for cyber extortion – here’s a link to federal laws that cyber criminals face. However, under the plan, the government will mandate that companies with a $10M-plus turnover report ransomware incidents, and has indicated it will increase regulatory oversight, according to law firm Corrs Chambers Westgarth. Paying a ransom may be a criminal offence, and even though there are defences, there’s a lot of uncertainty.
As well, the government has set up a new Australian Federal Police-led multi-agency taskforce, ‘Operation Orcus’, to target ransomware attacks linked to organised crime groups operating here and overseas. The Federal Department of Home Affairs has also set up the Cyber and Infrastructure Security Centre to actively deal with regulatory moves and partnerships to protect our nation’s critical infrastructure. You can find a comprehensive register of those asset classes here, plus obligations for responsible entity holders or direct interest holders.
The government’s Cyber Security Industry Advisory Committee has issued Locked Out: Tackling Australia’s ransomware threat, which advises businesses to:
That presumes a high level of cyber expertise and risk management at board and officers’ fingertips.
For D&Os, managing cyber risks is a core governance issue that comes under the duty of care and diligence in Section 180(1) of the Corporations Act, according to professional services consultancy PwC. However, there haven’t been any significant Australian cases or regulatory prosecutions of D&Os concerning ransomware attacks or preparedness … yet.
Boards should be actively engaged in managing cyber risks, and can look to ASIC for cyber guidance. ASIC’s guidance covers 11 good practices, including:
It’s worth pointing out that businesses should have appropriate contracts and processes in place to make sure their suppliers, service providers and sub-contractors also meet cyber security requirements.
Don’t overlook cyber insurance
You might assume your existing directors’ and officers’ liability insurance should cover you for cyber risks, but please check with us for peace of mind. For example, the D&O policy may or may not include:
Cyber risk or cyber liability insurance can cover costs, liabilities and losses resulting from a cyber incident in your company. But generally, cyber liability insurance won’t cover all of the costs you incur, such as salary costs for your staff, uninsurable fines, or damage to property other than computer hardware.
The good news is that you can minimise your cyber security risk profile with the above strategies and tailored insurance. That said, our advice is that premiums will rise in the next two years. The more you tighten your internal processes to manage your cyber risks, the stronger your application will be for a new policy or a renewal, earning you more favourable terms.
Article supplied by OneAffiniti