A collective chill scuttled across the nation in late 2017 when the Australian Cyber Security Centre’s latest Threat Report assessed the risk of cyber compromise as “high” for local organisations.
It had already recorded a 15 per cent increase in cyber incidents in the previous 12 months – rising to 47,000 – with 56 per cent of the incidents affecting industry rather than the public sector. But only 58 per cent of those incidents were self-reported; the ACSC identified the remainder itself.
This apparently relaxed approach to cyber compromise is about to face its biggest challenge ever with the introduction of mandatory data breach notification for companies when they endure a serious compromise. And companies will have just 30 days to alert the authorities. Under the Privacy Act, there is some leeway for organisations that turn over less than $3 million per year; however any organisation that holds potentially harmful information is not exempt.
Having a current, tested cyber incident identification and response plan which allocates responsibilities, expedites notification and remediation, and leverages appropriate cyber insurance coverage is essential in this emerging era of mandated notification.
Certainly the threat of data breach is not declining; attacks on personal identifiable information and the use of credential harvesting malware are on the rise according to the ACSC’s threat report.
The ACSC report also noted that managed service providers – which might deliver cloud computing services or outsourced information systems – are also being targeted as a way to access customer data. Companies cannot outsource their breach notification obligations, but instead need to ensure that they are aware of where their data reserves are held, and have systems in place to expedite breach notification and systems remediation regardless of the location of data.
With the clock ticking for the Australian data breach notification, business both large and small need to immediately assess their exposure, risk mitigation opportunities, processes and procedures to ensure they can respond to the notification schedules in Australia.
What is a data breach?
A data breach is defined as a situation where:
- There has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or
- Information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
- There is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Relevant data can include data such as personal information, credit information and tax file numbers.
A real risk of "serious harm" can include physical, psychological, emotional, economic and financial harm, and also includes serious harm to reputation.
Six steps to preparing for breach notification
1. Get across the detail of the legislation and implications for your organisation.
2. Understand what data you have, where and how it is stored - review and test your existing systems for managing and storing data and ensure they are compliant/robust.
3. Ensure you have a plan on how to address the legislation. This plan should be integrated with your cyber risk plan, cyber incident response plan and overall crisis management and business continuity plan.
4. Consider implementing the Australian Signals Directorate’s Essential Eight guidelines for cyber-attack mitigation and incident management.
5. Communicate the plan with key leaders across the organisation and get their buy in and educate employees.
6. Do any work required to prepare for legislation and review your current insurance arrangements with your broker to ensure you have adequate insurance and a response team at the ready.
To find out more on the new privacy legislation or to learn more about Cyber Liability Insurance contact visit aon.com.au/cybercover, email firstname.lastname@example.org or call us on 1800 805 191.
* Conditions apply. Price dependant on exposure risk and selected limits. For full policy wording please contact 1800 805 191. © 2017 Aon Risk Services Australia Limited | ABN 17 000 434 720 | AFSL 241141. This information is general in nature and should not be relied on as advice (personal or otherwise) because your personal needs, objectives and financial situation have not been considered. So before deciding whether a particular product is right for you, please consider the relevant Product Disclosure Statement or contact us to speak to an adviser.