Is your business protected? Cyber security risks and the need for ongoing vigilance in 2021 and beyond

As the COVID-19 pandemic unfolded, organisations responded to the government-imposed restrictions in an accelerated timeframe which included migrating employees to hybrid working arrangements, primarily work-from-home (WFH). To facilitate this immediate transition, organisations of all sizes rapidly implemented digital revolutions that highlighted the increased risk of cyber security breaches and potential attacks, and heightened the requirements for cyber insurance.

Figures from international organisations, including Switzerland’s National Cyber Security Centre showed an increased number of reported cases of cyberattacks. Fraudulent activities such as phishing (digital communications posing as reputable) and fake websites (carbon-copies imitating originals) were created to deceive users into entering their personal data, trebling in the month of June 2020.

While the immediate threat of mass COVID-19 contagion in Australia has largely abated, and office workers around the country are returning to a socially distanced environment, flexible work arrangements have emerged as a cornerstone of our new operating environment. Remote working has highlighted the need for businesses to have their cyber security arrangements in order and front-of-mind. Workplaces that choose to ignore the risks associated with technology or the threat of sophisticated cyber breaches increase their risk profile and exposure of an impact from cyber villains.

Cyber security is a critical part of the Information Age, it is vital for organisations to address their in-house processes and constantly improve future measures to remain competitive and retain consumer trust.

Recommendations

• Evaluate the organisation’s current cyber security measures – these should be assessed in the same manner as any other organisational risk to protect critical processes and ensure continuity
• Review the organisation’s current cyber security management plans and assess cyber risk and exposure to liability
• Complete stress testing of the organisation’s cyber security framework to identify any potential breakdowns – it is essential to ensure that your response plans are easy to adopt in a rapid response timeframe
• Consider the value proposition of cyber insurance – does the organisation’s existing cyber policy align with organisational risk profile.

Designing an effective cyber security framework

The key elements in designing an effective cyber and privacy risk management framework include:

• Data mapping – understand the organisations data visibility, data channel flows, and users who have access (internal and external)
• Data breach response plan – in the event of data breach impact, a concise and carefully-considered plan is essential for responding to data breaches as soon as they occur, and this should be reviewed and updated as part of general risk compliance procedures
• Policies, practices, and procedures – establishing a governing body including a privacy officer and regular reporting to the Board on cyber risk issues
• Staff training – keep vital information visible and located in an easy to access location. Where required, conduct employee workshops relating to the organisation’s cyber and privacy risk management framework
• Supplier agreements – implement or update security measures relating to suppliers that are handling data on the business’s behalf. Ensure data breach containment, remediation, and notification clauses in agreements are up to date.

Avoid relegating cyber security to the “too hard” basket

Persistent doomsday messaging about cyber security and cyber attacks mischaracterises potential threats, creating complacency or inertia around this issue. Additionally, little understanding can unintentionally influence management to view it as too complex or technical – something that is best left to the IT specialists to worry about.

However, if cyber security is approached in the same way as any other risk to business, it can be managed effectively.

Essential elements to minimise cyber security risk include:

• Developing a response team of internal and external resources with skills across a range of disciplines such as IT, cyber security risk, legal and PR/communications
• Implementing a tailored cyber security framework for the organisation which protects critical business processes and assets from cyber attack
• Introducing an effective and carefully selected policy of cyber insurance, which acts as a risk transfer device and funds the cost of implementing key elements of the cyber security framework (when necessary)
• Conducting regular testing and evaluation of cybersecurity procedures and plans, and the capacity to effectively roll out in a critical event.

What can cyber insurance offer?

Cyber insurance can provide an important financial backstop in the event of a cyber incident which causes loss. Firms should consider the need for cyber insurance as part of their broader systems and policies to manage cyber security.

Generally, dedicated cyber insurance policies provide two branches of cover:

• First party losses, which are those that are incurred by the insured party itself, including:
• Cost of replacing and restoring lost or damaged data following a cyber attack
• Loss of net income following a cyber event (business interruption)
• Cost of PR and legal support in the event of a data breach
• Cyber extortion costs.
• Third party losses, or the liability of the insured party to third parties for a cyber incident. This can include:
• Liability to third parties for failure of network security practices which result in a loss to a customer or client
• Compensation to individuals affected by a data breach.

Insurable losses can also include liability to pay fines and penalties which are generally insurable where there is no element of deliberate breach or intentional actions.

There is minimal standardisation in the way cyber insurance is offered in the market.  Cover is generally available as a standalone policy, or as part of an existing coverage.  The needs of the individual organisation will determine which type of policy is most appropriate.  The buyer must have a clear understanding of the organisational cyber risk before settling on a particular insurer and policy wording.

McCullough Robertson can provide your business with a tailored assessment of your current cyber insurance policy and available options for appropriate cover. We guide our clients through the process of design, placement and/or renewal of insurance cover to ensure best fit for your current or anticipated risk profile. Our team also regularly supports clients with practical training for staff on best practices for managing cyber and privacy risks, helping develop and test clear, concise data breach response plans as well as auditing supplier agreements and mapping data flows to identify where the key risks may arise before they eventuate.

Cyber security webinar

On the 28^th of April 2021, we will be hosting a webinar where we will explore the above topics further and explain why cyber security and cyber insurance play a critical part in your business strategy. You will also have the opportunity to ask questions to our expert panel. Be sure to register early for the webinar via this link.

To speak with our legal specialists, please phone (07) 3233 8888 or contact authors Stephen White and Jake Grant below.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.