Insight 19 March 2021

Is your business protected? Cyber security risks and the need for ongoing vigilance in 2021 and beyond

As the COVID-19 pandemic unfolded, organisations responded to government-imposed restrictions in an accelerated timeframe, which included migrating employees to hybrid working arrangements, primarily work-from-home (WFH). To facilitate this immediate transition, organisations of all sizes rapidly implemented digital revolutions that highlighted the increased risk of cyber security breaches and potential attacks, and heightened the requirements for cyber insurance.

Figures from international organisations, including Switzerland’s National Cyber Security Centre, showed an increased number of reported cases of cyberattacks. Fraudulent activities such as phishing (digital communications posing as reputable senders) and fake websites (carbon copies imitating originals), created to deceive users into entering their personal data, trebled in the month of June 2020.

While the immediate threat of mass COVID-19 contagion in Australia has largely abated, and office workers around the country are returning to a socially distanced environment, flexible work arrangements have emerged as a cornerstone of our new operating environment. Remote working has highlighted the need for businesses to have their cyber security arrangements in order and front-of-mind. Workplaces that choose to ignore the risks associated with technology or the threat of sophisticated cyber breaches increase their risk profile and their exposure to impact from cyber villains.

Cyber security is a critical part of the Information Age; it is vital for organisations to address their in-house processes and constantly improve future measures to remain competitive and retain consumer trust.

Recommendations
  • Evaluate the organisation’s current cyber security measures – these should be assessed in the same manner as any other organisational risk to protect critical processes and ensure continuity
  • Review the organisation’s current cyber security management plans and assess cyber risk and exposure to liability
  • Complete stress testing of the organisation’s cyber security framework to identify any potential breakdowns – it is essential to ensure that your response plans are easy to adopt in a rapid response timeframe
  • Consider the value proposition of cyber insurance – does the organisation’s existing cyber policy align with the organisational risk profile?

Designing an effective cyber security framework

The key elements in designing an effective cyber and privacy risk management framework include:

  • Data mapping – understand the organisation’s data visibility, data channel flows, and users who have access (internal and external)
  • Data breach response plan – a concise and carefully considered plan is essential for responding to data breaches as soon as they occur, and this should be reviewed and updated as part of general risk compliance procedures
  • Policies, practices, and procedures – establishing a governing body including a privacy officer and regular reporting to the Board on cyber risk issues
  • Staff training – keep vital information visible and located in an easy-to-access location. Where required, conduct employee workshops relating to the organisation’s cyber and privacy risk management framework
  • Supplier agreements – implement or update security measures relating to suppliers that are handling data on the business’s behalf. Ensure data breach containment, remediation, and notification clauses in agreements are up to date.

Avoid relegating cyber security to the “too hard” basket

Persistent doomsday messaging about cyber security and cyber attacks mischaracterises potential threats, creating complacency or inertia around this issue. Additionally, limited understanding of the issue can unintentionally lead management to view it as too complex or technical – something that is best left to the IT specialists to worry about.

However, if cyber security is approached in the same way as any other risk to business, it can be managed effectively.

Essential elements to minimise cyber security risk include:

  • Developing a response team of internal and external resources with skills across a range of disciplines such as IT, cyber security risk, legal and PR/communications
  • Implementing a tailored cyber security framework for the organisation which protects critical business processes and assets from cyber attack
  • Introducing an effective and carefully selected policy of cyber insurance, which acts as a risk transfer device and funds the cost of implementing key elements of the cyber security framework (when necessary)
  • Conducting regular testing and evaluation of cyber security procedures and plans, and of the capacity to roll them out effectively in a critical event.

What can cyber insurance offer?

Cyber insurance can provide an important financial backstop in the event of a cyber incident which causes loss. Firms should consider the need for cyber insurance as part of their broader systems and policies to manage cyber security.

Generally, dedicated cyber insurance policies provide two branches of cover:

  • First party losses, which are those that are incurred by the insured party itself, including:
      • Cost of replacing and restoring lost or damaged data following a cyber attack
      • Loss of net income following a cyber event (business interruption)
      • Cost of PR and legal support in the event of a data breach
      • Cyber extortion costs.
  • Third party losses, or the liability of the insured party to third parties for a cyber incident. This can include:
      • Liability to third parties for failure of network security practices which result in a loss to a customer or client
      • Compensation to individuals affected by a data breach.

Insurable losses can also include liability to pay fines and penalties which are generally insurable where there is no element of deliberate breach or intentional actions.

There is minimal standardisation in the way cyber insurance is offered in the market. Cover is generally available as a standalone policy, or as part of existing coverage. The needs of the individual organisation will determine which type of policy is most appropriate. The buyer must have a clear understanding of the organisational cyber risk before settling on a particular insurer and policy wording.

McCullough Robertson can provide your business with a tailored assessment of your current cyber insurance policy and available options for appropriate cover. We guide our clients through the process of design, placement and/or renewal of insurance cover to ensure best fit for your current or anticipated risk profile. Our team also regularly supports clients with practical training for staff on best practices for managing cyber and privacy risks, helping develop and test clear, concise data breach response plans as well as auditing supplier agreements and mapping data flows to identify where the key risks may arise before they eventuate.

Cyber security webinar

On the 28th of April 2021, we will be hosting a webinar where we will explore the above topics further and explain why cyber security and cyber insurance play a critical part in your business strategy. You will also have the opportunity to put questions to our expert panel. Be sure to register early for the webinar via this link.

To speak with our legal specialists, please phone (07) 3233 8888 or contact authors Stephen White and Jake Grant below.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Stephen White, Partner
  • Jake Grant, Special Counsel
