In our article dated 19 February 2018, we discussed the risks to your organisation arising from a data breach or cyber attack, and we suggested some steps that you could take to minimise that risk.
This article examines recent trends in cyber attacks and data breaches and what steps should be taken to minimise the risk of them occurring.
The Office of the Australian Information Commissioner reported that in the period between 1 July 2018 and 30 September 2018, 245 data breaches were notified under the Notifiable Data Breaches scheme introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). [1]
Of those breaches:
Importantly, the second largest category of data breaches related to human error, which included:
The vast majority of data breaches involved the disclosure of an individual's contact information or financial information.
The cyber insurance market is still relatively new in Australia, but it is an area of significant growth.
It is becoming more common for organisations to need to demonstrate that they have appropriate cyber security measures in place, and appropriate insurance cover, when tendering for work.
Whilst the number of cyber insurance policies taken out in Australia continues to increase steadily, there have only been a limited number of claims to date.
Although your organisation may already have cyber insurance in place, you cannot be complacent.
As the number of claims (inevitably) increases, policy wordings will be reviewed by insurers and further exclusion clauses will appear in cyber policies. Cyber wordings are changing regularly, and you may find that coverage differs from one policy to the next. Management liability and D&O policies are also changing in their treatment of cyber risks, which are now starting to be identified as governance issues in some cases.
You need to review the wording of your organisation's current cyber policy carefully, as it is likely to require that your organisation take reasonable measures to avoid a cyber attack or data breach.
At this early stage, there is no judicial guidance available as to what will be considered to be reasonable measures.
At the very least, your organisation's IT manager or external IT provider will need to ensure that your IT systems are protected, as far as practicable, from cyber attack, and that the measures taken are documented, since it is that record that an insurer will examine if a claim is made.
Given the proportion of data breaches caused by human error, staff training is vital and is likely to be taken into account when insurers consider whether or not your organisation has taken reasonable measures to avoid a data breach or cyber attack.
Key areas that staff can be trained in to avoid your organisation being subject to a data breach or cyber attack are outlined below.
Staff should be instructed to:
[1] Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report: 1 July 2018 to 30 September 2018.