News & Insights

Do you have a strategy for handling a cyber attack?

Published 19 April 2019

Does your business have a plan for meeting data breach penalties and costs? With the Marriott group facing a potential $915 million fine for its 2018 data breach, organisations of any size are facing the need for contingency strategies.

On top of Australia’s Mandatory Data Breach Notification and the General Data Protection Regulation (GDPR) coming into effect in 2017, proposed changes to the Privacy Act 1988 are set to introduce increased penalties, making data breaches more costly ‒ and cyber insurance a necessity for any company that stores personal data.


With draft legislation timed for consultation in the second half of 2019, businesses of all sizes should be aware of the proposed amendments which also cover online and social media platforms, and include

  • an increased maximum penalty for repeated breaches of personal data of $10 million or
  • 3 times the value of any misuse of information or
  • 10% of a company’s annual domestic turnover, whichever is greater.

The OAIC will gain new infringement powers to impose penalties for failure to cooperate with efforts to resolve minor breaches of

  • up to $63,000 for bodies corporate
  • up to $12,000 for individuals.

They will also be able to

  • publish notices about breaches and the companies involved
  • notify individuals whose personal information has been accessed by a cyber attack.

This will directly affect breached organisations’ reputations – and their bottom lines.

According to legal firm Clyde & Co, in the event of a security breach businesses should be prepared to demonstrate that they have adequate systems in place to protect personal data, and that includes considering cyber insurance as a risk mitigation strategy to assist with the costs and potential liabilities involved.

“Cyber insurance provides a safety net for businesses and provides assurance that they can pay compensation to individuals whose data has been compromised”

Robyn Adcock, Cyber Technology Practice Leader at Gallagher

“By taking a proactive approach to data protection, organisations can also improve their risk profiles and lower their premiums.”

An organisation can build a stronger case for claims being approved in the case of a data breach by auditing themselves in advance of seeking insurance cover. First steps include

  • identifying what kind of data is stored and the level of security it is defended by
  • ascertaining that appropriate access controls are in place
  • assessing whether current security is adequate.

Demonstrating preparedness is an important aspect of reducing risk, Finance Derivative advises. An essential requirement is a data breach response plan.

“The faster an organisation can react, and the more it can minimise any potential damage, the lower its premiums will be," Adcock continues.

These basics help to quantify your risk to a potential insurer and they also provide a road map to the preventative actions your organisation needs to take. Today the reality is that every business could fall victim to a cyber attack, but preparedness is the key to surviving and moving on.

“Cyber insurance is designed to meet a variety of different challenges that can arise in the event of a data breach,” Adcock says. “We can help businesses proactively manage their risk exposures.”

Talk to a Gallagher cyber specialist about how we can help you limit your cyber security exposure.

Connect with an expertchevron-right


Further reading

Cyber insurance

Do I need cyber-liability insurance?


Negotiating with a hacker in a ransomware attack on a business
Cyber | Article

Negotiating with a hacker in a ransomware attack on a business

07 July 2022
Legal penalty highlights businesses’ cyber security obligations
Cyber | Article

Legal penalty highlights businesses’ cyber security obligations

21 June 2022
Adapting your risk management protections to match evolving cyber cover
Cyber | Report

Adapting your risk management protections to match evolving cyber cover

31 May 2022