The first legal case against a financial services company for failing to meet mandatory cyber security requirements was brought recently by the Australian Securities and Investments Commission (ASIC). The judgement and $750,000 penalty are an important warning that businesses will be held to account for failing to have adequate risk management systems in place to manage their cyber security exposures.

The company in question sustained nine cyber security incidents via its authorised representatives between June 2014 and May 2020. The incidents affected about 60,000 of the business's clients, whose sensitive information, held by those representatives, was compromised. In one case an intruder had access to a file server for five months before being detected.

The legal judgement found the parent company had breached its Australian Financial Services (AFS) licensee obligations under the Corporations Act. The business was ordered to engage a cyber security expert to advise on the measures required to improve its network's security and cyber resilience, and to report progress back to ASIC.

In making this order the judge drew a distinction between cyber security and cyber resilience, defining cyber security as "the ability to protect and defend a business's use of cyberspace (digital or computer technologies, systems or networks) from attacks" and cyber resilience as "the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyberspace". The court also noted that cyber security controls need to be maintained on an ongoing basis so that they keep pace with evolving risks.

Implementing a strategic approach to cyber resilience

Gallagher Cyber / Tech Practice Leader Robyn Adcock advises that commitment to cyber resilience, and to undertaking ongoing security measures, needs to be an executive-level concern.

"For many businesses cyber security hasn't been a board-level topic, instead it has been dealt with by outsourced managed service providers and IT departments," she notes, stressing that knowing how to respond is key to effectively managing a cyber incident.

"Achieving cyber resilience requires businesses to be prepared, to know what to do if a breach occurs, and to act quickly to minimise damage."

Having cyber insurance cover provides practical assistance with this, giving access to skilled resources for detection, securing data and remediation. Businesses need to be proactive about cyber security risk management, however, if they are to secure that cover.

Typical cyber security risk management measures include:

  • obtaining an independent audit of the business's cyber maturity to identify its specific risk management and mitigation needs
  • integrating cyber risk measures into the business's strategy so that they are applied throughout the organisation
  • ensuring risk management processes and systems are fit for purpose for the business's operations
  • undertaking training and monitoring to reinforce the need for standardised practices
  • having an expert regularly review systems for currency against evolving cyber security risks
  • implementing recommended changes to risk management and incident response measures in a timely manner.

Meeting insurer expectations of business cyber risk maturity

Adcock warns that insurers' cyber risk maturity benchmarks are shifting as breach incidents grow in frequency and scope.

"Demand for cyber insurance continues to increase at such a rate that insurers are looking to see best-practice security controls in place before providing access to insurance, and this baseline measurement has significantly evolved over the last twelve months. This measurement is in line with the size and type of business," she says.

"Insurers want to see more than just technical cybersecurity controls. They are looking for a holistic approach to cyber hygiene and vigilance that is embedded in the company's culture."

This applies not only to the business itself but also to its business partners and vendors, she says. "This will be increasingly important as insurers will need to assess whether their clients understand their vendor partners' maturity level and if they are weak security links. Insurers will also be assessing their aggregated risks at a portfolio level."

How Gallagher can help businesses with managing cyber risks

Our cyber security experts can assist businesses with answering underwriter questions, developing strategies for addressing cyber security vulnerabilities, and obtaining optimal cyber insurance coverage.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes, which only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312