The first legal case against a financial services company for failing to meet mandatory cyber security requirements was brought recently by the Australian Securities and Investments Commission (ASIC). The conviction and $750,000 penalty are an important warning that businesses will be held to account for failure to have adequate risk management systems to manage cybersecurity exposures.
The company in question sustained 9 cyber security incidents via its authorised representatives between June 2014 and May 2020. The breaches involved about 60,000 of the business’s clients whose sensitive information was electronically compromised by the company’s representatives. In one case a file server was hacked without detection for 5 months.
The legal judgement found the parent company breached Australian Financial Services (AFS) licensee obligations under the Corporations Act. The business was ordered to engage a cyber security expert to advise on measures required to improve the network’s security and cyber resilience, and to report progress back to ASIC.
In ordering this the judge made a distinction between cyber security and cyber resilience, defining cyber security as “the ability to protect and defend a business’s use of cyberspace (digital or computer technologies, systems or networks) from attacks” and cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyberspace”. They were also advised that cyber security controls need to be ongoing to anticipate evolving risks.
Gallagher Cyber / Tech Practice Leader Robyn Adcock advises that commitment to cyber resilience and undertaking ongoing security measures need to be an executive-level concern.
“For many businesses cyber security hasn’t been a board-level topic, instead it has been dealt with by outsourced managed service providers and IT departments,” she notes, stressing that knowing how to respond is key to effectively managing a cyber incident.
“Achieving cyber resilience requires businesses to be prepared, know what to do if a breach occurs and quickly to minimise damage.”
Having cyber insurance cover provides practical assistance with this, enabling access to skilled resources for detection, securing data and remediation. Businesses need to be proactive about cyber security risk management if they are to secure cover.
Typically cyber security risk management measures might involve
Adcock warns that, for insurers, cyber risk maturity benchmarks are shifting with the increasing prevalence and scope of breach incidents.
“Demand for cyber insurance continues to increase at such a rate insurers are looking to see best practice security controls in place before providing access to insurance and this baseline measurement has significantly evolved over the last twelve months. This measurement is in line with the size and type of business,” she says.
“Insurers want to see more than just technical cybersecurity controls. They are looking for a holistic approach to cyber hygiene and vigilance that is embedded in the company’s culture.”
This applies not only to the business itself but also to its business partners and vendors, she says. “This will be increasingly important as insurers will need to assess whether their clients understand their vendor partners’ maturity level and if they are weak security links. Insurers will also be assessing their aggregated risks at a portfolio level.”
Our cyber security experts can assist businesses with addressing underwriter questions, strategies for improving cyber security vulnerabilities and obtaining optimal cyber insurance coverage.