The first legal case against a financial services company for failing to meet mandatory cyber security requirements was brought recently by the Australian Securities and Investments Commission (ASIC). The conviction and $750,000 penalty are an important warning that businesses will be held to account for failure to have adequate risk management systems to manage cybersecurity exposures.
The company in question sustained 9 cyber security incidents via its authorised representatives between June 2014 and May 2020. The breaches involved about 60,000 of the business’s clients whose sensitive information was electronically compromised by the company’s representatives. In one case a file server was hacked without detection for 5 months.
The legal judgement found the parent company breached Australian Financial Services (AFS) licensee obligations under the Corporations Act. The business was ordered to engage a cyber security expert to advise on measures required to improve the network’s security and cyber resilience, and to report progress back to ASIC.
In ordering this, the judge made a distinction between cyber security and cyber resilience, defining cyber security as “the ability to protect and defend a business’s use of cyberspace (digital or computer technologies, systems or networks) from attacks” and cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyberspace”. The business was also advised that cyber security controls need to be ongoing in order to anticipate evolving risks.
Implementing a strategic approach to cyber resilience
Gallagher Cyber / Tech Practice Leader Robyn Adcock advises that commitment to cyber resilience and undertaking ongoing security measures needs to be an executive level concern.
“For many businesses cyber security hasn’t been a board-level topic; instead it has been dealt with by outsourced managed service providers and IT departments,” she notes, stressing that knowing how to respond is key to effectively managing a cyber incident.
“Achieving cyber resilience requires businesses to be prepared, know what to do if a breach occurs and quickly to minimise damage.”
Having cyber insurance cover provides practical assistance with this, enabling access to skilled resources for detection, securing data and remediation. To secure such cover, however, businesses need to be proactive about cyber security risk management.
Typically, cyber security risk management measures might involve:
obtaining an independent audit of the business’s cyber maturity to ascertain specific risk management and mitigation needs
integrating cyber risk measures into the business’s strategy to ensure application throughout the organisation
ensuring risk management processes and systems are fit for purpose for business operations
undertaking training and monitoring to reinforce the need for standardised practices
regularly having an expert review systems for currency with evolving cyber security risks
timely implementation of recommendations made regarding changes to risk management and incident response measures.
Meeting insurer expectations of business cyber risk maturity
Adcock warns that, for insurers, cyber risk maturity benchmarks are shifting with the increasing prevalence and scope of breach incidents.
“Demand for cyber insurance continues to increase at such a rate that insurers are looking to see best practice security controls in place before providing access to insurance, and this baseline measurement has significantly evolved over the last twelve months. This measurement is in line with the size and type of business,” she says.
“Insurers want to see more than just technical cybersecurity controls. They are looking for a holistic approach to cyber hygiene and vigilance that is embedded in the company’s culture.”
This applies not only to the business itself but also to its business partners and vendors, she says. “This will be increasingly important as insurers will need to assess whether their clients understand their vendor partners’ maturity level and if they are weak security links. Insurers will also be assessing their aggregated risks at a portfolio level.”
How Gallagher can help businesses with managing cyber risks
Our cyber security experts can assist businesses with addressing underwriter questions, developing strategies for remediating cyber security vulnerabilities, and obtaining optimal cyber insurance coverage.
Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective.