Managing your Cyber Risk

Sunday, April 2, 2017

The Department of Immigration & Border Protection (DIBP) recently released a statement in relation to cyber security and their preparedness should an attack on their IT infrastructure occur.

 

It's encouraging to note that, despite the complex and cross-jurisdictional environment the DIBP operates in, as at the date of the statement there have been no successful attacks on their IT infrastructure. Interestingly, the DIBP have completed a major program to mitigate cyber risks; however, they acknowledge there is still more work to do.

 

The Australian government's Cyber Security Strategy estimates cybercrime costs the country $17 billion annually.

 

Meanwhile, global cybersecurity company Symantec reports that 2015 saw over one million cyber attacks each day, including a record-setting total of nine "mega-breaches" – defined as those in which more than 10 million records were compromised or stolen.

 

Mandatory Data Breach Reporting now a reality

Members may also be aware that the Federal Government has acted to prevent companies from hiding significant data breaches that impact the general public they service by passing the Privacy Amendment (Notifiable Breaches) Bill 2016 on 22 February 2017. Mandatory data breach notification requirements will commence 12 months after that date. To comply with the new privacy law, organisations need to ensure that by 22 February 2018 they have reviewed and updated their privacy procedures to document what needs to be done in the event of an eligible data breach, including giving notice to affected individuals as well as notifying the regulator.

Under this legislation, all entities governed by the Act, and those with annual turnover of more than $3 million, will be subject to mandatory reporting of "eligible data breaches" to the Office of the Australian Information Commissioner (OAIC), plus any affected at-risk individuals. Failure to comply could lead to fines of up to $1,800,000 for an organisation or $360,000 for an individual.

For further information about who is subject to the Privacy Act, please visit the website of the OAIC at www.oaic.gov.au/privacy-law/rights-and-responsibilities.

 

The threat is real

 

Recent high profile incidents include:

  • a security breach at the Red Cross where over half a million blood donors' personal records have been compromised,
  • 2 separate security breaches at Yahoo, in which thieves stole the personal data of 1.5 billion Yahoo users, and
  • Census Australia, where their website was subject to Denial of Service attacks.

 

The costs of a cyber breach extend way beyond the fallout of lost or corrupted data. Members should factor in damage to reputation, physical and intellectual property, plus disruption to operations.

 

This is a timely reminder that adopting a "she'll be right" attitude is potentially an expensive and naive response to a growing and known challenge.

 

Minimise risks

 

Given that cyber attacks are now considered to be an everyday reality, members should commence a process to review their potential cyber threats and be properly prepared for the consequences of any attacks.

 

The good news is that there are insurance products available which provide cover for these specific cyber and privacy breach exposures. In addition to providing monetary cover, some insurers have engaged dedicated and experienced IT breach response teams, which include specialist lawyers, IT forensic investigators and consultants, with the aim of ensuring that they achieve the best possible outcomes for their clients.

 

We recently met with one of our insurance company partners and they made us aware of a recent claim lodged under their Cyber Liability product.

 

Their client was a freight forwarder. A disgruntled ex-subcontractor hacked the forwarder's network multiple times with the intention of disrupting business operations.

As a result of the attacks, the forwarder's network was down for 21 days. This included the forwarder's cargo/order tracking software and web-based warehouse management system, which was severely compromised. This resulted in the forwarder's customers having no online visibility, which caused stress and anxiety for the forwarder and their customers.

The forwarder's woes continued as the IT issues spread upstream to their international partners.

 

The insurer responded by engaging a specialised service provider to locate and rectify the main cause of the disruption and to facilitate the restoration of the entire network.

The insurer settled the claim for $280,000, which was made up of $110,000 in Defence Costs and $170,000 paid out in relation to IT expenses and lost income for the time the network was down.

 

Would your business be ready to respond to an incident like this? How would you cope if you were uninsured?

 

For more information about how we can assist members with this vital coverage, please contact our insurance advisor, James Cotis, at jcotis@FTAlliance.com.au.