At Sydney Insurance Brokers we are spending more time than ever dealing with the rising incidence of cybercrime, and the changing regulatory environment in which Australian businesses that hold private information must operate. A recent KPMG report on cyber-protection found the following states of preparedness:
| Country | Fully Prepared | Somewhat prepared, but not where we need to be | Not Sure |
As you can see, Australian cybersecurity has much room for improvement. Judging from the volume of enquiries we are getting, though, that is changing.
One of the difficulties in this fast-changing field of risk is that most managers, particularly those in SMEs, are not fully aware of the risks they face, and of their statutory data protection obligations – particularly since both are rapidly changing.
One statutory development that SMEs need to be particularly alert to concerns the reporting of data breaches. Anyone who finds that the confidentiality of information they hold on behalf of third parties has been compromised ought to report the event, whether or not they are legally obliged to do so. Unfortunately, Australian businesses have proved reticent about this, with many reluctant to initiate time-consuming proceedings which they see as having little prospect of success.
Whether this pessimism is justified or not, we believe the matter may soon be taken out of their hands, if legislation currently in the making passes into law. Under the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 the reporting obligations that currently apply only to large businesses will be extended to any business with an annual turnover greater than $3 million.
This means that a very large number of SMEs will be legally required to report “serious data breaches”. A serious data breach occurs whenever there is unauthorised or otherwise improper disclosure of information which could result in serious harm or infringement of privacy to individuals to whom the information relates.
Even exemplary cybercrime defences can still be breached, and organisations should have an integrated cybersecurity policy which includes insurance.
Risks from cybercrime are more diverse than many managers appreciate. As well as the threat to the security of banking, and the damages that can be awarded to third parties whose information is misused, the interruption to normal business following an attack can be extensive. Insurance underwriters expect that around 60% of business interruption claims will arise from cyberattacks.
Don’t just hope for the best – if your business isn’t fully protected, give us a call at Sydney Insurance Brokers, and talk to a cyber-insurance expert today.