The threat of cyber risk in Australia: The regulatory, insurance and security view
Cyber risk and cyber attack discussions can often seem to be all doom and gloom, but there are numerous proactive strategies that businesses can still take, writes Melinda Woledge.
How can companies best defend themselves against a cyber attack? Will a regulator such as the Australian Securities and Investments Commission (ASIC) take enforcement action if there is a breach? What do companies have to do to obtain cyber insurance, and what does it cover? These were some of the questions explored by a panel of specialists from the legal, regulatory, insurance and security sectors at Hall & Wilcox’s Tech Week event that put a spotlight on cyber.
Facilitated by Hall & Wilcox’s head of cyber Eden Winokur, the panel featured Phil Magness (senior manager, markets enforcement, ASIC), Paul Pratley (principal consultant – incident response, CrowdStrike Services), and Hannah Morgans (growth leader, Pacific, cyber practice, Marsh). The wide-ranging discussion explored the current cyber risk landscape, including ASIC’s approach to cyber, risk mitigation, the cyber insurance market and latest trends.
How prepared are Australian companies to withstand a cyber attack?
There is more for Australian companies to do to be prepared to respond to cyber attacks. Paul Pratley said one of the issues is many organisations lack the ability to evaluate cyber threats.
“That really comes down to a lack of understanding of how cyber attacks work,” he said.
“The level of understanding around cyber attacks is that it’s all about malware and malware is like magic. It does magical things and operates in a way that isn’t really understood.
“[But] you don’t have a malware problem, you have a threat actor problem. You have an adversary, a human behind that technology that has objectives and goals.”
Mr Pratley said most organisations in Australia, whether a well-funded top-tier financial services business or a small company, were not prepared for cyber compromises and were vulnerable to focused and well-resourced cyber attacks.
“Most organisations plan to fend off attacks but don’t really plan for how to defend their environments and recover from these attacks. People don’t plan to fail but that’s really what you should be doing. You should be planning to fail and making sure … you are really well prepared to defend your network and recover your business,” he said.
Mr Pratley’s observation is backed up by a new report from the Governance Institute of Australia, which found that many boards and leaders are under-skilled and struggling to keep up with a fast-changing digital landscape. The report, Driving the digital revolution: A guide for boards, surveyed nearly 500 chief executives/C-suite executives, non-executive directors, senior governance and risk professionals, and a working group of digital experts. It found more than half of the respondents had few, if any, directors with technology skills as part of their core skill set. Twenty-one per cent of organisations do not have a digital transformation underway.
Mr Pratley recommended that companies carry out testing to break their systems, in order to identify the flaws and weak spots and work on fixing them.
Phil Magness said it was important for companies to test every part of a response to a data breach, not just the technical aspects.
“In advance [of an incident], organisations need to test other aspects. What is their policy in relation to paying a ransom? What if the ABC rocks up at the front door, who is going to speak? Do we have a pre-defined list of frequently asked questions? How would we stand up a core response team? All of those sorts of non-technical aspects are often not thought about in terms of a pretty serious incident occurring,” Mr Magness said.
What is the regulator’s view?
Cyber attacks and ransomware can severely impact business operations and result in the theft of commercially sensitive information, which may trigger obligations under ASIC reporting regimes. Mr Magness said that from an enforcement perspective, ASIC is focused on continuous disclosure obligations, directors’ duties and the obligations of other regulated entities that hold Australian financial services licences. He said that where companies have egregiously failed to meet their obligations, enforcement action may be undertaken.
“ASIC is well aware that we cannot eliminate cyber risk completely. We can never make it zero. There will always be risk. We look at it from the perspective of corporate governance structures and cyber resilience,” he said.
“We also know that how a company implements safeguards and controls has to be proportionate to their size and complexity … but where there have been egregious failures of a company or a director or any participant in the financial services market, then ASIC will consider enforcement action and will consider that with a view to driving behavioural change.”
What about cyber insurance?
Hannah Morgans said cyber insurance is currently in a hard market with premiums increasing and insurers requiring more stringent network security standards. While this may mean obtaining a policy is more challenging, it also has the effect of improving the overall network security standard of Australian companies that are seeking to obtain cyber insurance.
A surprising figure is that only a small number of Australian corporates, with annual revenue in the range of approximately $30-500 million, have cyber insurance. Ms Morgans estimated the number of companies in that category that held cyber insurance with Marsh, one of the leading global cyber insurance brokers, to be 5 to 7 per cent.
“It’s shockingly low just how many smaller corporates don’t obtain cover. Unfortunately, they are very much a target,” she said.
“Cyber is [still] an emerging risk. Technology is permanent in everyone’s life, especially with COVID. Cyber insurance is here to stay and will only continue to be in demand, but it’s a safety net. We need to make sure we are educating businesses that you need to be at a certain standard,” she said.
Mr Pratley said that cyber insurance was necessary and useful but something that many companies would hope they never needed to use.
“Cyber insurance can’t work magic. It can’t recover data that’s lost, it can’t restore the reputation of your business. It can help you, there’s a lot of very useful aspects that it can help you with. But at the end of the day, you don’t want to be in a position where you need to call on cyber insurance,” he said.
Mr Winokur cited research that showed at the beginning of 2022, the gross written premium globally for cyber insurance was around US$9.2 billion. This figure is predicted to grow to US$22 billion by 2025. Ms Morgans said that figure was not surprising.
“Demand is consistently increasing. The cyber threat is building and increasing. But cyber insurance has also played an instrumental part in helping businesses to uplift. It’s increased the level of security for a lot of these businesses,” she said.
While it can be a shock to be turned down for cyber insurance, Mr Winokur said it should instead be seen as a wake-up call for the company to fix its systems.
Cyber risk and cyber attack discussions can often seem to be all doom and gloom. The session wrapped up with some proactive strategies companies can take to better protect themselves. These include:
Be proactive. Break your systems regularly, identify weak spots and fix them;
Train your people. Cyber is a people risk. Ensure you have highly skilled and technically capable people on your team;
Test your systems comprehensively, both technological and other business continuity/response processes; and
Ensure systems are properly backed up, including those not connected to the network, and have a high level of logging turned on.