Cyber-security regulators have increased scrutiny and enforcement when it comes to cyber risk, according to a new report from a national law firm.
MinterEllison’s Perspectives on Cyber Risk 2021 report states that, on cyber risk, regulators have begun elevating enforcement action to board and executive levels and have sharpened their focus on reducing the risk of attacks.
The report, in its sixth year, noted that there are cyber-risk regulatory changes relating to privacy, data protection and governance, with ASIC and the ASX increasing their focus and action. Significant changes to Australia’s privacy landscape are also coming into focus.
Last year, ASIC took its first cyber-related enforcement action against RI Advice Group, an Australian financial services licensee, for failing to implement adequate policies and systems and to manage cyber risk effectively.
According to the report, almost 40 per cent of survey respondents faced increased cyber-security risks because of the shift to remote working. Others found that COVID-19 exposed hidden cyber issues. Despite this, the number of companies using an external cyber framework remains low, with less than 50 per cent of organisations taking steps to assess their cyber-security measures using a proper framework.
MinterEllison partner Paul Kallenbach said that the awareness of cyber risk had increased substantially within both the director community and the non-tech executive community.
“Six years ago, we were imploring those at the top of organisations to take notice of this issue – it is now expected that cyber risk has a high profile at board level,” he said.
MinterEllison found that more organisations are testing their data breach response plans, but this is still not enough, and more needs to be done to protect against cyber attacks. The report revealed that 55 per cent of survey respondents indicated that their data breach response plans were being tested at least annually, compared with 34 per cent last year. Those firms that are not regularly testing their plans operate at a higher risk.
However, individuals remain the prime targets of cyber attacks. Despite the high-tech nature of some attacks, 70 per cent of incidents arose from phishing attacks using fraudulent emails, and the report emphasised that cyber-security planning needs to focus critically on this area, and on individuals generally.
The existence and regular testing of data breach response plans are more prevalent in larger organisations, particularly those that have previously dealt with cyber attacks, such as the financial services sector.
“Unfortunately, the most effective lever to persuade an organisation to test its data breach response plan is for it to suffer a serious cyber risk incident. Such an incident will take a company from having a plan to testing that plan,” Mr Kallenbach said.