The legal obligations following notifiable data breaches are getting more onerous as regulations tighten.
Emergence Insurance Cyber Breach Coach Peter Furst told more than 2,300 brokers at an Emergence webinar that the Office of the Australian Information Commissioner (OAIC), the government body to which eligible data breaches must be notified, is taking a broad interpretation of what breaches are “likely to result in serious harm” and therefore notifiable.
Blake Baxter, Emergence’s Head of Claims & Incident Response, detailed a claim in which a not-for-profit (NFP) body had been deemed a “health services provider”, so OAIC had to be notified of a breach, regardless of the organisation’s NFP status or revenue generated. Fixing the problem, after 22GB of data was exfiltrated from an email mailbox, cost more than $150,000.
In another Emergence claim, threat actor REvil inserted ransomware into an organisation’s network. Good backups avoided any engagement with REvil, but containment and IT forensics still amounted to a $125,000 claim.
The threat landscape is increasingly sophisticated, with lone wolves being replaced by major enterprises that even sell ‘ransomware as a service’, making it simple for cyber crooks.
Increased legal obligations may include removal of the small business exemption from the Privacy Act, meaning all entities will have to report breaches to the OAIC, and the introduction of a tort of privacy, which could see organisations paying compensation to those affected by breaches.
Peter says the Federal Government is committed to strengthening Australia’s cyber security regulations and incentives, and a review is in progress that will likely increase the emphasis on making organisations resolve data breaches quickly and efficiently.
From 1 October, for AFSL holders, more types of breaches will be deemed “significant”, making notification essential.
Peter’s top mitigation tips are:
- Multi-factor authentication
- Regular back-ups that are tested frequently
- Updating software and patches
- Implementing a data retention policy that avoids storing data too long and in insecure locations
- Adopting a principle of least privilege, so fewer people have high-level network access.
Gerry Power, Emergence’s National Head of Sales, said too many organisations have “blind faith” in their IT and managed service providers but “the reality is you get what you pay for”. “Clients often don’t think about their agreements with external providers, which usually limit liability through ‘all care and no responsibility’ clauses.”
That’s why cyber insurance is an important defence.
The webinar included the launch of Emergence’s Personal Cyber Express technology which gives brokers co-branded portals to enable their clients to easily buy personal cyber protection policies to protect individuals and families.
Emergence Senior Underwriter Tim Barrett said the launch of Personal Cyber Express followed broker feedback that they wanted the ability to distribute Emergence’s personal cyber protection product via their own websites and give clients the ability to buy it themselves online.
Brokers can request access to Personal Cyber Express here. (One request per brokerage, please.) Emergence can provide a range of email signature blocks for brokers and other marketing and distribution ideas and assistance.
Emergence is the only underwriting agency with an in-house claims management and incident response team. Emergence’s cyber breach coaches – the first responders when an incident occurs – are a no-cost service that does not erode an insured’s policy limit or activate the policy excess.
Emergence is an award-winning underwriting agency, exclusively focused on providing flexible, innovative cyber insurance solutions to help protect all Australians, including businesses ranging from SMEs to ASX-listed companies, and individuals and families.
Emergence was judged the 2019 Insurance Business magazine Underwriting Agency of the Year and is a finalist in that category for 2021. Emergence was a finalist in the same category at the 2019 ANZIIF-Asia Insurance Review awards. (There were no ANZIIF-AIR awards in 2020.)
Last year Emergence was awarded Insurance Business’s Brokers Pick for the fifth time in six years and won its third consecutive gold medal in the Cyber & IT category of the magazine’s brokers on underwriting agencies awards.