Report | Perspectives on Cyber Risk 2016

1 February 2016

Information and communications technology is increasingly the backbone of global economic growth. Billions of people across the globe rely heavily on ICT for work, communication, entertainment and almost every other facet of their everyday lives. So it is unsurprising, then, that cyber security is now of critical domestic and international concern.

MinterEllison surveyed C-suite and senior executives in IT, Legal and Risk to gain insight into Australian organisations' risk posture in relation to cyber attacks, their cyber resilience capability, and their intentions in adopting services that increase their cyber risk exposure. The results are presented in this special report.

Executive Summary

Our survey results reflect that cyber attacks are occurring on a regular basis, across all organisation types and in almost every industry; that cyber security is front of mind for many Australian organisations; and that for many (though not all) organisations, cyber resilience is considered a whole-of-enterprise challenge.

Our survey also found that many organisations perceive they have a satisfactory understanding of, and capability to prevent and deal with, cyber attacks. Unfortunately, this is not always reflected in the practical measures that organisations are adopting to mitigate cyber risk and increase their cyber resilience. In particular, many organisations are not adopting adequate data segmentation practices; consider cyber security to be an issue for the IT department or best left to their outsourced service providers; do not have a data breach response plan in place; do not regularly provide cyber security training to their employees and contractors; have not adequately considered or addressed supply chain risk; and have not adequately turned their mind to their insurance arrangements.

This is despite the wide range of liabilities that organisations may be exposed to as a consequence of a cyber attack, including severe reputational damage to the organisation, large civil penalties, personal liability for directors, and proposed laws for mandatory notification of serious data breaches that are back on the Federal Government's legislative agenda.

Key areas of focus for organisations over the next 12 months should include at least the following:

  • organisations that are subject to specific regulatory regimes should ensure they are fully compliant in relation to the protection of data held by them or their third party service providers
  • organisations should assess their current cyber resilience against published frameworks and the Australian Government Information Security Manual
  • individuals tasked with developing and monitoring the health of an organisation's cyber security policies and systems should ensure they are clearly aware of what is expected of them and are fully informed of potential vulnerabilities or attacks
  • every organisation should ensure that it has a data breach response plan which clearly sets out a framework for identifying, notifying and managing serious data security breaches, as well as business continuity and disaster recovery plans, all of which should be tested regularly to ensure their effectiveness
  • organisations should train all staff in cyber security measures, and give individuals an opportunity to report areas of potential cyber vulnerability
  • organisations should take prompt steps to assess and mitigate supply chain risk, including:

    • identifying and evaluating cyber risk throughout their supply chain to ensure suppliers, or the systems through which they engage the organisation, do not present unacceptable cyber risks
    • conducting thorough due diligence on new suppliers and key customers (including their cyber security training and screening processes and their general competence to manage and mitigate cyber risk); and
    • incorporating appropriate provisions in contracts (including provisions relating to data ownership and access, privacy and data protection, compliance with specified security standards and disengagement)
  • organisations should consider sharing information on cyber security with peers outside their organisation to discuss strategies and enhance preparedness for potential future attacks, and
  • organisations should review their insurance arrangements and determine the suitability of cyber insurance in relation to their risk profile.

Download the full report, Perspectives on Cyber Risk (PDF 1mb)


Meet our Cyber Security team

Paul Kallenbach
Partner
T +61 3 8608 2622
M +61 412 277 134 
Anthony Lloyd
Partner
T +61 2 9921 8648
M +61 411 275 811
Anthony Borgese
Partner
T +61 2 9921 4250
M +61 400 552 665
John Fairbairn
Partner
T +61 2 9921 4590
M +61 410 475 965 
Cameron Oxley
Partner
T +61 3 8608 2605
M +61 417 103 287
Veronica Scott
Special Counsel
T +61 3 8608 2126
M +61 411 206 248 
Leah Mooney
Special Counsel
T +61 7 3119 6230
M +61 421 587 950