Only 40% prepared for incoming data breach laws.
Just 54% have a cyber risk response plan in place (vs 42% 2016).
Yet 62% invested in cyber insurance (vs 39% 2016).
That 60% of businesses still need to take further action is one of the key findings of this year's 'Perspectives on Cyber Risk 2018' annual survey of C-level executives, CIOs, and risk and legal managers about their strategies and preparedness for managing cyber risk and increasing their cyber resilience.
"Our findings show that while most Australian organisations are well aware of cyber risk and the need to address it, much remains to be done to increase their resilience to meet requirements of the NDB Scheme," said MinterEllison Partner Paul Kallenbach, Head of Cyber Security. "There is a distinct risk for those not prepared, given that cyber incidents are occurring – and will continue to occur – with ever greater frequency, severity and impact."
The new NDB regime, set to commence on 22 February, means that data breach notification for 'eligible data breaches' will be mandatory for almost all Australian organisations that are subject to the Privacy Act 1988. The scheme poses regulatory, monetary, and reputational risks for those who are not sufficiently prepared.
Mr Kallenbach said that the NDB scheme is intended to give Australians more control over their personal information (whether online or offline).
“We welcome the NDB scheme and it is not before time,” he said. “Not only does it reflect emerging international practice, but it will provide affected individuals with the opportunity to take steps to protect their personal information following a data breach. Our Firm recommends organisations focus on understanding and documenting their data and information flows; prepare, test and update their incident response plans; and provide regular training to staff at all levels. It’s vital they do this, as cyber attacks are here to stay and pose a serious risk issue for government and business.”
On that theme, ‘Perspectives on Cyber Risk 2018’ also shows that just 54% of respondents had a cyber incident response plan in place (up from 42% in 2016). This is despite more than a third indicating that they were subject to at least one cyber incident in the last 12 months that compromised their systems or data.
“This year’s report shows there was a decrease in the percentage of organisations that say they audit their suppliers’ IT security practices at least annually (from 34% in 2016 to 21% in 2017) and, in an environment of increasing adoption of cloud services, that’s also a key area where risk management for cyber should be focused,” said Mr Kallenbach.
Veronica Scott, leader of MinterEllison's National Privacy Group, said the Cyber Risk report echoes the advice of Timothy Pilgrim, Australian Information Commissioner and Australian Privacy Commissioner, who has expressed the view to the Firm that, "If an entity knows what information it holds, who handles it, who is responsible for it, where it is held, and how it is protected, then the entity can ensure its data breach response plan is as effective as possible."
"An important finding from this year's report is that the uptake of cyber insurance continues to rise (from 39% in 2016 to 62% in 2017)," notes Leah Mooney, Special Counsel in MinterEllison's Insurance & Corporate Risk team. "However, whilst cyber insurance is a useful risk management measure for many organisations, it is important to recognise it is not a panacea and must form part of a wider toolkit of cyber risk management measures."