Australian regulators are likely to prosecute organisations that fail to implement adequate security measures to prevent cyber attacks.
That’s the warning from Colin Pausey, Emergence’s Chief Operating Officer.
Regulators have moved beyond a softer approach of educating organisations about their responsibilities and are likely to take action against those that fail to implement adequate cyber protection.
Colin says regulators have taken courage from a Federal Court case brought by the Australian Securities & Investments Commission (ASIC).
He predicts more prosecutions, particularly by the Office of the Australian Information Commissioner (OAIC), even where the organisation is itself the victim of a crime such as a ransomware attack.
ASIC launched Federal Court proceedings against RI Advice Group after nine separate data breaches occurred between 2014 and 2020. The parties reached a settlement and the court’s 5 May 2022 judgement found RI had breached the Corporations Act by failing to have an “adequate risk management system”.
$750,000 contribution
The court said RI did not have “documentation and controls for cybersecurity and cyber resilience in place that were adequate to manage the risk [of] cybersecurity and cyber resilience across its authorised representative network”.
RI was ordered to engage an expert cyber security firm and report back to ASIC on measures taken within 30 days of receiving the firm’s report. It was significant that RI was not fined but had agreed to pay $750,000 towards ASIC’s prosecution costs.
Although RI had put some cyber risk controls in place before the 2020 incident, the court found that it had taken too long to do so. Colin said: “The court declared RI had failed to do everything necessary to ensure the financial services covered by its Australian financial services licence were provided efficiently and fairly and failed to have adequate risk management systems.”
The court found cyber risk could not be reduced to zero, but risk management could reduce it to “an acceptable level”. The adequacy of that level was to be determined by people with technical expertise.
In the UK, the Information Commissioner’s Office (the UK equivalent of the OAIC) imposed a £98,000 penalty on a law firm that was a ransomware victim, because it had not implemented multi-factor authentication (MFA), had not patched known vulnerabilities, and had failed to encrypt personal information.
Those controls might have prevented the attack, or reduced the severity of the ransomware’s impact. Colin warns that regulators, including the OAIC, can and will bring this type of action in Australia.
Cyber risk controls
Emergence has set minimum cyber risk controls that insureds must have in place to obtain cover under its new Cyber Enterprise product for large corporates with revenues of more than $250 million. They are:
- MFA for remote access
- Strong patch management and privileged access management
- Backups stored securely and tested regularly
- Regular penetration tests
- Network segmentation, so that a threat actor who compromises one part of the network cannot move freely across the rest of it
- Incident response plans that are regularly tested, including ransomware exercises.
Emergence’s underwriting guidelines for SMEs remain unchanged.
Trent Nihill, Emergence Head of Corporate, says an increase in ransomware attacks on large corporates, together with moves by some insurers to exclude ransomware from their coverage, impose sub-limits and require self-insured co-insurance layers, prompted Emergence to develop its Cyber Enterprise product.
Trent says the risk can be covered, providing insureds implement controls. “Our target market is not necessarily those with less risk, but those that understand the risk and invest in mitigation.”
Emergence, Australia’s only cyber specialist underwriter, is an award-winning underwriting agency, exclusively focused on providing flexible, innovative cyber insurance solutions to help protect individuals, families and businesses ranging from SMEs to ASX-listed companies.
Emergence was judged the 2019 Insurance Business magazine Underwriting Agency of the Year and was a finalist in that category in 2021.
In 2021, Emergence was awarded Insurance Business’s Brokers Pick for the sixth time in seven years and won its fourth consecutive gold medal in the Cyber & IT category of the magazine’s brokers on underwriting agencies awards.
To access the broker portal to obtain Emergence cyber quotations for your clients, email info@emergenceinsurance.com.au.