Cyber insurer warns regulators will act on inadequate security
Businesses have been advised to ensure they have appropriate cyber protection measures as regulators look to adopt a more aggressive approach to enforcement.
Cyber underwriter Emergence Insurance COO Colin Pausey warns that regulators are “likely to prosecute” organisations that do not have adequate safeguards against cyber-attacks.
Mr Pausey says the recent example of the Australian Securities and Investments Commission (ASIC) taking action against RI Advice Group following nine separate data breaches between 2014 and 2020 should act as a forewarning for businesses.
“Regulators have taken courage from a Federal Court case brought by the Australian Securities and Investments Commission,” Mr Pausey said at a broker webinar.
“There will be more prosecutions, particularly by the Office of the Australian Information Commissioner (OAIC), regardless of whether an organisation is a victim of crime, like a ransomware attack.”
The May 5 Federal Court judgement found that RI had breached the Corporations Act by failing to have an “adequate risk management system” in place to manage the risk of such attacks.
RI was required to engage with cybersecurity experts and report to ASIC on measures taken. The financial group was not fined but did agree to pay $750,000 towards ASIC’s prosecution costs.
Mr Pausey says a critical issue in the RI case was how slowly the firm introduced appropriate protections against cyber-attacks.
He says businesses shouldn’t be expected to reduce cyber risk to zero, but that courts will require “an acceptable level” of protection to have been implemented.
Mr Pausey pointed to the UK equivalent of the OAIC, the Information Commissioner’s Office, which imposed a £98,000 ($170,452) fine on a law firm that had been a ransomware victim, because the firm had not deployed multi-factor authentication (MFA) and had failed to encrypt personal information. He cited the case as a likely indication of how regulator behaviour is changing.
“These solutions may have avoided the firm being attacked or diluted the ransomware impact’s severity. Regulators, including OAIC, can and will bring this type of action in Australia,” Mr Pausey said.
Emergence Corporate Head Trent Nihill says the underwriter has introduced minimum cybersecurity requirements for clients with revenues over $250 million following an increase in ransomware attacks on larger corporations.
Under its new Cyber Enterprise cover policy, corporate insureds are required to have MFA, secured backup servers, and regularly tested incident response plans. No changes have been made for SME clients.
“The risk can be covered, providing insureds implement controls,” Mr Nihill said.