Data legislation ‘will transform business landscape’
Mandatory reporting of data breaches will transform the Australian business landscape and push cyber insurance to the fore, QBE has warned.
Legislation passed in the Senate earlier this year requires organisations covered by the Privacy Act to notify the privacy regulator (the OAIC) and affected individuals of eligible data breaches, that is, breaches likely to result in serious harm to the people whose data is involved.
In a new paper on cyber insurance, QBE says businesses should ensure stringent data management and cyber security is in place, or risk severe consequences.
The cost of responding to a breach, notification included, can be crippling: US research puts the average cost per lost or stolen record at $US221 ($297.89).
QBE Cyber and Technology Specialist Ben Richardson says the new legislation emphasises the need for cyber-security practices to be escalated and reviewed.
“It means, certainly as far as ASX-listed companies go, that if the data breach is serious enough to affect the share price or a specific class of individuals, such as employees, then legal and regulatory action against directors and officers will move into scope,” he said.
“This clearly illustrates the need for cyber security to shift from the IT desk to the boardroom.
“In future, company boards will need to ensure they are well across their organisation’s security practices and encourage a strong security culture to avoid being placed in the firing line.”
Mr Richardson says that while the turnover threshold for mandatory reporting is $3 million, SMEs should still be vigilant.
“We’re starting to see criminals move away from attacking larger organisations that present more complex defence mechanisms and instead target SMEs that are often unable to invest in high levels of IT security or risk management and are more susceptible to automated, lower-cost threats, such as phishing and ransomware,” he said.
Mandatory notification is expected to produce a maturing cyber-insurance market, as has been the case in the US.
“Cyber insurance is designed to complement strong internal security practices to ensure that a business will stay afloat to cover the costs of a cyber event,” Mr Richardson said.
“When assessing risk, underwriters will require information on the security practices currently in place and will look favourably on those taking an active approach to security across all levels of the business.”