A cyber insurance underwriting firm is warning that a recent, Australia-first court case is the start of additional prosecutions against businesses, including insurers, that do not put adequate security measures in place to prevent cyberattacks.

“Regardless of whether an organisation is a victim of criminal activity like ransomware assault, there will be additional prosecutions, particularly by the Office of the Australian Information Commissioner (OAIC),” Emergence Insurance’s Chief Operating Officer Colin Pausey said.

In May, the Federal Court ruled that RI Advice, a financial advice provider, had breached its AFS license obligations by failing to establish sufficient risk management systems to address its cybersecurity threats.

In one instance, the financial advice business was accused of allowing a “malicious agent” to illegally access a file server for almost six months before being discovered. The theft resulted in the possible exposure of sensitive and personal information belonging to several thousand clients and other people.

The Court ordered RI Advice to pay $750,000 towards ASIC’s costs and take steps to improve its cyber security.

According to the ASIC media release, “Her Honour Justice Rofe made it abundantly clear that cybersecurity should always be at the forefront of every licensee’s mind” and that “the declarations ordered in this case are meant to serve as a record of the Court’s disapproval of such conduct and dissuade other Australian Financial Services licensees from engaging in similar behaviour.”

Sydney-based Pausey said this prosecution does not come as a shock.

He stated, “ASIC is responsible for ensuring compliance with the Corporations Act and other related legislation.” Furthermore, it was evident to him that when the OAIC was established, it would first go through a phase of educating people before moving on to enforcing compliance.

“There is no question that the OAIC will launch more prosecutions,” Pausey said.

“We are seeing an uptick in the number of clients who are now specifically requesting cover for regulatory investigations and actions,” Pausey said.

“Firms realise that they need to do more to protect themselves, not just from cybercrime but also from the possibility of being on the receiving end of an investigation.”

He added that this ruling is a timely reminder for organisations to revisit their risk management processes and ensure they have adequate cyber insurance.

“This case highlights the importance of comprehensive cyber insurance, not just for the costs of responding to an attack but also for the potential cost of defending any resulting regulatory action,” Pausey said.

“Given that the cyber risk landscape evolves rapidly, it’s critical to stay up-to-date on the latest challenges,” he said. “Nowadays, threat actors are more sophisticated in their methods.”

He said a confident security posture would be aided by a cyber risk-compliant culture driven from the top down at the board and senior executive level.

“People are still businesses’ number one weakness,” said Trent Nihill, head of corporate for Emergence. “We’ve seen instances where multi-factor authentication has been easily defeated by employees verifying access attempts when it wasn’t them or providing the verification code to threat actors directly.”

Purchasing cyber insurance coverage is no longer enough to protect a business in case of a data breach or cyberattack. To be fully protected, companies need robust security measures and processes to deter, detect and respond to threats. Furthermore, businesses must create a culture of cybersecurity compliance that starts at the top and permeates the entire organisation. Only then can companies hope to minimise their cyber risks and avoid the costly consequences of a data breach or attack.
