The increased risks posed by cybersecurity breaches have meant that many organisations are looking to insurance to address some of their exposure. But cybersecurity insurance is still new, and there are things which companies wishing to purchase it should look out for. Here are five tips if you are considering obtaining or renewing a cybersecurity insurance policy.
By Jim Bulling
It seems clear, following the release in March this year of ASIC Report 429 Cyber Resilience, that all Australian Financial Services Licensees and superannuation funds are now required to include in their risk management framework measures aimed at addressing the risks posed by cybersecurity breaches.
In addressing those risks, ASIC identifies the U.S. National Institute of Standards and Technology (NIST) framework as a relevant risk management tool. The NIST framework sets out the key objectives of an appropriate risk framework:
- identify the critical assets and governance processes
- protect critical assets
- detect breaches and incidents
- respond to breaches and incidents
- recover and reinstate systems.
You can download a copy of the framework here.
These objectives will need to be merged into the existing financial services policy frameworks which financial services entities already have in place.
By Jim Bulling
Insurers in the U.S. and Europe are forecasting that the market for cyber insurance will grow exponentially in the next five years as more companies look to beef up protection against malicious cyber attacks.
While insurers see a significant new market emerging, there are signs that they are wary of the risks, and this is affecting premiums and the limitations being placed on cover. A number of insurers offer cyber cover in the Australian market. Companies looking for additional protection would be well served by closely examining the terms of the proposed cover to ensure it extends to the more significant cyber risks, and does so in a way that complements rather than overlaps the insurance program the organisation already has in place (e.g. Public Indemnity, Directors and Officers Liability, Crime and Property).
It is also worth noting that insurance should only be seen as one component of an organisation’s risk management processes around cybersecurity. A leading insurance broker has suggested that investment in technology is the most important factor in reducing the risk profile, while the contribution from insurance is much more modest and, to be effective, needs to be accompanied by investment in technology.
From 13 October 2015, telecommunications service providers that use communications infrastructure in Australia to provide any of their services may be required to retain and secure certain data for two years. The new obligations under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) apply to licensed carriers, carriage service providers and internet service providers. However, some services are specifically excluded including, for example, broadcasting services. The data retention obligations will apply regardless of the size of the company and/or its customer base.
Broadly, the types of data that must be retained include:
- the source and destination of a communication
- the date, time and duration of a communication
- communication type
- location of communications equipment.
By Jim Bulling
Research in Australia and overseas suggests that most cyber breaches can either be prevented, or the impact of an attack significantly limited, by a range of low-cost, easy-to-implement measures. These include the following:
- Username and password standards should be strong.
- Administrative and privileged access should be controlled.
- Undesirable applications should be removed.
- Automated patching tools and processes should be used.
- Data should be backed up regularly.
- Access to mobile devices should require authentication and data should be encrypted.
- Antivirus software and filters should be used.
Research released by the Australian Defence Signals Directorate (DSD) indicates that at least 85% of the cyber intrusions that the DSD has responded to would have been mitigated had organisations implemented the above strategies.
The European Court of Justice has declared invalid a decision by the European Commission on the legitimacy of the EU/US safe harbour scheme (the safe harbour decision). In the wake of the Snowden revelations, Austrian citizen Maximilian Schrems lodged a complaint against Facebook with the Data Protection Commissioner in Ireland (the location of Facebook’s European headquarters). The Irish supervisory authority rejected Mr Schrems’ complaint on the basis of the safe harbour decision. In invalidating that decision, the European Court of Justice declared that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” The Court further held that the safe harbour scheme, by not providing for an individual to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data, compromised “the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”
The consequence of this decision is that the EU/US safe harbour scheme is contrary to the Data Protection Directive, which provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.
The European Court of Justice’s press release can be found here.
To read the full judgment of the European Court of Justice click here.
K&L Gates partner Cameron Abbott will feature as part of a panel of professionals active in the cyber industry at an American Chamber of Commerce (AMCHAM) luncheon on Wednesday 28 October 2015.
The panel will discuss developments in the world of cyber security, the intent of the mandatory data-breach scheme and the far-reaching impact that cyber security breaches can have on a business’s reputation and value.
The session will be moderated by Dr Tobias Feakin, Senior Analyst and Director, International Cyber Policy Centre.
For full details of the event and to register, click here.
According to recent research conducted on behalf of cybersecurity firm Clearswift, finance and HR departments represent the biggest cybersecurity threat to organisations. The study polled more than 4500 information technology decision makers, security professionals and employees in the US, UK, Germany and Australia and found that 46% of respondents believed that finance departments posed a security threat to their organisation. In addition, 42% of respondents believed the same of an organisation’s HR departments.
On 19 August 2015 the group known as ‘The Impact Team’, which a month earlier had hacked into the online affair website Ashley Madison, made good on its threat and released a “data dump” of Ashley Madison users’ personal information. A second and larger release of stolen data occurred two days later and appears to have included emails sent by Noel Biderman, Ashley Madison’s founder and CEO of parent company Avid Life Media.
Following the release of the stolen data, acting Australian Information Commissioner, Timothy Pilgrim, announced the launch of an investigation into the breach which is to be conducted in liaison with the Office of the Privacy Commissioner of Canada (where Avid Life Media is based). On 28 August 2015 Noel Biderman stepped down from his role as CEO of Avid Life Media.
Read the ABC News article in relation to the first data release here.
The ABC News article relating to the second data release can be found here.
The Office of the Australian Information Commissioner’s press release relating to its investigation can be found here.
By Cameron Abbott and Melanie Long
On 29 July 2015, the Australian Cyber Security Centre (ACSC) released its first unclassified ‘Threat Report’ (Report). The Report highlights the increasing number, type and sophistication of cyber security threats in Australia, and is a timely reminder to organisations to reassess the level of their cyber security.
The key takeaway messages from the Report include:
- even organisations that may not think that they hold valuable information, or that they would be of interest to cyber adversaries, could be a target for malicious cyber activities
- ensuring a resilient, cyber-secure Australia requires coordination between government and the private sector, with organisations and their users taking greater responsibility for the security of their networks and information.