Publication – Dec 4, 2020

news & insights

NEED TO KNOW.

We recommend that consideration is given to urgently reviewing your current insurance arrangements as it is essential that cover is updated in conjunction with changes in risk profile.

Dec 4 2020

Cybersecurity in the post Covid workplace – stress testing your defences

Who should read this?

  • Business Owners, CEO’s, CFO’s, CIO’s, CISO’s, Executive Managers, Insurance and Risk Managers.

Things you need to know

  • Cybersecurity must be addressed in the same way as any other business risk to protect critical processes and functions and to ensure business continuity.
  • A robust cybersecurity framework should be supported by a carefully selected policy of cyberinsurance.
  • Stress testing your cybersecurity framework is essential to ensure that your response plans will work in a crisis.

What you need to do

  • Act now to review your cybersecurity framework and cyberinsurance policy.

The emergence of the Covid pandemic in early 2020 has had a profound effect on the way we work and that effect looks set to continue with more businesses allowing staff greater flexibility to work outside of the traditional workplace.

This has given rise to a range of Cybersecurity issues that all modern businesses going down that path must address in order to remain successful and build customer trust in the digital age.

Now, more than ever, businesses will need to focus on cybersecurity and cyber risk transfer, and do it well.

This series of articles and the webinar that will follow does not urge overreaction to these issues, nor does it predict doom and destruction for those businesses who are yet to fully address the changes that Covid has wrought. Instead, we will carefully examine a number of ways you can minimise this risk, including what should be incorporated into a cybersecurity framework, how the elements of that framework help to mitigate and respond to data breach incidents and how to select a complementary policy of cyberinsurance.

Essential elements to minimise cybersecurity risk
Cybersecurity must be addressed in the same way as any other business risk. In order to protect critical processes and functions and to ensure business continuity, organisations need to have a robust business response to cybersecurity, including:

  • A response team of internal and external resources who possess skills in a range of disciplines including IT, cybersecurity, legal and PR/communications;
  • A tailored cybersecurity framework designed for the organisation which protects critical business processes and assets from cyber attack;
  • An effective and carefully selected policy of cyberinsurance which acts as a risk transfer device that funds the cost of implementing key elements of the cybersecurity framework when necessary; and
  • A system of regular testing and evaluation of cybersecurity procedures and plans because the capacity to effectively execute the plan in a crisis is critical to maintaining business continuity.

Designing an effective Cybersecurity Framework
As mentioned above, a tailored cybersecurity framework is necessary to protect critical business processes and assets from cyber attack. Failing to have an effective cybersecurity framework could lead to delays and increased costs in responding to a data breach as well as a greater risk of claims or regulatory action.

Some of the key elements of an effective cyber and privacy risk management framework are:

  • Data mapping: It is essential that you understand where your data assets are in your organisation, where your data flows and who has access to your data (both internal and external to your organisation). Undertaking an audit and mapping of your data is essential to understanding your own cyber risk perimeter.
  • Data breach response plan: This one is particularly important – you need to plan ahead and have a robust and carefully considered plan to respond to data breaches as soon as they happen and test the plan regularly. At a minimum, the plan ought to cover:
    • what constitutes a data breach in the context of your organisation;
    • your crisis management team and when and how they are to be mobilised;
    • your response protocols, processes and escalation paths to enable rapid containment and remediation of the data breach;
    • who ought to be notified of the data breach, and when and how notifications are to be made;
    • your communications and PR strategy, including engagement with stakeholders; and
    • any changes to future business operations that may be required.
  • Policies, practices and procedures: Your organisation should also have robust policies, practices and procedures in place designed to protect your data (including data about your customers). These should include having:
    • a governance body, including privacy officer;
    • regular reporting to the Board on cyber risk issues;
    • an external privacy policy which meets the Australian Privacy Principles (APPs), is easy to find and clearly and simply describes what your organisation does with customer information, why it uses that information and the options open to your customers regarding how their information is used;
    • privacy collection notices and consents in application forms and other organisational materials;
    • processes for the handling of information access and correction requests by individuals;
    • processes for receiving and responding to complaints and enquiries;
    • making use of de-identified data sets where appropriate;
    • records management processes, including with respect to data retention and destruction practices;
    • programs for undertaking threat assessments where there are heightened data sensitivity risks, and privacy impact assessments (PIAs) for new projects or changes in business information handling practices; and
    • disaster recovery/business continuity plans which dovetail seamlessly with your data breach response plan.
  • Staff training: Policies, practices and procedures are only useful if they are widely known within your organisation and they are followed. It is important that there is regular and bespoke training to staff on your cyber and privacy risk management framework, the application of the APPs to your organisation’s handling of personal information, and the internal compliance practices, procedures, policies and systems that are in place. This training is critical now given remote working is the new norm in many workplaces. In particular, secure devices need to be deployed to employees accessing systems remotely (employee-owned devices generally lack adequate protection) and employee devices connected to the system should be tracked and able to be disconnected from the system when necessary.
  • Supplier agreements: It is also essential that your supplier arrangements include security measures with respect to any data your supplier is handling on your behalf, and that your agreements with those suppliers have up to date data breach containment, remediation and notification clauses.

How we can help you

Allegiant IRS can provide comprehensive cyberinsurance policy checks and analysis to ensure your cover is adequate and to assist you to navigate through the specialised cyberinsurance market. Our legal partners, McCullough Robertson, regularly assists clients to design and implement all aspects of a robust cybersecurity framework including assisting to train your teams on how to successfully implement its response plan in a crisis.

For further information on any of the issues raised in this alert please contact one of our team below.

KEY CONTACTS

Matthew McMillan

T +61 2 8241 5644     E mmcmillan@mccullough.com.au

Stephen White

T+61 7 3233 8785     E stephenwhite@mccullough.com.au

Brad Russell

T+61 7 3102 5666     E brussell@mcullough.com.au

Jake Grant

T+61 7 3233 8663    E jgrant@mccullough.com.au

Kym Steer

T+61 7 3914 8305     E kym.steer@allegiantirs.com.au