As the financial year comes to an end, businesses, especially those in trust sector industries such as health services, financial services, education and legal services, must evaluate their current cyber security strategies.
The trust sector holds large volumes of sensitive personal data, so organisations operating within it require a greater degree of cyber security sophistication to protect that information from threat actors attempting to access it. With the frequency of attacks rising, robust cyber security and strict compliance measures are essential for maintaining trust and operational integrity.
In this article we look at the implications of a breach, the changing regulatory landscape and why adopting and aligning to a recognised cyber security framework can help.
Current Environment
Cyber security is a critical concern in the trust sector because of the sensitive nature of the information managed. Data breaches, ransomware and phishing attacks are frequent, and Australian SMEs are viewed as easy targets. Health services, financial services and education organisations are among the most highly targeted sectors. Globally, approximately 560,000 new pieces of malware are detected daily, making it a question of when, not if, an attack will occur. The Australian regulatory environment is evolving, with a greater emphasis on cyber security measures.
Implications of a Breach
Costs from a breach can add up quickly:
- Operational Disruption and Downtime: How long can you afford not to be able to access customer information, answer queries, or pay staff and suppliers? It can take weeks to restore systems following a data breach or ransomware attack.
- Financial Strain: the costs of a breach can include paying a ransom and a negotiator's fee, the cost of investigating the source of the breach and ensuring any malware or ransomware is removed from all systems, legal counsel costs, PR costs and regulatory fines.
- Reputational Damage: How likely are your existing customers to stay with you if their personal information was stolen? Would it become increasingly difficult to acquire new customers or win new tenders?
The Changing Regulatory Environment
Increased Privacy Act Penalties
Under the Privacy Act, an entity must take reasonable steps to protect the personal information that it holds. Personal information includes not only that of customers but also staff, including addresses, contact details and bank details. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases the maximum penalties for serious or repeated privacy breaches from a $2.22 million penalty to whichever is the greater of:
- $50 million
- three times the value of any benefit obtained through the misuse of information
- 30% of a company’s adjusted turnover in the relevant period.
Cyber Risk Management Now a Directors' Duty
ASIC declared cyber security a top priority in 2022, advising they will be cracking down on companies, Chief Executive Officers (CEOs) and directors regarding cyber security compliance and preparedness.
ASIC considers it a director's duty to ensure 'good cyber risk management' is in place. Directors who do not risk failing their duty to act with care and diligence and expose themselves to potential enforcement action by ASIC. CEOs and directors therefore need to be proactive in ensuring that their company has appropriate measures in place to protect it from cyber threats.
Critical Infrastructure (SOCI) Act Obligations
The SOCI Act aims to ensure critical infrastructure assets and services across eleven sectors are protected and resilient to disruptions that would severely impact Australia’s society, economy, and security.
Non-compliance with the SOCI Act can result in legal proceedings, significant penalties and reputational damage. Trust sectors covered include financial services, healthcare, and higher education and research. Other sectors covered by the Act are communications, data storage and processing, defence, energy, food and grocery, space technology, transport, and water and sewerage.
Minimum Cyber Security Standards for Victorian Legal Services
Victorian legal firms also have cyber security obligations to the VIC legal board, which has published its minimum cyber security expectations. These expectations also set out conduct capable of constituting misconduct.
Premier Tech can help
To mitigate the growing risk of a cyber attack and to meet regulatory, industry and insurance obligations, we recommend adopting and aligning to a recognised cyber security framework.
What’s a cyber security framework?
Cyber security frameworks are multi-faceted and cover a number of different standards that work collectively to safeguard your IT systems, networks, and critical infrastructure.
Choosing and aligning to a cyber security framework ensures a holistic and consistent organisation-wide approach to cyber security. A recognised framework like the Australian Signals Directorate (ASD) Essential Eight provides a structured and tested method to secure digital assets and mitigate cyber risks.
Are there any other benefits?
Beyond helping to minimise the chances and damage of a breach, adopting a framework can help meet company directors’ legal obligations and regulatory and insurance requirements.
Maintaining alignment to a recognised framework can build trust with clients, partners and stakeholders, and can support a successful insurance claim.
Simply put, adopting and maintaining alignment to a recognised cyber security framework can help you proactively manage cyber risks, safeguard confidential information, and invest in necessary security measures, ultimately contributing to the resilience and longevity of your business.
Where to from here?
If you’d like to understand this further, Premier Tech can arrange a time to assess any existing cyber security vulnerabilities with a risk assessment. From there we can work with you to develop a roadmap to adopt and maintain compliance with a recognised framework.
Contact us today to arrange your cyber security risk assessment.