Regulators will prosecute more firms for cyber security failures
In May, the Federal Court found that RI Advice breached its AFS license obligations by failing to have adequate risk management systems to manage its cybersecurity risks.
Read next: Marsh debunks cyber insurance misconceptions
In one incident involving the financial advice firm the Court said a “malicious agent” obtained unauthorised access to a file server for nearly six months before being detected. The breach resulted in the possible compromise of the sensitive and personal information of several thousand clients and other persons.
RI Advice was ordered to pay $750,000 towards ASIC’s costs and take adequate cyber security measures.
The ASIC media release about the judgement said “Her Honour Justice Rofe made clear that cybersecurity should be front of mind for all licensees,” and that “the declarations ordered in the matter should serve to record the Court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct.”
Sydney-based Pausey said he was “not surprised at all” by this prosecution.
“ASIC is responsible for ensuring compliance with the Corporations Act and other related legislation,” he said. “It was clear when the OAIC was established it would have an initial period of an educational focus and then move towards compliance.”
The OAIC is an independent federal government agency and was launched in 2010 as part of a major reform of federal freedom of information (FOI) law. The OAIC combines in one agency the functions of information policy advice, independent oversight of privacy protection and FOI access.
In years past, companies could buy a cyber insurance product and, by doing relatively little themselves, expect coverage if something happened. Pausey agreed that those days are over.
“Cyber insurance has certainly transformed from a product that was hard to sell to now being hard for insureds to buy,” he said.
Pausey said that any organisation buying cyber insurance will be underwritten on the basis of the risk management processes they have implemented.
“The cyber risk landscape is everchanging and it is vital to be abreast of the latest challenges,” he said. “Threat actors are becoming more sophisticated in their methodology.”
Pausey said Emergence “continually updates its underwriting requirements and policies to ensure clients get the protection they need.”
He said a key to having a great security posture is a cyber risk compliant culture driven from the top down at board and senior executive level.
“People continue to be businesses’ biggest weakness,” said Trent Nihill (pictured below), head of corporate for Emergence. “We’ve seen instances where multi-factor authorisation has been easily defeated through employees verifying access attempts when it wasn’t them or providing the verification code to threat actors directly.”
He described that as the equivalent of installing the best lock in the world, only to open the door when the burglar asks.
“While employees are still the weak link, they can also be your greatest asset in preventing cyberattacks,” he said.
Nihill said effective cyber awareness training is crucial for all businesses to create multiple safety nets. “There is no silver bullet for cyber risk management,” he said.
Read next: What’s driving up cyber insurance premiums in Australia?
He listed his firm’s minimum cyber risk controls required to obtain its Cyber Enterprise cover for large corporates with revenues of more than $250 million. These controls include: multi-factor authentication for remote access; strong patch management and privilege access management; regular penetration tests and network segmentation to create barriers that make it harder for threat actors to enter.
Nihill said these controls are informed by the Australian Cyber Security Centre’s (ACSC) Essential Eight prioritized mitigation strategies designed to protect Microsoft Windows-based internet-connected networks.
“We encourage all clients to implement the Essential Eight,” he said. “Doing so would likely have prevented 80%-90% of the cyber incidents we see.”
Nihill said Emergence also recommends employee awareness training and using a good endpoint detection and response tool.
Pausey encouraged brokers to understand their clients’ cyber risks.
“We understand brokers have to advise their clients on a myriad of risks, but cyber is now probably the major risk for most businesses,” he said.