Australia: Cyber Risk Now in Top 5 Organisational Risks

Greater awareness of privacy and data protection does not necessarily translate into action, as shown by MinterEllison's fourth annual Perspectives on Cyber Risk report.

2018 ushered in more stringent privacy and data protection laws along with harsher penalties. New regulation, including Australia's Notifiable Data Breach and consumer data right regimes as well as the European Union's General Data Protection Regulation, brought Australia closer in line with emerging international standards.

Against this evolving data protection and privacy landscape, MinterEllison conducted its fourth annual cyber security survey to assess how Australian organisations are responding to cyber risk. More than 110 senior executives across legal, technology, finance and procurement participated in the survey.

"What we can see from this year's results is a continuing disconnect between organisations’ understanding of cyber risk and the practical steps they are taking to mitigate against it," says Paul Kallenbach, MinterEllison Technology and Digital Partner and Head of its Cyber Security practice.

Organisations continue to improve their understanding of cyber risk. In 2018, 34% of respondents identified themselves as having a ‘very good’ understanding of their cyber risk exposure, compared with only 18% in 2017.

More than half of respondents reported that cyber risk now ranks in the top five risks on their enterprise risk register – a significant increase from our initial survey in 2015, when only 29% of respondents gave cyber risk this ranking. Furthermore, 78% of respondent organisations said that they have a data breach response plan in place, an increase from 54% in 2017.

Despite this growth, only 45% of survey respondents reported that they regularly (at least annually) test their data breach response plan.

"Importantly, for company directors seeking to comply with their responsibilities in relation to cyber security, ASIC encourages an assessment of their company’s cyber security threats and vulnerabilities to understand what, where and how data is held," noted Mr Kallenbach.

"Insufficient or inadequate action to address cyber risk is a worrying trend that we've seen in our report since its inception in 2015. This is despite a more stringent regulatory landscape in both Australia and overseas, and recent high profile examples, such as PageUp, of the damage that a serious cyber incident can cause."

The survey results also show that, of those organisations who plan to implement AI or big data solutions, only a third have undertaken a privacy impact assessment or security risk assessment of those solutions.

"At a time when the law cannot keep up with the pace of technological change, it is incumbent on organisations to develop their own set of baseline privacy and data protection rules, and test them regularly," said Mr Kallenbach.

"To ensure they meet Australia's privacy and data protection laws, and avoid penalties and other legal sanctions, boards and directors need a thorough understanding of the privacy and security impact of new technologies; but they also need to translate this understanding into appropriate and considered action. Closing this gap will be an increasingly important aspect of an organisation's cyber risk profile."

Key lessons for directors include the need to regularly review, test and update data breach response plans; to implement employee training and awareness at all levels; to conduct regular risk assessments on bring-your-own-device (BYOD), remote access and the use of third party services (including cloud services); and to consider how a ‘privacy positive’ approach could be used as a differentiator.
