Cyber security needs to shift from the IT desk to the boardroom – QBE

by |
The new mandatory reporting legislation for data breaches will transform Australia’s business landscape as it brings cyber security from the IT department to the boardroom, according to a recently released whitepaper.

The QBE whitepaper, titled “Out of the shadows: data breach mandatory reporting and cyber insurance,” said companies nationwide should implement stringent data management and cyber security measures to avoid the risk of compliance, financial, and reputational ramifications.

The new legislation, passed in the Senate in February, requires companies with a turnover of more than $3 million, health service providers, credit reporting bodies, credit providers, and tax file number recipients, to mandatorily report any data breaches to both the privacy regulator and affected customers.

QBE cyber insurance expert Ben Richardson said the new legislation underlines the need to further enhance and review data management and cyber security practices within the company’s overall risk management framework to ensure they remain fit for purpose.

“It means, certainly as far as ASX-listed companies go, that if the data breach is serious enough to affect the share price or a specific class of individuals, like employees, then legal and regulatory action against directors and officers will move into scope,” Richardson said.

“This clearly illustrates the need for cyber security to shift from the IT desk to the boardroom.

“In future, company boards will need to ensure they are well across their organisation’s security practices and encourage a strong security culture to avoid being placed in the firing line.”

Richardson also urged small and medium businesses to be just as vigilant when it comes to cyber security - a sentiment shared by Prime Minister Malcolm Turnbull in his foreword to the ASX 100 Cyber Health Check report.

“We’re starting to see criminals move away from attacking larger organisations that present more complex defence mechanisms and instead target SMEs who are often unable to invest in high levels of IT security or risk management and are more susceptible to automated, lower cost threats, such as phishing and ransomware,” Richardson said.

He added that the introduction of mandatory notification would put cyber insurance, a relatively new product in Australia, on the radar for businesses of all sizes.

Related stories:
Massive cyber attack a wake-up call
Fitch warns of financial services cyber risk

Corporate Risk & Insurance forum is the place for positive industry interaction and welcomes your professional and informed opinion.

Name (required)
Comment (required)
By submitting, I agree to the Terms & Conditions