Time running out to prepare for major cyber legislation

Businesses are still unprepared for the launch of mandatory breach notification early next year, an expert has said.

Dougal Hawkes, founder and CEO of cyber risk assessment firm Augmentor, said that businesses are still “some way off” where they need to be with February fast approaching.

“A lot of people I talk to are not even aware of it so there is an element of needing to raise that awareness,” Hawkes told Insurance Business. “February 22 is not very far away and if you are not talking about this with your clients now, then there is an issue.”

The mandatory breach legislation, which was unveiled earlier this year, will mean that all businesses and government agencies governed by the Privacy Act and those with a turnover of more than $3 million a year will be made to notify the privacy commissioner and affected customers as soon as they become aware of a cyber breach.

Similar legislation is already commonplace in the US and has led to an uptick in the take-up of cyber insurance. Firms that fail to comply with the Australian legislation could face penalties of $360,000 for individuals and $1.8 million for organisations.

Hawkes said that brokers have an important role to play for those businesses that will fall under the remit of mandatory breach legislation, and warned that client awareness needs to be at the forefront.

“From a broker’s perspective, it is educating their clients,” Hawkes continued. “It is going to be really important that people are aware [of mandatory breach legislation], of their obligations and what they need to do with reporting it to the commissioner.”

With headlines across the globe dominated by cyberattacks throughout 2017, Hawkes said that it is important to translate attacks against larger businesses to small business clients. The recent hack of global credit reporting agency Equifax, for example, and the subsequent fall-out which saw its CEO retire, offers brokers an opportunity to highlight the importance of cyber breach response plans to their clients, regardless of size.

“There is a lot of press in the market but it is the high end and I think how that then translates to the SME and lower end of the market is a bit lacking,” Hawkes continued. “For me, size is not really important.

“If you take, for example, the lower end of town, dentists, doctors or any small business, what is key for them is their customers and customer data. It would be catastrophic for an SMB to lose it on a scale equivalent to that Equifax breach.”

