There are many reasons to manage cyber security risk. So, if you’re wondering whether to make enhancing cyber security a priority for your business, here are four things to consider.
4 reasons to manage cyber security risk:
1. Regulatory Enforcement
Last week the Australian Prudential Regulation Authority (APRA) increased Medibank Private’s capital adequacy requirement by $250 million following the cyberattack it suffered in October 2022.
Why? To encourage Medibank to implement its IT security improvements faster.
In case you missed it, Medibank Private’s cyberattack was one of Australia’s most significant data breaches ever. Here’s a quick overview of the cyber event:
- 11 October 2022: a criminal accessed Medibank’s IT systems using stolen Medibank credentials (a username and password) belonging to a third-party IT provider.
- A misconfigured firewall allowed the attacker to reach further usernames, passwords and Medibank systems without being contained.
- Medibank successfully closed the criminal’s access by 12 October 2022.
- Medibank implemented cyber security improvements.
- Class action lawsuits commence against Medibank.
- Deloitte investigates the cyberattack.
- Deloitte recommends enhancements to IT processes and systems.
- Medibank continues to implement improvements.
- July 2023: regulators increased Medibank’s capital adequacy requirements until all remedial work is complete.
Regulators such as the Australian Securities and Investments Commission (ASIC) can also strongly recommend that you have an IT strategy and response plan in place if it’s in the best interests of consumers.
Criminals target businesses of all sizes, so it’s no surprise that small, medium and large companies across Australia fall victim to cybercrime.
2. Cybercrime Statistics & Costs
With the average cost per cybercrime incident in the region of:
- $39,555 for small businesses
- $88,407 for medium businesses, and
- $62,233 for large businesses,
developing an action plan to safeguard your business from cybercrime makes sense.
The ACSC (Australian Cyber Security Centre) website has resources to help businesses mitigate cyber security incidents, including the Essential Eight. According to the ACSC, the Essential Eight are the most effective mitigation strategies for Microsoft Windows-based internet-connected networks.
3. Reputational Risk
A cyberattack can reach beyond the walls of a company, affecting customers, suppliers and more. More importantly, it may erode trust in your business and its processes, which may take time to regain.
4. Legal Risk
A cyberattack puts companies at risk of legal action. For example, a customer or supplier may suffer a financial loss due to a data security breach and take legal action against your company.
Taking steps to mitigate the risk of cybercrime sooner rather than later may reduce the impact on customers and suppliers.
Mitigation may include annual cyber security training for all staff, regular device updates, back-ups and password changes, and multi-factor authentication (MFA).
Whether a business works with a third-party IT service provider, has an in-house IT team or manages its own IT, it’s prudent to develop an IT strategy. The strategy may include an assessment of the risks and a clear action plan to manage security, back-ups, system updates, training, reporting and how to respond to a data breach.
Transferring cyber risk to insurance helps businesses identify, understand, and manage business risks, including cyber security risks. Our risk and insurance review assesses your risk exposure and recommends the most appropriate ways to transfer risk to insurance.
Importantly, we can direct you to effective cyber training programs to help minimise the risk of a cyber event impacting your business.