Cyber risk needs to be at the forefront of business agenda

Australia’s business landscape will be transformed under new mandatory reporting legislation for data breaches, which will take cyber security from the IT department to the boardroom, according to a white paper released by QBE Insurance.

QBE cyber insurance expert, Ben Richardson, said the new legislation emphasises the need for data management and cyber security practices to be escalated and reviewed within a company’s overall risk management framework to ensure that they are fit for purpose.

“It means, certainly as far as ASX-listed companies go, that if the data breach is serious enough to affect the share price or a specific class of individuals, like employees, then legal and regulatory action against directors and officers will move into scope,” Richardson said.

“This clearly illustrates the need for cyber security to shift from the IT desk to the boardroom.

“In future, company boards will need to ensure they are well across their organisation’s security practices and encourage a strong security culture to avoid being placed in the firing line.”

Global consultancy firm PwC has also called for cybersecurity measures to be business-aligned and owned, and for CEOs and boards to be held accountable for issues. In a recent report on the realities of cybersecurity and its associated risks, PwC called for greater consideration of the magnitude of cyber-risks and better strategies to bring the issues to the forefront of the business agenda.

The report states: “Today, cyber-risks are a clear and present threat to the global business ecosystem … however many CEOs (chief executive officers) and boards have yet to truly appreciate the seriousness and magnitude of this critical business issue.”

While businesses remained fully dependent on technology, the report said safeguarding valuable data was no longer possible, and businesses would do better to spread awareness throughout the organisation rather than rely on an IT or technology team to combat risks.

“Company leaders and boards can no longer afford to view cyber-risk as a technology problem.”

“Traditional boundaries have shifted, with company and personal digital footprint and audit trails leaving a mass of data open to theft and exploitation.”

While cyber-risks had previously been solely attributed to hackers and terrorists, the report said other nation states, organised crime units and even employees were threats to all banks and businesses within the finance space.

“Numerous attack groups are backed by limitless resources … attack groups are able to devote highly talented individuals who are experts in technology, business process, and espionage tactics,” the report said.

“Attackers are constantly evolving their capability to exploit vulnerabilities inherent in the global business ecosystem.”