‘Boards to be liable for data breaches’

May 12, 2016

MELBOURNE — Cyber security will be a key area of mainstream risk for corporate Australia and government in 2016, according to Perspectives On Cyber Risk, a report released by lawyers MinterEllison.
Partner Paul Kallenbach, a specialist in cyber security and data protection, signals that the increasing focus on cyber security, including the expected introduction of mandatory data breach legislation in Australia in 2016, will increase the potential for Board members to incur personal liability as a result of a data breach.

"According to our survey findings, 40% of CIO respondents said their organisation experienced at least one cyber attack in 2015 that compromised their systems or data. This highlights the regularity with which organisations, large and small and from a broad range of industries, are having to deal with this risk," Kallenbach says.
"Because every attack has the potential to cause significant reputational damage, both for individuals and organisations, it has never been more important for all levels of an organisation to turn their attention to cyber risk and how their organisation might be vulnerable."
Kallenbach says cyber risk must be firmly on the Board agenda, noting in particular that among Board respondents to the survey, 60% perceived cyber risk as being more of a risk than it was 12 months ago.
"Cyber security is a vital area for Boards and senior management in both the private and public sectors, and it should be factored into key business and operational decisions. 2015 was the year in which cyber risk became front and centre for the business world," he says.
A notable finding of the MinterEllison Cyber Risk Report was the significant number of respondents (27%) reporting that their organisation did not have a data breach response plan in place. The report also found that cyber insurance has not yet been widely embraced.
Only 25% of respondents confirmed their organisation held specialist cyber risk insurance. A further 32% were unsure of whether cyber risk was addressed in their existing insurance arrangements.
"Cyber security is now in the mainstream and so, like human resources and other similar corporate-wide risk areas, organisations should train all staff in cyber security measures, and give individuals an opportunity to report areas of potential cyber vulnerability," Kallenbach said.