WHO SHOULD READ THIS
- Business Owners, CEO’s, CFO’s, CIO’s, CISO’s, Executive Managers, Insurance and Risk Managers.
THINGS YOU NEED TO KNOW
- Cybersecurity must be addressed in the same way as any other business risk to protect critical processes and functions and to ensure business continuity.
- A robust cybersecurity framework should be supported by a carefully selected policy of cyberinsurance.
- Stress testing your cybersecurity framework is essential to ensure that your response plans will work in a crisis.
WHAT YOU NEED TO DO
- Act now to review your cybersecurity framework and cyberinsurance policy.
The emergence of the Covid pandemic in early 2020 has had a profound effect on the way we work and that effect looks set to continue with more businesses allowing staff greater flexibility to work outside of the traditional workplace.
This has given rise to a range of Cybersecurity issues that all modern businesses going down that path must address in order to remain successful and build customer trust in the digital age.
Now, more than ever, businesses will need to focus on cybersecurity and cyber risk transfer, and do it well.
This series of articles and the webinar that will follow does not urge overreaction to these issues, nor does it predict doom and destruction for those businesses who are yet to fully address the changes that Covid has wrought. Instead, we will carefully examine a number of ways you can minimise this risk, including what should be incorporated into a cybersecurity framework, how the elements of that framework help to mitigate and respond to data breach incidents and how to select a complementary policy of cyberinsurance.
Essential elements to minimise cybersecurity risk
Cybersecurity must be addressed in the same way as any other business risk. In order to protect critical processes and functions and to ensure business continuity, organisations need to have a robust business response to cybersecurity, including:
- A response team of internal and external resources who possess skills in a range of disciplines including IT, cybersecurity, legal and PR/communications;
- A tailored cybersecurity framework designed for the organisation which protects critical business processes and assets from cyber attack;
- An effective and carefully selected policy of cyberinsurance which acts as a risk transfer device that funds the cost of implementing key elements of the cybersecurity framework when necessary; and
- A system of regular testing and evaluation of cybersecurity procedures and plans because the capacity to effectively execute the plan in a crisis is critical to maintaining business continuity.
Designing an effective Cybersecurity Framework
As mentioned above, a tailored cybersecurity framework is necessary to protect critical business processes and assets from cyber attack. Failing to have an effective cybersecurity framework could lead to delays and increased costs in responding to a data breach as well as a greater risk of claims or regulatory action.
Some of the key elements of an effective cyber and privacy risk management framework are:
- Data mapping: It is essential that you understand where your data assets are in your organisation, where your data flows and who has access to your data (both internal and external to your organisation). Undertaking an audit and mapping of your data is essential to understanding your own cyber risk perimeter.
- Data breach response plan: This one is particularly important – you need to plan ahead and have a robust and carefully considered plan to respond to data breaches as soon as they happen and test the plan regularly. At a minimum, the plan ought to cover:
- what constitutes a data breach in the context of your organisation;
- your crisis management team and when and how they are to be mobilised;
- your response protocols, processes and escalation paths to enable rapid containment and remediation of the data breach;
- who ought to be notified of the data breach, and when and how notifications are to be made;
- your communications and PR strategy, including engagement with stakeholders; and
- any changes to future business operations that may be required.
- Policies, practices and procedures: Your organisation should also have robust policies, practices and procedures in place designed to protect your data (including data about your customers). These should include having:
- a governance body, including privacy officer;
- regular reporting to the Board on cyber risk issues;
- an external privacy policy which meets the Australian Privacy Principles (APPs), is easy to find and clearly and simply describes what your organisation does with customer information, why it uses that information and the options open to your customers regarding how their information is used;
- privacy collection notices and consents in application forms and other organisational materials;
- processes for the handling of information access and correction requests by individuals;
- processes for receiving and responding to complaints and enquiries;
- making use of de-identified data sets where appropriate;
- records management processes, including with respect to data retention and destruction practices;
- programs for undertaking threat assessments where there are heightened data sensitivity risks, and privacy impact assessments (PIAs) for new projects or changes in business information handling practices; and
- disaster recovery/business continuity plans which dovetail seamlessly with your data breach response plan.
- Staff training: Policies, practices and procedures are only useful if they are widely known within your organisation and they are followed. It is important that there is regular and bespoke training to staff on your cyber and privacy risk management framework, the application of the APPs to your organisation’s handling of personal information, and the internal compliance practices, procedures, policies and systems that are in place.
This training is critical now given remote working is the new norm in many workplaces. In particular, secure devices need to be deployed to employees accessing systems remotely (employee-owned devices generally lack adequate protection) and employee devices connected to the system should be tracked and able to be disconnected from the system when necessary.
- Supplier agreements: It is also essential that your supplier arrangements include security measures with respect to any data your supplier is handling on your behalf, and that your agreements with those suppliers have up to date data breach containment, remediation and notification clauses.
Keep an eye out for our next article where we explore the importance of having a comprehensive cyberinsurance policy to complement your Cyber Security Framework.
At the end of this series, we will be hosting a Webinar where we will delve deeper into these topics and address key risks and mitigation strategies. You will also have the opportunity to ask questions to our expert panel. Be sure to register early for the Webinar scheduled for February 2021 via this link.
How we can help you
McCullough Robertson regularly assists clients to design and implement all aspects of a robust cybersecurity framework including assisting to train your teams on how to successfully implement its response plan in a crisis. McCullough Robertson and our insurance advisory service, Allegiant IRS can also provide comprehensive cyberinsurance policy checks and analysis to ensure your cover is adequate and to assist you to navigate through the specialised cyberinsurance market.
For further information on any of the issues raised in this alert please contact one of our team below.