This article was written by Patrick Gunning.
The results of our recent Directions survey confirm the anecdotal evidence that cyber-resilience was a hot topic for many directors and Boards in Australia in 2015 and is continuing into 2016. ASIC produced a “Cyber resilience: health check” publication in March 2015, which helped guide thinking in the domestic market. As part of a director’s duty of care and diligence, directors need to assess and address the risk of damage to the company from external cyber-attacks and internal unauthorised access to or disclosure of company data. They should do so on the basis that no company is immune from such risks, although the likelihood of the risk eventuating and the degree of resulting damage varies substantially from company to company.
Notably, 83% of our survey respondents considered that their Boards should devote more time and attention to understanding and managing IT and cyber risks. This was consistent with the finding that 74% of our survey respondents considered that their organisation(s) needed to do more to be cyber-resilient and 65.3% of our survey respondents regarded cybersecurity and related data protection laws as one of the legal and regulatory issues that caused them the greatest concern in 2015. Despite the limited time spent by Boards on understanding and managing IT and cyber risks, 72% of survey respondents felt that they understood the most valuable data held by their organisation(s) and where and how that data is used and stored. That knowledge is clearly critical (although not sufficient) to appropriately manage IT and cyber risks.
It is interesting to compare the high degrees of attention and concern shown by survey respondents in relation to understanding and managing IT / cyber risks with their actual experiences of cybersecurity breaches. Only 15% of our survey respondents reported that a cybersecurity breach had been brought to the attention of the Boards on which they sit during 2015. Just over half (51%) of those breaches were reported to a regulator or customers. 87% of the breaches did not damage the organisation’s reputation or cause the organisation to incur material costs.
In our view, the level of concern reflects the fact that cybersecurity breaches could be very serious, although many, or even most, affect a small number of customers or involve anodyne information.
The Federal Government has stated that it will introduce legislation to require reporting of data security breaches involving a serious risk of harm to individuals. The exposure draft legislation requires reporting to both the Privacy Commissioner and to affected individuals (which is quite different from breach reporting regimes that apply in the financial services sector where the requirement is only to report the breach to the relevant regulator). We expect this new regime will lead to higher levels of breach reporting than the 51% identified by our survey respondents this year. Given the likelihood of a federal election in mid-2016, it is not clear whether legislation will be enacted before the election. However, mandatory data breach reporting is a policy supported by the opposition political party, so we believe it is a matter of time before laws of this kind are introduced in Australia. It remains to be seen whether plaintiff lawyers in Australia will follow the North American trend of filing class actions shortly after organisations notify individuals of data security breaches.
The financial impact of a data security breach can be difficult to quantify. The following table showing the stock price impact of the news of data breaches experienced by various US corporations during 2013 and 2014 provides food for thought:
(source: NERA Economic Consulting study, 2014)
What this information does not show is the expenses incurred – both first party and to pay third parties seeking compensation – by the affected companies. Target Corp, whose breach is notorious, has been making separate disclosures of the cost of the breach in their quarterly financial reports. In their March 2016 filing, Target stated “since the data breach we have incurred $291 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $201 million”.
Clearly, most breaches will not be on that scale. Various studies attempt to quantify the cost of data security breaches. One of the more sophisticated analyses we have seen is in Verizon’s 2015 Data Breach Investigations Report. They explain how the cost per record is non-linear and there can be a significant range depending on the type of data whose security has been compromised. Their findings are below:
Many clients have told us that cyber risks are in their top 3-5 risks. This has inevitably led to discussions with insurers about the availability of specialty cyber cover. Given the relatively limited experience of claims (at least compared to most other insured risks), the market for cyber insurance coverage is still emerging. We have advised a number of clients who have been seeking to obtain specialty cyber coverage.