By Dan McCallum, Account Manager, Honan Insurance Group
Navigating Risk in a changing world
With the dynamic nature of emerging cyber-crime, it is astounding to consider that only 43% [1] of Boards are confident their company is properly protected against cyber-attacks. Even more alarming, only 11% [2] understand how data is shared with third parties.
The mind boggles at the level of exposure, not only for companies but also for Directors and company Executives.
Cyber-crime is the number 1 emerging risk for ASX Boards and Executives [3]; companies simply cannot keep pace with the speed at which this threat compromises the sustainability of their organisations.
The significant impact of Cyber Risk has not been lost on the Australian Institute of Company Directors, which has taken the bold step of recommending that Boards appoint a member to be responsible for their Cyber Risk. However, a board of directors is jointly and severally liable, so as a collective they still need to be confident that they understand this risk.
Only 10% of Australian companies buy Cyber Insurance [4]
The statistic is alarming considering that the Australian corporate regulator has made it very clear that it views cyber resilience as an issue for which directors are directly accountable!
Example 1: A recent and very public example of board members being held responsible was in the US, with retail company Target. The board was advised by their insurance broker to purchase a larger limit of Cyber, but they decided against it and were held liable.
Example 2: Following the $400,000 fine issued to UK company TalkTalk for the IT security failings that led to the company being hacked in 2015, the CEO at the time has come forward in an interesting and pertinent interview with Computer Weekly: http://www.computerweekly.com/news/450419002/Business-not-taking-cyber-security-seriously-enough-says-Dido-Harding
Australia traditionally follows a year or two behind the US and UK, and if their recent lawsuits are anything to go by, it is clear that Australian Directors & Officers may soon be held responsible for these data breaches.