Did you know that all directors of Australian companies have a duty to exercise care and diligence, and that this extends to ensuring the company takes a robust approach to cyber resilience? A breach of that obligation can leave directors personally exposed under section 180 of the Corporations Act 2001 (Cth).
Despite a wealth of information being available on cyber risks, it is still very common for businesses of all sizes (particularly SMEs) to underestimate their own exposure. Do not let your business, or yourself, be caught out. Take a moment to explore some common misconceptions about cyber-risk.
“I’m too small to be a target.”
While attacks against smaller companies rarely make headlines, insurers report that they are frequent and increasingly severe. As of 2018, the Australian Small Business and Family Enterprise Ombudsman (ASBFEO) reported the following statistics:
- small businesses are the target of 43% of all cybercrime;
- of the small businesses hit by the 2017 ransomware attacks, 22% could not continue operations;
- cybercrime costs the Australian economy more than $1 billion annually.
“We don’t collect sensitive data, so we have no exposure.”
Data breaches are just one of the many cyber risks facing businesses. Some more common examples include:
- electronic funds transfers are vulnerable to funds transfer fraud;
- social engineering scams are successfully hitting all businesses and industries;
- because technology is embedded in day-to-day operations, an incident at a supplier or IT provider can cause significant delays and losses to your own business, even though none of your own systems were attacked.
“We’ve invested in our networks so that they are secure.”
Investing in security is paramount, as it must be your first line of defence. However, no organisation can ever be 100% secure, particularly where people are involved. Cyber criminals are becoming increasingly sophisticated and relentlessly look for new ways to infiltrate networks. Further, some cyber threats do not involve accessing your network at all: social engineering fraud and the actions of a rogue employee are major examples.
Refusing to purchase cyber insurance because you have IT security controls is akin to refusing to buy property insurance because you have physical security controls. The two are complementary, not alternatives: controls reduce the likelihood of an incident, and insurance addresses the financial impact of the incidents that get through.
“Our third party cloud provider is responsible for our data/networks.”
Incorrect in most circumstances. Cloud providers operate on a shared-responsibility basis: the provider secures the underlying platform, but your data, user access and configuration remain your responsibility, and their contracts typically limit their liability for your losses. If the provider suffers an attack and goes down, meaning you cannot operate, it is your business that will first suffer the business interruption and the additional costs of trying to keep trading. It can prove extremely difficult, and potentially impossible, to recoup those losses from your IT provider.
CASE STUDY – Social Engineering/Fraud
A recent client matter involved a scammer impersonating the CEO, who doctored an invoice and asked the Financial Controller to pay $45,000 to a supplier. Despite a second member of senior management reviewing and signing off the payment, a process most would regard as a good risk mitigation measure, the fraud was not picked up and the payment was made. It came to light only when a second request (for $150,000) was made a week later and the senior manager responsible for sign-off raised it directly with the CEO.
The language used in the initial request was tailored to sound like the CEO and contained none of the broken English or grammatical errors and inconsistencies that might have given it away. Those behind this type of fraud are becoming more and more sophisticated. In addition, the bank did not provide compensation because the payment had passed through the company's own authorisation levels.
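The lesson from this case study is that a second signature on the same doctored request does not help if nobody checks the request itself. The following Python is an added illustration, not code from the original article or from Hoffman Kelly, of the kind of automated screening a finance team can run before a payment is approved. It assumes the request arrived by email from a sender claiming to be an executive (the article does not say how the impersonation was delivered); the company domain, executive names, approved-supplier list and callback threshold are all constructed for the example. Any finding means the approver must verify the request out of band, by phoning the executive or the supplier on a number already on file, not one taken from the request.

```python
"""Screen an inbound payment request for common CEO-fraud indicators.

Added example; all domains, names, account numbers and thresholds below are
constructed for illustration and should be replaced with the real ones.
"""
from dataclasses import dataclass

CORPORATE_DOMAIN = "example-co.com.au"            # assumed company mail domain
EXECUTIVES = {"jane smith", "tom jones"}           # assumed executive display names
CALLBACK_THRESHOLD = 10_000.0                      # assumed: amounts at/above this need a callback
KNOWN_PAYEES = {"acme supplies pty ltd": "062-000 12345678"}  # assumed supplier master file


@dataclass
class PaymentRequest:
    display_name: str     # "From" name shown in the mail client
    sender_address: str   # actual address the mail came from
    payee: str            # supplier named on the invoice
    bank_account: str     # account number on the invoice
    amount: float         # amount requested


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if malformed."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, legit: str = CORPORATE_DOMAIN) -> bool:
    """True for domains such as examp1e-co.com.au that differ from the real one by <= 2 edits."""
    return domain != legit and 0 < edit_distance(domain, legit) <= 2


def screen_request(req: PaymentRequest) -> list[str]:
    """Return the list of red flags found; an empty list means no out-of-band check is required."""
    findings = []
    domain = sender_domain(req.sender_address)
    name = " ".join(req.display_name.split()).lower()

    # Display-name impersonation: an executive's name on mail from outside the company.
    if name in EXECUTIVES and domain != CORPORATE_DOMAIN:
        if is_lookalike_domain(domain):
            findings.append(f"executive name '{req.display_name}' sent from lookalike domain {domain}")
        else:
            findings.append(f"executive name '{req.display_name}' sent from external domain {domain or '<none>'}")

    # Doctored invoice: unknown payee, or a known payee with changed bank details.
    on_file = KNOWN_PAYEES.get(" ".join(req.payee.split()).lower())
    if on_file is None:
        findings.append("payee not on approved supplier list")
    elif on_file != req.bank_account.strip():
        findings.append("bank account differs from the account on file for this payee")

    # Large amounts always get a callback regardless of who asked.
    if req.amount >= CALLBACK_THRESHOLD:
        findings.append(f"amount {req.amount:,.2f} is at or above the callback threshold")
    return findings


def requires_callback(req: PaymentRequest) -> bool:
    """True if the approver must verify the request by phone before releasing funds."""
    return bool(screen_request(req))


if __name__ == "__main__":
    # Constructed request modelled on the case study: CEO's name, outside mailbox,
    # known supplier but changed account number, $45,000.
    suspicious = PaymentRequest("Jane Smith", "jane.smith@gmail.com",
                                "Acme Supplies Pty Ltd", "062-999 87654321", 45_000.0)
    for flag in screen_request(suspicious):
        print("FLAG:", flag)
    print("callback required:", requires_callback(suspicious))
```

The checks are deliberately dumb: they do not try to judge whether the wording "sounds like" the CEO, because that is exactly what the scammer in the case study got right. They key on things the scammer cannot easily fake from outside the company, namely the real sending domain, the supplier's bank details already on file, and a fixed dollar threshold. The bank-detail comparison would have caught the $45,000 payment before the second signature was even sought.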
Don’t get caught out. Educate yourself and your staff on cyber security, and understand how you can manage the risks and address any vulnerabilities before it is too late.
It is more important than ever to keep your business data secure. As this is a complex area, please contact your accountant at Hoffman Kelly to arrange an appointment with our insurance specialist Coverforce 3LP for expert advice.