By Ben Di Marco, Cyber Specialist - Australia and New Zealand and Jessica Wright, Regional Associate Director - Cyber, Asia, Willis Towers Watson
Companies looking to demonstrate a proactive framework should develop and test business continuity and incident response plans to ensure that the financial and reputational effects of a breach are mitigated as much as possible.
The recent Australian LandMark White (LMW) breach demonstrates these concerns. On May 6 this year, LMW announced that a December 2018 data breach had caused business interruption and a loss of revenue of approximately $7 million. The company also saw a 50% decline in its share price immediately after it publicly disclosed the breach.

In high-profile incidents, the Board's oversight of data security risk will be of keen interest to regulators and shareholders. A Board and company's best defence in these situations is to demonstrate a proactive approach to cyber risk management covering people, processes and technologies. Companies looking to demonstrate a proactive framework should develop and test business continuity and incident response plans to ensure that the financial and reputational effects of a breach are mitigated as much as possible. Mitigation tools such as cyber insurance are also of key benefit: they provide access to a practised breach response manager who coordinates the various third-party experts an organisation might need, such as forensics, IT, public relations, legal advisors, and credit monitoring and identity theft specialists. The costs of these experts are covered as part of standard cyber insurance coverage.

Many organisations miss the mark on assessing their security posture because they do not consider the full spectrum of their company's cybersecurity outside of technology. The NIST (National Institute of Standards and Technology) Cybersecurity Framework has five categories: identify, protect, detect, respond, and recover. Companies spend on average 1.7 percent of annual revenue on cyber-resilience, with the majority of this spending allocated to technology, which mostly falls in the "protect" category. Giving attention to talent investment, the development of business continuity and incident response plans, employee training, and insurance can ensure that all five NIST categories are being addressed.
Given the current risk landscape, cyber security will remain a key business concern for years to come. The extent of the technical, people and process challenges influencing the risk can at times be overwhelming; however, even single steps taken will improve resilience. Most importantly, where companies focus on holistic concepts, they will provide the best protection possible to both the balance sheet and their senior management.