Cyber attacks can have a significant impact on revenue and profitability. There are also legal implications:
The Privacy Act, including the Notifiable Data Breach requirements, applies to private sector organisations with an annual turnover of $3 million or more; however, certain types of businesses with less than $3 million in annual turnover are not exempt from the Privacy Act. These include health service providers, businesses that hold tax file numbers and credit reporting bodies.
On 25th November 2024, the Federal Government passed the Cyber Security Act 2024 (“Cyber Security Act”), which requires organisations to report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate. Ransomware reports are to be made within 72 hours of payment and a failure to comply will result in a civil penalty of 60 penalty units (A$93,900).
There have recently been a number of “cyber incident” sanctions imposed against certain ransomware bad actors, and breaches of sanctions laws can be a serious criminal offence, punishable by potential fines for entities of the greater of 10,000 penalty units ($3.13 million as of 1st July 2023) or three times the value of the illegal transaction.
Ransomware attacks can result in lost revenue and profit, with the frequency and complexity of these attacks increasing over the years. In extreme circumstances, businesses in Australia have gone out of business following a cyber-attack.
To mitigate the risk of privacy and security breaches, organisations should consider implementation of the following in conjunction with their wider security programme and the advice received from their IT security adviser:
Utilise multi-factor authentication (MFA): Add an extra layer of security to your remote access points by requiring more than one form of verification to access them.
Maintain regular backups: Ensure your backup strategy will allow you to quickly resume activities after a privacy incident to minimize downtime and disruption.
Educate and train employees: Provide ongoing cybersecurity training to help staff recognize and respond to threats such as phishing and social engineering attacks.
Maintain up-to-date software and security patches: Regularly update all software, including operating systems and security tools, to close known vulnerabilities and protect against emerging threats.
Maintain up-to-date operating systems: Ensure that your operating system (e.g. Windows) is kept up to date to protect your network from new threats.
Business Interruption causing Business Interruption Loss incurred during the Indemnity Period as a direct result of: i. the total, partial or intermittent interruption or degradation in service of the Computer System operated by the Insured, caused by a Security Breach or Administrative Error; or ii. a Privacy Breach.
Business Interruption causing Business Interruption Loss incurred during the Indemnity Period as a direct result of: i. the total, partial or intermittent interruption or degradation in service of the Computer System operated by an Outsourced Service Provider, caused by a Security Breach or Administrative Error; or ii. a Privacy Breach.
Business Interruption causing Business Interruption Loss incurred during the Indemnity Period, caused directly by a System Failure.
Business Interruption causing Business Interruption Loss incurred during the Indemnity Period as a direct result of an Adverse Media Event arising from a Security Breach, Privacy Breach or Administrative Error.
The reasonable professional fees and expenses incurred by the Insured in quantifying a Business Interruption Loss, subject to the Insurer’s prior written consent, before incurring such fees or expenses.