Your Reputation

If a company suffers a cyber-attack or ransomware demand, which is then publicised by the media, this negative press may concern customers and result in loss of trust in the company's ability to protect their personal and financial information, leading to a decline in customer loyalty and potential loss of business.

In addition, competitors may use the breach to their advantage, highlighting their own security measures to attract customers away from the affected company.

"It takes 20 years to build a reputation and a few minutes of cyber incident to ruin it"
Stephane Nappo - Cybersecurity expert

The Law

Breaching certain laws relating to cyber security can expose companies to wide public attention and loss of reputation. These laws include:

  • The Privacy Act: The Privacy Act 1988 is an Australian law designed to protect individuals' privacy and regulate how personal information is handled by government agencies and certain private sector organisations.
  • Cyber Security Act 2024: Recently passed, this Act mandates that organisations report ransomware payments and significant cyber incidents to the government.
  • Corporations Act 2001: Directors and officers of companies have a duty to act with due care and diligence, which includes managing cybersecurity risks. Failure to do so can result in legal action for breach of duty.

Scale of the problem

The exposure of cyber breaches by the media has become increasingly common, reflecting the growing frequency, severity and public interest in cyber incidents. Australian media outlets are proactively searching breach forums and darknet sites to expose Australian companies that are being extorted.

In addition, there is an increasing appreciation, both at a business and personal level, that the privacy and security of an individual’s information is extremely important. This appreciation exploded during 2022 with the Optus and Medibank hacks affecting millions of individuals. After the Medibank breach, the Australian Cyber Security Minister described the damage as "potentially irreparable," highlighting the severe impact on customers whose sensitive health information was compromised.


Exposure Mitigation

To mitigate the risk of reputational harm due to an adverse media event, organisations should consider implementing the following in conjunction with their wider security programme and the advice received from their IT security adviser:

  • Have a well-defined incident response plan in place. This plan should outline the steps to take in the event of a breach, including communication strategies and recovery procedures;
  • Maintain internal processes and procedures so that employees are kept informed during an incident and are aware of the actions and communications they should and should not take in the event of an attack;
  • Ensure compliance with all relevant laws and regulations, such as the Privacy Act 1988 and the Notifiable Data Breaches scheme in Australia.

Insurance Solution

Cover 1.d: Reputational Harm

Business Interruption causing Business Interruption Loss incurred during the Indemnity Period as a direct result of an Adverse Media Event arising from a Security Breach, Privacy Breach or Administrative Error.