Boards Feel Unprepared To Protect Themselves From Cybersecurity Threats While Data Breaches And Privacy Complaints Rise

In a recently published report by American cybersecurity and compliance company Proofpoint titled ‘Cybersecurity: The 2023 Board Perspective’, just under 60% of participating Australian board members said they feel unprepared to cope with a targeted attack. This is despite over 80% of participating Australian board members viewing cybersecurity as a priority and believing they have invested adequately in it.

This disconnect between board members’ awareness of cyber-risks and their perceived readiness to deal with cyber-attacks needs to be carefully considered by all boards, particularly given the highly publicised data breaches of the past two years, including Australian Clinical Labs (February 2022), Optus (September 2022), Medibank Private (October 2022) and Latitude Financial Services (March 2023).

ACAPS 2023

The belief that cybersecurity is a priority aligns with the results of the Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey 2023 (ACAPS 2023) (released in August 2023). The results showed that:

  • 74% of Australians feel data breaches are one of the biggest privacy risks they face today;
  • 76% of Australians whose data was involved in a data breach said they experienced harm as a result;
  • 53% of Australians were willing to remain with an organisation that experienced a data breach provided the organisation promptly acts in respect of the breach, including:
    • quickly putting steps in place to prevent its customers suffering harm from the breach (62%);
    • improving its security practices (61%);
    • reporting the breach to affected individuals quickly (60%);
    • quickly putting steps in place to stop further damage from the breach (60%);
    • paying for customers to replace identity documents (59%); or
    • reporting the breach to the regulator quickly (57%)
  • 64% of Australians experienced a privacy breach (a problem with the handling of their personal information, as distinct from a data breach) in the 12 months before completing ACAPS 2023 and experienced harm as a result, including:
    • a loss of trust in the organisation’s information handling practices (53%);
    • an inability to find out how personal information was being used (31%);
    • psychological harm such as stress or anxiety (24%); or
    • identity theft (19%).

ACAPS 2023 also disclosed that:

  • the majority of Australians (87%) believe organisations should be held responsible if they experience a data breach affecting individuals’ information; and
  • two in five Australians (42%) believe the directors of those organisations should be held accountable.

Meanwhile, OAIC’s Annual Report for 2022-23 (released in October 2023) revealed that OAIC:

  • received 34% more privacy complaints than in 2021-22 (a record number of 3,402) and finalised 17% more privacy complaints (2,576);
  • handled 7% more privacy enquiries than in 2021-22; and
  • received 5% more notifications under the Notifiable Data Breaches scheme than in 2021-22 (from sectors including health service providers, finance, insurance, and legal, accounting and management services).

FINSIA 2023

The view that organisations need to be better prepared to handle cybersecurity threats is also shared by the authorities.

At the Financial Services Institute of Australasia The Regulators event held in early November 2023, APRA chair John Lonsdale said that cybersecurity was a key focus and warned that many of the big firms regulated by APRA were not doing enough to protect consumers. He further confirmed that many entities were still struggling with foundational issues: ensuring third-party controls are in place, making sure security control testing is carried out, and regularly testing incident response plans.

In addition, the Reserve Bank of Australia Assistant Governor (Financial System) Dr Brad Jones said that an entity remains responsible for the risks introduced through its use of third parties and for managing those risks appropriately. He said this was particularly true in the information technology area, where financial institutions cannot absolve themselves of ultimate responsibility for customer security and privacy by outsourcing IT functions. Dr Jones also referenced the importance of organisations carefully managing the risks and upgrades associated with ageing infrastructure.

Lavan comment

In a landscape of expanding regulatory powers, organisations must continue to educate their employees and executives not only to meet existing cyber-compliance obligations but to be confident in their ability to handle any cyber-breach appropriately and to minimise the harm caused to customers.

If you require support with cyber-protection planning, contact Partner Iain Freeman or Special Counsel Stephanie Tan to discuss how we can assist.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.