New data on cyber breaches exposes industry-specific trends
New data published by the Office of the Australian Information Commissioner (OAIC) on 5 September provides insight into the evolving landscape of notifiable data breaches sustained by Australian businesses.
We discuss the trends reported with Jonathan McCoy of Casobe & Co, a cyber security specialist and member of Bellrock’s panel of Independent Third Party Experts, to whom we refer clients for Cyber Risk Assessments.
What is the NDB Scheme?
The Notifiable Data Breaches (NDB) Scheme was established in 2018 to drive awareness around security standards and increase accountability for the protection of personal information, ultimately improving customer protections. Under the scheme any organisation covered by the Privacy Act 1988 that experiences an eligible data breach must notify the OAIC.
Reports are made publicly available twice per year, tracking the sources of breaches and exposing emerging issues and areas for attention by businesses. The most recent report, released 5 September 2023, captures notifications received between 1 January and 30 June 2023. Statistical comparisons are to the period 1 July to 31 December 2022 unless otherwise stated.
What constitutes a notifiable breach under the scheme?
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
- this is likely to result in serious harm to one or more individuals, and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
Top 5 industry sectors impacted by breaches
- Health service providers 15%
- Finance 13%
- Recruitment agencies 8%
- Legal, accounting & management services 6%
- Insurance 6%
Why are some sectors targeted by cyber criminals more than others?
Jonathan McCoy:
The use of the data by a threat actor is something that is not often truly understood. Quite often, this can be for, inter alia, ideological reasons. The five areas above will invariably contain a significant portion of sensitive Personally Identifiable Information (PII), and where a threat actor’s demands do not yield fruit directly from the company subject to the breach, there are secondary options to approach the individuals directly.
It is also important to note that the data relates only to reported breaches. Moreover, the key five areas above can often have differing regulatory considerations, such as APRA CPS 234, which places a higher emphasis on breach detection and response throughout the supply chains. Therefore, detection mechanisms to identify breaches are more mature within the industry. This does not mean, however, that other breaches have not occurred (in other sectors), are yet to be discovered, and, where appropriate, reported to the OAIC.
Looking beyond this data, a broader view to take is that breaches will occur in all industries, with varying size and success. For example, a small cake shop will carry a lower risk of cyber incident than a national bank with high profile clients. In any case, to give context to a breach we must probe into the individual circumstances surrounding it: the nature, motives and ways of the threat actor against a potential risk exposure (including all third party providers with data access in the supply chain).
Time taken to identify breaches
- Health service providers: 81% notified in under 30 days
- Finance: 69% notified in under 30 days
- Recruitment agencies: 97% notified in under 30 days
- Legal, accounting & management services: 73% notified in under 30 days
- Insurance: 92% notified in under 30 days
Why is it vital to respond quickly to a cyber incident?
Jonathan McCoy:
Dealing with a data breach ordinarily affects the entire enterprise, not just the IT function. The business impact in dealing with a data breach (notwithstanding media scrutiny, third party liabilities and first party losses) can be exceptionally complicated and difficult. Having a pre-prepared Security Breach Plan and playbook, which is tried and tested, ordinarily allows clarity of thought in the execution of incident response. It is not being administered in situ to varying states of information discovery. The longer the business sustains an impact, the more this will affect revenue, profit and, more importantly, reputation. Dealing quickly, efficiently and systematically ensures that a business can be reasonably prepared to ensure minimal business interruption (in whatever guise).
What are the crucial factors determining an organisation’s response time?
Jonathan McCoy:
An organisation will need to undertake a business impact assessment to determine both external and internal risk factors that can impact the organisation. In evaluating the vulnerability and potential impact of those risks to the organisation, an organisation can reflect on its risk appetite statements to ensure that they are appropriate and able to identify and manage any maximum exposure that it can sustain, the recovery points and recovery times required, and, more importantly, the resources that will be required to establish these.
The consumer’s perspective
According to OAIC’s Australian Attitudes to Privacy Survey 2023, 47 per cent of Australians said they would close their account or stop using a product or service provided by an organisation that experienced a data breach. The most important way participants thought their information could be protected was for organisations to only collect information that was necessary to provide the product or service. The second was for organisations to take proactive steps to protect the information they hold. These sentiments reflect the significant reputational damage organisations face in the aftermath of a breach. The recent spate of high profile data breaches (most notably Optus and Medibank) has affected millions of Australians and driven increased awareness of data privacy issues among consumers. In fact, 74 per cent of Australians surveyed nominated data breaches as one of the biggest privacy risks they face today.
Bellrock’s approach to cyber risk
Bellrock recommends a holistic approach to managing cyber risk which involves risk assessment and strategic risk management protocols to develop cyber preparedness. Cyber liability insurance should be seen as a last line of defence for cyber risk, and terms will only be available if an appropriate level of cyber maturity within an organisation can be demonstrated to insurers.
To arrange a Cyber Risk Assessment please contact our Team of Risk Advisors via the form below.