JO STEWART-RATTRAY
WHEN CYBERSECURITY FAILS, MATERIAL RISK GROWS by Jo Stewart-Rattray, Information Security Advisory Group, ISACA
Following a number of high profile data breaches in 2022, it is clear board members and CISOs will need to take a broader view of the material risk arising from data breaches and cyber threats. Data breaches impacting millions of Australians have shaken consumer confidence and motivated the government to act decisively. As a result, boards and directors can expect greater scrutiny.

Boards, directors and security experts will be judged on their understanding of, and response to, material risk arising from unintended data breaches and more frequent, malicious cyber threats. Material risk, including financial impact and reputational damage, is growing.

FINANCIAL RISK IS BROADENING

Financial risk is commonly considered in terms of lost revenue and the cost of remediation or ransom payments following a breach. However, organisations should also prepare for greater financial penalties if they fail to protect customer privacy. Following the data breaches at Optus and Medibank Private in October 2022, the government introduced legislation to increase penalties for repeated or serious privacy breaches. The proposal for parliamentary consideration was to increase the maximum penalty from $2.2 million to $50 million, or three times the value of any benefit obtained through misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period, whichever is greatest. Although final legislation is pending at the time of writing, the government’s intention is clear: to strengthen the powers of the Australian Information Commissioner and the Notifiable Data Breach Scheme.

With rising penalties, organisations that previously considered customer data as an asset may need to reframe their thinking and see unprotected data as a liability. Privacy breaches may require consumer compensation, for example to cover the costs of new identification documents. It is possible legal action may arise from more serious customer losses resulting from fraud enabled by the stolen data.

RISK OF REPUTATIONAL DAMAGE

There is a growing sense of desperation among consumers who think nothing can be done to protect them from cybercrime—as highlighted in ISACA’s Consumer Cybersecurity 2022 survey—and boards and security professionals need to act.
WOMEN IN SECURITY MAGAZINE
JANUARY • FEBRUARY 2023