WHEN CYBERSECURITY FAILS, MATERIAL RISK GROWS
JO STEWART-RATTRAY
Following a number of high profile data breaches in 2022, it is clear board members and CISOs will need to take a broader view of the material risk arising from data breaches and cyber threats. Data breaches impacting millions of Australians have shaken consumer confidence and motivated the government to act decisively. As a result, boards and directors can expect greater scrutiny.
Boards, directors and security experts will be judged on their understanding of, and response to, material risk arising from unintended data breaches and more frequent, malicious cyber threats. Material risk, including financial impact and reputational damage, is growing.
FINANCIAL RISK IS BROADENING
Financial risk is commonly considered in terms of lost revenue and the cost of remediation or ransom payments following a breach. However, organisations should also prepare for greater financial penalties if they fail to protect customer privacy. Following the data breaches at Optus and Medibank Private in October 2022, the government introduced legislation to increase penalties for repeated or serious privacy breaches. The proposal for parliamentary consideration was to increase the maximum penalty from $2.2 million to $50 million, or three times the value of any benefit obtained through misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period, whichever is greatest. Although final legislation is pending at the time of writing, the government’s intention is clear: to strengthen the powers of the Australian Information Commissioner and the Notifiable Data Breach Scheme.
With rising penalties, organisations that previously considered customer data as an asset may need to reframe their thinking and see unprotected data as a liability. Privacy breaches may require consumer compensation, for example to cover the costs of new identification documents. It is possible legal action may arise from more serious customer losses resulting from fraud enabled by the stolen data.
RISK OF REPUTATIONAL DAMAGE
There is a growing sense of desperation among consumers who think nothing can be done to protect them from cybercrime—as highlighted in ISACA’s Consumer Cybersecurity 2022 survey—and boards and security professionals need to act.
The level of consumer concern about data privacy and security—and consumers’ awareness of identity theft, scams, fraudulent transactions and hacking—are important indicators of consumer trust. They illustrate the role cybersecurity plays in protecting consumers, and an organisation’s reputation and competitiveness.
The ISACA survey focused on the experiences and perceptions of consumers in relation to cyberthreats and the organisations they engage with. It highlighted the material risk to an organisation’s reputation, financials, competitiveness and potential for growth. When consumer trust falters, a business falters.
Boards rely on security professionals to play a critical role in bridging the gap between consumers’ experience and perception of cyberthreats and their expectations of an organisation’s ability to protect them and respond to cyberattacks.
Consumer concerns identified by ISACA include:
• A belief that cybercrime has increased in frequency.
• A growing fear of personal identifiable information being stolen.
• An expectation they will be the victim of cybercrime.
• A belief that a business they engage with will experience a cyberattack.
• A belief that breaches are being under-reported.
What should be of most concern to boards and security professionals is that, once trust is lost, consumers will sever ties with the business, resulting in lost revenue and reputational damage.
While many security professionals are confident of their ability to detect and respond to cyberthreats, consumers feel increasingly helpless about protecting themselves.
However, organisations seen to have more robust protections and security practices than the norm are held in higher regard. In particular, consumers value more transparent reporting of breaches, businesses with certified cybersecurity professionals and the publication of independent grading or scorecards of security practices.
Robust digital trust strategies, better communication and transparency and an improved lived experience will all help to build greater consumer confidence and lay the foundations for organisations to thrive. Boards and directors have an increasingly important role to play in achieving that outcome.
ABOUT THE AUTHOR
Jo Stewart-Rattray—CISA, CRISC, CISM, CGEIT—is a member of the information security advisory group, ISACA, vice president, community boards, with the Australian Computer Society, and Director of the National Rural Women’s Coalition. She has more than 25 years of experience in the security industry. As the director of technology and security assurance with BRM Advisory, she consults on risk and technology issues with a particular emphasis on governance and IT security in businesses, and regularly provides strategic advice and consulting to the banking and finance, utilities, healthcare, manufacturing, tertiary education, retail and government sectors.
www.linkedin.com/in/jo-stewart-rattray-4991a12