The Office of The Australian Information Commissioner (OAIC) has issued a pressed release about ransomware and impersonation fraud following the release of their January–June 2021 Notifiable Data Breaches Report.

The report looked at notifiable data breaches reported to the OAIC in FY21 Q3 & Q4. We’ve explained the report’s findings below, along with what they could mean for your business and the future of cyber insurance. 

At a glance: The OAIC January–June 2021 Notifiable Data Breaches Report

Top 5 Industry Sectors to notify data breaches

Sources of data breaches

Cyber Incidient Breakdown

The OAIC urges Australian businesses to maintain adequate privacy procedures

Throughout the report and subsequent press release, the OAIC reinforced the expectation that businesses:

This expectation extends to the threat of ransomware attacks and impersonation fraud. The Australian Information Commissioner and Privacy Commissioner Angelene Falk says:

We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware.

Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.

OAIC recommendations for preventing and responding to ransomware and identity fraud risks included: 

KBI recommends businesses seek cyber insurance

When commenting on the report, Commissioner Faulk acknowledged the rise of the dark web and the increasing ease with which cybercriminals can bypass entities’ impersonation fraud protection measures.

This is part of the reason that KBI’s lead cyber insurance broker Tyler Speers recommends pairing robust privacy protection measures with an equally robust cyber insurance policy: 

Strong cyber security policies and procedures can reduce your business’ risk of a cyber attack. But, they cannot remove that risk altogether. Cyber attacks can and do have significant financial repercussions for the businesses targeted. If your business is targeted, a cyber insurance policy can help cover costs associated with privacy lawsuits, regulatory defence, extortion demands, notification, and data recovery. It will also give you access to an emergency incident response team to put the situation in the hands of the experts.

Given the growing risk of ransomware and impersonation fraud, Speers recommends that all businesses who hold personal data seek cyber insurance. He also suggests that businesses with an existing policy have a proactive conversation about risks and cover requirements with their broker.

KBI predicts changes to the cyber insurance market in FY22

Increases in the number of ransomware and impersonation attacks could result in tighter underwriting criteria for cyber insurance policies in FY22, as well as harsher terms for cover. “We are already beginning to see policies that limit cover for ransomware payments,” says Speers.

Government legislation in response to the growing threat of ransomware attacks is also a possibility. In June, Tim Watts, a federal Labour MP, introduced the private member’s Ransomware Payments Bill 2021. If passed, this bill would require businesses to report ransomware demands to the Australian Cyber Security Center.

Key takeaways

To talk to a broker, or find out more about cyber insurance, visit our cyber insurance page.