Do companies require a cybersecurity risk management plan, under Australian law?

A cybersecurity incident is reported about every 8 minutes in Australia, causing significant business disruption and loss[i]. However, there is still a lack of understanding of regulatory obligations concerning cybersecurity and privacy risk management, of how to respond to cyber incidents and data breaches, and of the reporting requirements that apply to them.

Companies that experience cybersecurity attacks and do not have adequate cybersecurity risk management plans, policies, systems and controls in place are at risk of prosecution by regulators for contravention of the Corporations Act and the Privacy Act. They are also exposed to significant business disruption extending to supply channels and customers, resulting in financial losses, reputational damage and damages claims by parties affected by the cyber incident.

Company directors and other officers also face legal action for failing to exercise their duties in the management and control of the company with a reasonable degree of care and diligence[ii] if they have not implemented appropriate cybersecurity risk management and cyber resilience plans. Although a recent survey of company…
