CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.


10 Considerations for Developing a Data Breach Response Plan
Operation Resilient Shield
Victorian Racing Integrity Commissioner Seeks Access to Metadata
EU and U.S. Agree in Principle on New Trans-Atlantic Data-Transfer Agreement
Top Five Cybersecurity Insurance Tips
Cybersecurity Risk Management – Financial Services Entities Required to Act
Cyber Insurance is Only a (Small) Part of the Solution
New Data Retention Laws Implementation Deadline
Quick Tips for Entities Looking to Protect Against Cyber Breaches
European Court of Justice Declares EU/US Safe Harbour Decision Invalid

10 Considerations for Developing a Data Breach Response Plan

By Jim Bulling and Michelle Chasser

A quick response to a data breach is key to mitigating its impact. The Office of the Australian Information Commissioner (OAIC) recommends that all entities have a data breach response plan in place and has recently released draft guidance on how to develop such a plan.

The guidance recommends that the plan include setting out the actions to be taken in the event of a breach and the team members involved in those actions. Here are some questions for your organisation to consider based on the OAIC’s draft guidance to developing a data breach response plan.

1. What constitutes a data breach?

2. What actions should your staff take?

3. Who is a member of the response team?

4. When does a breach needs to be escalated to senior management?

5. Who is responsible for contacting and managing any affected individuals?

6. Who decides whether to contact law enforcement or regulators?

7. How are records of data breaches kept?

8. How will you identify and address any weaknesses in data handling that contributed to a data breach?

9. Are there any steps your cybersecurity insurance policy requires you to follow?

10. How will you test your response plan?

The OAIC’s Guide to developing a data breach response plan Consultation draft can be found here.

Operation Resilient Shield

By Jim Bulling and Michelle Chasser

The US and UK are set to launch Operation Resilient Shield later this month. Operation Resilient Shield is a cybersecurity exercise to test each country’s readiness to withstand a serious attack designed to steal financial information and disrupt financial systems. Banks and government agencies in both countries will be involved.

As with the UK’s previous large scale cybersecurity exercise in 2013, Operation Waking Shark II, not a lot of detail about the operation has been released. The UK Computer Emergency Response Team (CERT) will be overseeing the operation and is thought to be focusing on communication between the two governments and the participating banks as well as amongst the participating banks themselves.

The joint UK US operation was originally announced in January 2015 by UK Prime Minister David Cameron and US President Barack Obama as part of an agreement between the two countries to develop cybersecurity cooperation principles.

EU and U.S. Agree in Principle on New Trans-Atlantic Data-Transfer Agreement

By Cameron Abbott and Melanie Long

On 26 October 2015, European Commissioner Vera Jourová, announced that the European Union had agreed in principle with the US on a new trans-Atlantic data-transfer agreement. Commissioner Jourová made the announcement in a speech, before the Committee on Civil Liberties, Justice and Home Affairs, which addressed the recent judgment of the European Court of Justice that invalidated the safe harbour scheme between the two countries (Schemes decision). Commissioner Jourvá said, “there is agreement…in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She also added that she expected both sides to make progress on the remaining technical points of discussion by mid-November, when she is scheduled to visit the US. The European Commission is also planning on issuing an explanatory Communication on the consequences of the Schemes decision so that businesses and industry have ‘clear explanations and a uniform interpretation of the ruling.’ The European Commission are also working towards a pending deadline set by European data protection authorities who have said that if, by the end of January 2016, no appropriate solution is found with the U.S. authorities, they will take all necessary and appropriate steps (including enforcement action) to enable data transfers to the U.S. that respect fundamental rights.

The European Commission’s press release can be found here.

Top Five Cybersecurity Insurance Tips

By Jim Bulling and Roberta Anderson

The increased risks posed by cybersecurity breaches has meant that many organisation are looking to insurance to address some of the exposure. But cybersecurity insurance is still new and there are things which companies wishing to purchase cybersecurity insurance should look out for. Here are five tips if you are considering obtaining or renewing a cybersecurity insurance policy.

Read More

Cybersecurity Risk Management – Financial Services Entities Required to Act

By Jim Bulling

It seems clear following the release in March this year of ASIC Report 429 Cyber Resilience, that all Australian Financial Services Licensees and superannuation funds are currently required to include in their risk management framework measures aimed at addressing the risks posed by cybersecurity breaches.

In addressing the risks ASIC recommends that the U.S. National Institute for Standards and Technology (NIST) framework is a relevant risk management tool. The NIST standards set out the key objectives of an appropriate risk framework:

  • identify the critical assets and governance processes
  • protect critical assets
  • detect breaches and incidents
  • responses to breaches and incidents
  • recovery and reinstatement of systems.

You can download a copy of the framework here

These objectives will need to be merged into the existing financial services policy frameworks which financial services entities already have in place.

Cyber Insurance is Only a (Small) Part of the Solution

By Jim Bulling

Insurers in the U.S. and Europe are forecasting that the market for cyber insurance will grow exponentially in the next five years as more companies look to beef up protection against malicious cyber attacks.

While the insurers see a significant new market emerging, there are signs that they are wary of the risks and this is impacting on premiums and the limitations being placed on cover. There are a number of insurers offering cyber cover in the Australian market and companies looking for additional protection would be well served by closely examining the terms of the proposed cover to ensure it extends to the more significant cyber risks and does so in a way that complements rather than overlaps the existing insurance program which an organisation has in place (eg Public Indemnity , Directors and Officers Liability, Crime and Property).

It is also worth noting that insurance should only be seen as one component of an organisation’s risk management processes around cybersecurity. A leading insurance broker has suggested that investment in technology is the most important factor in reducing the risk profile while the contribution from insurance is much more modest and to be effective needs to be accompanied by investment in technology.

Quick Tips for Entities Looking to Protect Against Cyber Breaches

By Jim Bulling

Research in Australia and overseas suggests that most cyber breaches can either be prevented or the impact of any attack can be significantly limited by a range of low cost and easy to implement measures. These include the following:

  • Username and password standards should be sophisticated.
  • Administrative and privileged access should be controlled.
  • Undesirable applications should removed.
  • Automated patching tools and processes should be used.
  • Data should be backed up regularly.
  • Access to mobile devices should require authentication and data should be encrypted.
  • Anti virus software and filters should be used.

Research released by the Australian Defence Signals Directorate (DSD) indicates that at least 85% of the cyber intrusions that the DSD has responded to would have been mitigated had organisations implemented the above strategies.

European Court of Justice Declares EU/US Safe Harbour Decision Invalid

By Cameron Abbott and Melanie Long

The European Court of Justice has declared a decision by the European Commission on the legitimacy of the EU/US safe harbour scheme (safe harbour decision), invalid. In the wake of the Snowden scandal, Austrian citizen, Maximilian Schrems, lodged a complaint against Facebook with the Data Protection Commissioner in Ireland (the location of Facebook’s European headquarters). The Irish supervisory authority rejected Mr Schrems’ complaint on the basis of the safe harbour decision. In invalidating the safe harbour decision, the European Court of Justice declared that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” Further, that the safe harbour scheme, by not providing for an individual to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data, compromised, “the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”

The consequence of this decision is that the EU/US safe harbour scheme is contrary to the Data Protection Directive, which provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The European Court of Justice’s press release can be found here.

To read the full judgment of the European Court of Justice click here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.