It’s been more than three years since the Australian Government introduced its mandatory reporting regime for data breaches. The Government announced plans in late 2021 for a mandatory reporting regime for ransomware attacks following the significant rise in these incidents.


What we have seen is that this space is constantly evolving and entities cannot take a ‘set and forget’ approach when it comes to their privacy and cyber security posture. Everyone from frontline staff to the Board has a role to play and we need to see entities move from a reactive approach to a proactive and resilient approach to dealing with privacy issues and cyber security threats.


This means a clear privacy and cyber framework, clear roles and responsibilities and regular training and education of staff through to the Board.


To help you with this, we have produced the following cybersecurity checklist.


We regularly advise clients on how they can implement and manage a proactive cybersecurity program. We have condensed this advice to the following checklist of questions you need to be asking within your organisation.


  • Is cybersecurity a Board concern? ASIC makes it clear, given the magnitude and prominence of cyber risk for most organisations, that informed oversight of risk involves the Board being satisfied that cyber risks are adequately addressed by the organisation’s risk management framework.
  • Is your data breach response plan regularly reviewed and kept up to date for the latest market and regulatory developments such as the increased prevalence of ransomware attacks and new legislative obligations?
  • Do you have a privacy management plan to embed a culture of privacy, establish robust and effective privacy practice, implement procedures and systems, evaluate what you are doing and enhance your response?
  • Do you have appointed privacy and cyber champions within the business? These issues are a whole-of-business concern and not merely the responsibility of IT or legal.
  • Do you provide regular training and education which is ‘fit for purpose’ at all levels, from frontline staff (such as phishing email campaigns) to the executive and the Board (e.g. running tabletop and hypothetical scenarios)?
  • How do you monitor and stay on top of the latest developments and trends?
  • When was the last time you conducted a data mapping exercise to understand the data you hold and the systems used?