UK Cyber Risk Survey Report reveals weaknesses in business’ dealing with suppliers
June 28, 2015
As the Board of Target USA will attest (or those of its members who remain), making sure suppliers have adequate cyber security controls is critical to maintaining a proper data security system. Target’s massive data breach was instigated through a third party that had poor data security. Businesses deal with their suppliers online as much as in person, and that interconnection is growing, not subsiding. According to a recent survey by the insurance broker Marsh, titled UK 2015 Cyber Risk Survey Report, fewer than one in three companies surveyed review their suppliers’ cyber protection, or, more accurately, their own exposure to a data breach through those suppliers. This raises compliance issues for companies under the Privacy Act 1988. There is every reason to believe the results of this survey would be replicated in Australia. Given the more anaemic enforcement of the legislation here, the degree of preparedness might even be worse than in the UK.
Other findings are:
- 11.1% of UK companies have cyber insurance, although another 38.9% of businesses intend to obtain quotes for such products within the next year.
- 47.2% of businesses have “no plans” to take out cyber insurance.
- 48.6% of businesses believe they are not well enough informed to “assess the insurances available”.
- 61.1% of organisations have not yet made any attempt to estimate the losses a breach would cause.
- nearly half of businesses do not have a full “incident response plan for material cyber events”: 22.2% do not have one at all, while 26.4% have only a partial plan.
- 19.4% have board-level ownership of cyber risk.
- 40.3% of businesses experienced a cyber-attack in the past 12 months, a year-on-year rise.
The results are sobering in terms of business governance. ASIC has made it clear that proper data security is an issue of governance (see my post from 6 April 2015 here). The Privacy Commissioner should regard it as equally important; at the very least, it is an intrinsic part of the Australian Privacy Principles.
It is little wonder that the conclusion of the Marsh report is slightly pessimistic as to the adequacy of both protection and (no doubt from Marsh’s perspective) insurance coverage, when it states: