Click below to read our latest e-newsletter

This month – How will the insurance sector evolve post COVID-19?

This month – What insurance brokers can do for your business

How to keep COVID-19 out of your workplace

Below is a link to educate brokers about data matching processes, which are now required by the ATO to ensure we are adhering to compliance profiling.

By clicking below you will be redirected to our Winter Newsletter for 2020

Under the Corporations Act, directors are required to have particular regard to their duty of care, due diligence and continuous disclosure obligations when running a company. This applies to directors of private as well as public organisations. Such obligations extend to all aspects of a business, including its IT infrastructure and security.

Directors are no longer able to push the responsibility for cyber compliance onto the IT department or a third-party IT service provider. It is a director’s duty to be involved in managing and understanding the real risk associated with cyber security, and to ensure a strong compliance regime exists that addresses cyber security within the business. Failure to discharge such duties can expose directors to claims from shareholders, along with investigations from regulators such as the Australian Securities and Investments Commission (ASIC) and the Office of the Australian Information Commissioner (OAIC).

Australian Government agencies, not-for-profit organisations and all businesses with annual turnover greater than $3m have responsibilities under the Privacy Act 1988. Even small businesses with less than $3m of annual turnover have obligations under the Act if they collect health information, or sell or purchase personal information for a benefit. It is becoming more common for small businesses to ‘opt in’ to the Privacy Act and thereby send a clear message to their clients that they are committed to strong privacy practices. In recent times the Australian Privacy Principles have been updated through the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). Australian Privacy Principle (APP) 11 requires entities governed by the Act to take reasonable steps to protect the personal information they hold:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.

Significant penalties may apply for breaches of the Privacy Act, including fines of up to $340,000 for individuals and $1.7m for organisations. With this in mind, directors of companies need to start understanding the following about their business.

  • Who is responsible for cyber security within the organisation? Is there a dedicated Information Security Officer? Does the Board of Directors have oversight of cyber security? For SME businesses, do the directors understand how IT is managed within the business? If it is outsourced, do they understand the terms and conditions in place with the outsource providers?
  • Does the company have policies in place that identify external and internal threats to the organisation? How does the organisation deal with mobile device security and off-site access to systems?
  • Does the company have an incident response plan in place, and how effective is it? Does it specifically deal with IT downtime caused by malicious threats and by accidental human error? Has the plan been tried and tested, and has it been distributed to key members within the organisation?
  • What insurance does the organisation carry to deal with cyber breaches? What are the limits? Are there specific exclusions which may remove cover for the organisation in certain circumstances? Is it a full cyber policy, or an add-on policy? Does it provide access to a strong incident response team who can support the organisation when an incident occurs?

With obligations on directors increasing at a rapid rate, cyber risk management should now be at the forefront of all directors’ minds.

A message from our Managing Director, Tony McCormick.

The recent cyber attacks on Australian Government offices and businesses are yet another reminder of how financially devastating these matters can be.

Many of these are not specifically targeting businesses, just mass attempts to get into computer systems.

In March this year, we had a very small Cyber Incursion, by way of Business Email Compromise.

It was quickly found and, with our IT Managed Service Provider working in partnership with our Insurer’s Cyber Security Firm, the problem was fixed very promptly.

As at yesterday we have costs of $56,632.13 and we still have some more costs to come.

All paid by our Insurer.  A quality Cyber Insurance Policy and Response Program.  The word quality is very important here.

The costs are from our IT MSP (like many others, these costs are not covered in our regular Agreement), the Cyber Security Firm, a Specialist Vendor to establish and report on what the attackers looked at, and notification to the OAIC (Office of the Australian Information Commissioner), and we are still to finalise the last two aspects before this will be complete.

This was a very small attack but as you can see, costs have added up quickly and it will probably be four to five months of time to put this behind us.

As the Manager of our Cyber Insurance Placement Team said yesterday, “Scary times mate, any client that doesn’t have cyber insurance is risking their livelihood now!”

Please put in place as a matter of urgency, a high quality Cyber Insurance Policy/Program, that includes a very prompt, proven and effective Cyber Response arrangement.

Contact one of our Professional Account Managers to discuss.

A.P (Tony) McCormick and The MHI team.