In it together - The arrival of vendor cyber risk in Australia

Posted June 20th, 2018 in australia, cyber risk, data breach, sme

It's been hard to miss the coverage of Australia's most recent high profile data breach over the past weeks. On 5 June PageUp issued their press release providing detail of the unauthorised activity on their IT System which has subsequently been followed by a number of updates

The bad news is affected data include names, street addresses, email addresses, and telephone numbers. The good news is that, according to PageUp, the threat has been contained and eradicated and no employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected.

Cyber incidents are not new or uncommon, there were 47,000 cyber incidents in Australia last year and earlier this week Lloyd's ranked cyber attacks as the second biggest threat to the Australian economy

What made this incident compelling for so many is the high profile list of potentially affected counter-parties (those that I could find identified in the press so far):


The ripple effect of this incident is wide, but not surprising. Australian businesses are digitally interconnected like never before. We often think of supply chains in terms of growers, shippers, manufacturers, wholesalers and retailers but in our modern service economy, this has changed.

Take a moment to reflect on the customers and suppliers that make up your digital supply chain and it's not hard to see that when it comes to cyber risk, we're in this together!

When one of your customers or suppliers suffers a data breach that has potential to affect the day-to-day operations of your business it's only prudent for you to reach into the bottom draw pull up the "Contracts" folder in the shared drive and look for few answers in the supply agreement:

Who’s responsible for securing our clients' data?

What recourse do we have?

Is this a termination event?

For many Australian businesses, it might be the first time these questions are being asked, but anecdotally that is rapidly changing.

Increasingly, major Australian Corporates and Government Agencies are including contract terms that specify responsibility and recourse for cyber incidents as well as setting minimum security standards and mandating specific cyber insurance in the same manner Principals have addressed Personal Injury, Property Damage and Professional negligence in the past. This is not only for IT or SAAS providers but for all contracting parties.

When it comes to cyber risk management and insurance the United States has provided a consistent and reliable lead indicator for Australian business, a fact we were most recently reminded of with the introduction of mandatory breach reporting legislation here in February.

In the US, vendor risk assessment and management has been a significant point of commercial discourse for the best part of the last three years with supply chain professionals increasingly working with risk and insurance to form policies, execute contracts, monitor and enforce cybersecurity throughout their digital ecosystem.

US Companies are now actively managing vendor lists on cybersecurity and insurance KPIs with those unable to meet requirements left without a spot on the RFP list.

Along with diligent engagement of security professionals, Cyber insurance as huge role to play in ensuring that SMEs in Australia have the financial protection and emergency response capability required for them to stay on that list and stay in business if they suffer a cyber attack.

Take-up rates of cyber insurance in Australia are reported as low as 7%, as high as 14%. For SMEs which account for 57% of Australian GDP, the number is certainly at the lowest end of the range.

As Australian businesses of all sizes continue to evolve the way they understand, allocate and transfer cyber risk amongst each other, more will need to give serious consideration to cyber insurance rather than continuing to carry the risk from their ‘Digital Ecosystem’ on their own balance sheet.

To learn more about Edmund Protects Australian SMEs from the effects of Cyber Risk Click Here