The Notifiable Data Breaches (NDB) scheme may have come into effect over a year and a half ago, but it seems there is still significant work to be done on education, after a new report revealed that a large share of the market remains unsure how the legislation affects them or their organisation.
Released yesterday, Chubb’s SME Cyber Preparedness Report found that just 31% of Australian SMEs are aware of their obligations under the NDB scheme, while 47% said they are not aware.
The remaining 21% of SMEs surveyed said they did not fall under the scheme, which applies to any entity that already has obligations under the Privacy Act to secure personal information.
John DePeters, Chubb’s cyber and technology practice leader, told Insurance Business that the findings were somewhat disappointing but didn’t necessarily come as a shock to the insurer.
“That figure of 47% is certainly a bit higher than you’d hope but it didn’t necessarily come as a surprise to us,” he said. “Frankly, it’s a complex issue and there’s still a lack of awareness.”
While DePeters acknowledged the complexity of the NDB scheme, he also stressed that it’s vital for the industry to support SMEs in gaining a better understanding of their obligations – otherwise, they risk a string of serious repercussions.
“The direct and most serious knock-on effects can be fines and penalties,” said DePeters. “Beyond that, the effects are in the areas of reputational harm and, in some cases, liabilities to customers – whether that’s consumer customers or even commercial customers.”
Regardless of whether personal or corporate information is compromised, liabilities can arise towards whichever parties are affected by a cyber incident, warned DePeters.
“Coming back to reputation, it’s integral to any business to be able to effectively respond and maintain their reputation through these incidents and that’s really a key knock-on risk,” he added.
Andrew Taylor, Chubb’s cyber underwriting manager for the Asia-Pacific region, also weighed in on the report, pointing to a split between corporate Australia and its SME counterparts.
“While larger companies seem to understand their obligations, SMEs are less clear,” said Taylor. “This is a huge cause for concern.”
According to the report, not only are many SMEs unaware of their obligations, but even those that are aware still harbour uncertainty over which types of data breach require notification.
“A cyber incident can be catastrophic for a smaller organisation, and this lack of understanding around reporting obligations raises the stakes further,” said Taylor. “While the NDB scheme is receiving more notifications, it is highly likely that many more breaches have gone – and continue to go – unreported.”
According to the Office of the Australian Information Commissioner (OAIC), the NDB scheme received 967 breach notifications from July 01, 2018 through to June 30, 2019.