Accountancy Insurance associate director of professional risks, Karen McDonald, told Accountants Daily that the Privacy Amendment (Notifiable Data Breaches) Act 2017, which amended the Privacy Act 1988 (Cth), impacted reporting requirements for accounting firms that suffer data breaches.
“With the changes to the Privacy Act, businesses over a certain size will have to report any data breaches and if the privacy commissioner deems that they hold inappropriate security systems, then they could be fined $360,000 for individuals or $1.8 million for businesses,” Ms McDonald said.
As well as ensuring they have sufficient security systems in place, Ms McDonald said accounting firms should be careful to review their cyber insurance policy in the event of a system hack.
“Most insurance policies exclude cyber attacks, so what firms need to do is take out a specific cyber insurance policy,” she said.
Ms McDonald said there are often three components to a cyber security insurance policy.
“Firstly, it covers first-party. So, say, for instance a staff member opens up an Australia Post email and in there is a virus, and it shuts down their system for a few days – it covers the cost to restore their own system,” she said.
“The second component is third-party. So, say, for instance they were hacked and their client's data was made available in the cyber world; their clients then could sue them for breach of privacy.”
“The third part of the policy is loss of profits. So, say, for instance they were down for five days, it would cover the loss of profits.”
Ms McDonald said she expects more firms to consider cyber insurance, with only 2 per cent of all businesses currently holding a cyber policy.
“The changes to reporting that are going to come into effect over the next 12 months, that's where we're going to see a lot of people buying cyber insurance,” she said.