Cyber-attacks are continuing to rise, yet we know finding cyber-criminals is no easy task. In fact, it’s rare they’re caught or held accountable for the damage they cause.

With increasing reliance on outsourcing IT services to third party providers, IT professionals are finding themselves at risk as individuals and organisations commence legal proceedings following a cyberattack.

So, what are the Duty of Care responsibilities for IT Professionals?

People and businesses of all shapes and sizes have a legal responsibility to take all reasonable measures necessary to prevent activities that could harm people and, or their property. The negligent or reckless behaviour of an individual or organisation may make them liable for any losses or harm due to that behaviour.

Reassuringly, many industries and professions have long-established codes of practice and standards that serve as a guide for legal decisions.

Industry Standards

Believe it or not, there are no widely accepted industry standards that protect clients from cyber-attacks. As such, much debate remains on whether service providers should bear any liability for cyber-attacks.

So, therein lies the challenge. At what point does the Duty of Care responsibility begin or end for an IT service provider?

A common practice for IT service providers is the use of contract disclaimers or detailed service level agreements that exclude liability for cyber breaches. However, without clear industry guidelines, the disclaimer may not stand up to scrutiny in a court of law.

Thus, while IT Service providers can clearly define their terms, limitations and their actions to protect against cyber breaches, the contracts may not offer complete protection from liability.

However, there are steps IT professionals can take to manage their risk.

Here are 7 actions IT Professionals can implement today based on recommendations by Brooklyn Underwriting:

1. Check you have Cyber Insurance

General business or professional insurances often exclude cyber insurance. Talk to your insurance broker about your insurance program and risk exposure. They can advise on the most appropriate policies for your business needs and guide you through the options for mitigating or transferring risk to insurance.

Hands working on digital device network graphic overlay

2. Ensure your IT systems are secure

While you may not be able to make your IT Systems iron-clad, you must take all reasonable steps to ensure they are secure and cannot be accessed via client networks. Segregate your networks where possible. Alert clients to new threats and record any conversations or emails.

Woman sitting behind multiple computer screens with data coding displayed across screen.

3. Implement an update schedule

Implement regular software and anti-virus updates to detect malware using an endpoint detection and response tool. Ensure you have a critical and non-critical patch management program, plus secure backups that you test annually.

File Security Online Security Protection Concept

4. Implement strict password management

Set multi-factor-authentication and a regular password change schedule for all access to your network and client networks. Additionally, schedule regular team training to ensure staff can identify and report phishing email scams or other potential cyber threats.

Notebook laying on laptop keyboard with multiple passwords written on it paper

5. Clearly define your terms of engagement and responsibilities

Detail and agree your terms, terminology and responsibilities for cyber security in all contracts and service agreements. Where you have responsibility, invest in training to ensure your team possess the skills to meet your duty of care. Be diligent in reporting system issues to clients and agree the actions, costs and timeframes required to fix any issues. Be sure to respond promptly to any service complaints and keep a record of all events, conversations, and emails.

Close up of businesswoman signing documents in the office.

6. Mitigate cyber risk

With uncertainty on liability, it is critical to mitigate the risk of cybercrime. Therefore, take all the necessary steps to reduce the risk of a cyberattack for you and your clients. Afterall, it may reduce the impact on customers, suppliers and other affected parties and may reduce the likelihood of a claim against you or your client.

Computer Security System Data Protection Graphic

7. Prioritise training

No matter the appeal, if a new or existing client requests work that is beyond your expertise, it is advisable to consider whether to undertake the work.

Equally important is ensuring your team maintain and regularly upgrade their skills. Ensure your team stays up to date on regulatory requirements and how to tackle emerging cyber threats.

Full concentration at work. Group of young business people working and communicating while sitting at the office desk together with colleagues sitting in the background


Transferring cyber risk to insurance

Clear Insurance helps businesses identify, understand, and manage business risks, including cyber security risks. Our risk and insurance review assesses your risk exposure and recommends the most appropriate ways to transfer risk to insurance.

Contact Clear Insurance today for advice.

This article is based on an original article titled ‘Where does it end? An IT professional’s duty of care responsibilities’ by Brooklyn Underwriting, a division of AXA XL.

General Advice Warning: This advice is general and does not take into account your objectives, financial situation or needs. You should consider whether the advice is appropriate for you and your personal circumstances. Before you make any decision about whether to acquire a certain product, you should obtain and read the relevant product disclosure statement.

Clear Insurance Pty Ltd. ABN. 41 601 916 689. AFSL No. 548953.