Hung out to dry – the risks of cyberwashing
The evolving cyber threat landscape poses challenges for businesses of all sizes and across industries and sectors. Surveys consistently reveal cyber risks as a top concern amongst businesses from SMEs to global companies.
Cyber Warden’s Small Business Cyber Security Pulse Check Report 2024 found 82% of Australian small business owners and staff are concerned about cyberattacks – unsurprising given 82% of businesses had experienced a cyber incident in the past 12 months. According to the Allianz Risk Barometer 2025, cyber incidents are the top global business risk for the fourth year running with 38% (56% in Australia) of respondents identifying cyber threats as their most significant concern. Rubrik Zero Labs’ The State of Data Security in 2025: A Distributed Crisis study found 90% of the global firms surveyed reported at least one successful cyberattack in 2024, with nearly 20% saying they endured over two dozen such incidents in the year.
Three-quarters of Australian businesses expect to face a cyber breach in 2025, according to research from cybersecurity firm Zscaler.
In response to the growing awareness of cyber risks, many businesses are rightfully focussing on cybersecurity. While spending on cybersecurity is increasing around the world – set to rise 15.1% to reach US$212 billion globally this year, according to Gartner – some businesses are getting ahead of themselves when it comes to declarations about their cybersecurity credentials.
Keen to be seen to be on top of cyber threats, some are exaggerating the business’ cybersecurity. Cyberwashing – the practice of organisations misleadingly promoting their cybersecurity measures or data privacy practices to appear more secure or responsible than they actually are – presents its own risks for business.
Cyberwashing on the rise
“Cyberwashing means using misleading, deceptive or exaggerated claims about the cybersecurity of a product or service, or the company’s data handling practices,” notes law firm Dentons.
“The term can also encompass misleading someone about the cause of a cyberattack, or its severity, or the company’s response to it.”
Research from Monash University has highlighted the growing prevalence of cyberwashing among Australian organisations.
Lead author of the Cyberwashing: The disconnect between cybersecurity claims and real practices report, cybersecurity expert Professor Nigel Phair from the Faculty of Information Technology, said cyberwashing creates a false sense of security and can have serious consequences for consumers and businesses alike.
“Over the past few years, we have seen several high-profile data breaches in Australia, including those affecting Optus, Medibank and Latitude Financial Services. In each case, these organisations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place,” Professor Phair said.
“This kind of cyberwashing erodes trust in organisations and, as we have seen, can result in severe financial, reputational and legal consequences, especially in the event of a data breach.”
Data breaches, Phair noted, have an “interrelationship with cyberwashing”. Resultant legal actions by regulators or consumers – which test in court whether the breached organisation had sufficient cybersecurity practices in place to safeguard consumer data – often expose the sizeable gap between a business’ stated cyber capabilities and the cyber controls in place.
ASIC has cybersecurity in its sights
In recent years, the Australian Securities and Investments Commission (ASIC) has made lapses in cybersecurity a target enforcement area, with the corporate regulator considering that ensuring ‘good cyber risk management’ is in place forms part of a director’s duty to act with care and diligence.
ASIC Chair Joe Longo has urged boards to prioritise addressing cyber weaknesses and flagged that failure to give cybersecurity and cyber resilience sufficient priority “creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence”.
Nominating ‘licensee failures to have adequate cybersecurity protections’ as an enforcement priority for 2025, ASIC is investigating how directors have prepared for and responded to cyberattacks. Legal action is looming against some unnamed individuals, the AFR reported.
One case has been announced, with ASIC revealing it is taking legal action against FIIG Securities Limited in the Federal Court. ASIC alleges that from March 2019 to 8 June 2023, FIIG failed to take the appropriate steps, as required of an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place. FIIG’s alleged cybersecurity failures enabled a hacker to enter its IT network and go undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and the subsequent release of client data on the dark web. ASIC is seeking declarations of contraventions, civil penalties and compliance orders.
This is the second time ASIC has pursued an AFS licensee for failing to implement effective cybersecurity risk management systems. The first landmark case was brought against RI Advice in 2022. The Federal Court found RI Advice breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks. The financial services firm suffered numerous cyber incidents between 2014 and 2020, including one where hackers had access to several thousand client files which went undetected for five months. RI Advice was ordered to pay $750,000 towards ASIC’s costs.
Given ASIC’s enforcement priority, it is not unreasonable to expect the regulator to have cyberwashing on its radar too. ASIC commissioner Simone Constant has said companies will not get away with paying lip service to cyber defence and must provide evidence they had performed their duties if their organisation was breached by cybercriminals.
“We don’t want to see the rise of cyberwashing. When companies make disclosures, public statements and give assurances about their cyber safety … they need evidence,” said Ms Constant.
Cyberwashing: a focus for data breach class actions
It isn’t only the regulators that are going after companies that fail in their cybersecurity; private litigation is on the rise too.
When cybersecurity failings lead to an avoidable breach or incident, the opportunity for legal action may present itself, and the failings pleaded can include cyberwashing – statements about security that the business could not back up.
One example is the Optus data breach in 2022 which compromised the personal details of nearly 10 million customers. This not only resulted in a lawsuit brought by the communications regulator (with a potential maximum fine of $900 million if found guilty), but also attracted a class action lawsuit with the plaintiffs alleging that Optus failed to protect, or take reasonable steps to protect, the personal information of its current and former customers.
Another example is the Medibank data breach also in 2022 which saw the personal information of 9.7 million Australians exposed. The private health insurer faces huge fines from the Office of the Australian Information Commissioner if found to have breached the Privacy Act and also a class action lawsuit on behalf of individuals who were affected by the data breach.
Law firm Allens notes the common element across the class action claims is an overarching allegation that:
- the defendant made promises and representations to consumers in its privacy policies, contracts and other material about the systems and processes it had in place to comply with its data handling and cybersecurity obligations, and
- these promises and representations were false.
“This means that, for corporate Australia, statements companies make about their security and data handling practices and data breaches present the biggest class action risk at this time,” stated Allens.
The lawyers note that companies need to be careful about statements they make:
- in the aftermath of a cyber incident about the nature and severity of the incident, and
- about their security posture more broadly, their compliance with relevant regulatory regimes, and the cyber risks that they face.
Ramifications for cyber insurance
“Cyberwashing refers to the practice of organisations misleadingly promoting their cybersecurity measures or data privacy practices to appear more secure or responsible than they actually are. This can involve overstating the effectiveness of their security protocols, downplaying past data breaches, or using vague language to create a false sense of security among consumers and stakeholders,” according to Professor Phair.
One of those stakeholders could be insurers.
In line with the growing awareness around cyber risks, more businesses are looking at cyber insurance. According to IT security specialist Arctic Wolf, 43% of businesses in Australia and New Zealand currently hold cyber policies and 57% are considering one.
Part of the application process for taking out cyber cover is presenting cybersecurity information to prospective insurers. Insurers use the information provided in the proposal to help them determine the business’ risk profile, decide whether to offer cover, and on what terms and conditions.
Cyber insurance policies generally require businesses to meet certain security standards and accurately report their cybersecurity practices. As such, the information provided during the underwriting process is crucial and prospective policyholders have a legal obligation to provide accurate details.
If it is later found that the policyholder made false or misleading statements in their application, the insurance company could limit any payout or cancel the policy.
It is not only cyber policies that could be impacted. Any policy where details about cybersecurity are required, for example in some D&O covers, could be jeopardised if false or misleading information was provided.
“If a company has misrepresented its security posture through cyberwashing, it may face difficulties in making successful claims,” noted Professor Phair.
However, the Monash report also notes that insurers have a ‘check’ role in the fight against cyberwashing: “Insurers could deny coverage if it is found that the business failed to maintain its stated level of cybersecurity or misled them in the underwriting process.
In this sense, cyber insurance can act as a check on cyberwashing by holding companies accountable for accurately reporting their cybersecurity efforts when seeking coverage.”
Cyberwashing not only exposes the business to regulatory and legal ramifications but can also put insurance cover at risk. To reduce the risk, work with your EBM Account Manager to ensure that the proposals submitted to insurers accurately reflect the business’ cybersecurity credentials.