At the time of writing, the Medibank data theft saga was continuing to unfold (Optus must be thanking their lucky stars), and news outlets were reporting that the health insurer could face a compensation bill of over a billion dollars. When you consider the billions wiped from their share price since the hack first became public, we are starting to see that – when it comes to cyber risk management – the price of failure is a steep one indeed.
Between the Medibank and Optus incidents, there has been no lack of observers – ‘expert’ and otherwise – willing to join the massive pile-on (some of it undoubtedly deserved). But as the dust appears to settle – just a little – now is the time to seriously ponder what lessons can be learned from the two cases, to help avoid similar debacles going forward.
For what it’s worth, here are some of my initial thoughts:
1. Prevention is better than cure
Having a comprehensive, well-planned, well-resourced disaster recovery plan in place is great, but you’d prefer not to need to ever use it. Dealing with any kind of unauthorised access to a computer system is difficult, time-consuming and expensive – it’s even worse if sensitive data has been stolen. The primary focus always needs to be on stopping it in the first place, and disturbingly, there are some simple actions that can be taken on this front that many businesses seem to neglect.
2. MFA – at all stages - is a no-brainer
The Medibank breach was apparently committed by a threat actor who purchased on the dark web, the credentials of an individual with privileged access to Medibank’s internal systems. Once inside the threat actor was able to access and exfiltrate sensitive customer data. It has been suggested that access to that sensitive customer data did not require Multi-Factor Authentication – if it did the breach might have been avoided. Many organisations have implemented MFA for employees and contractors remotely accessing their computer network but have not implemented MFA as a requirement for executing privileged actions. This can and should be done.
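The distinction above, between MFA at the network edge and MFA at the point of a privileged action, is easiest to see in code. The following is an added illustration, not code from Medibank, Optus or the author: a small authorisation layer in which the weak policy trusts a single MFA check at login for everything, while the hardened policy demands a fresh step-up challenge before any privileged action (the action names, the ten-minute freshness window and the sample session are all assumptions chosen for the example).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Actions treated as privileged: each must be gated by its own MFA challenge.
# (Hypothetical action names chosen for this example.)
PRIVILEGED_ACTIONS = frozenset({"export_customer_records", "grant_admin_role", "disable_logging"})

# How long a passed step-up challenge stays valid for further privileged actions (assumed value).
STEP_UP_WINDOW = timedelta(minutes=10)


@dataclass
class Session:
    user: str
    is_privileged_user: bool
    network_mfa_at: Optional[datetime]         # MFA passed at remote/VPN login, if any
    step_up_mfa_at: Optional[datetime] = None  # last MFA challenge passed inside the application


def network_only_policy(session: Session, action: str) -> Tuple[bool, str]:
    """The weak pattern: MFA is checked once at the network edge and never again."""
    if action in PRIVILEGED_ACTIONS and not session.is_privileged_user:
        return False, "user lacks privilege"
    if session.network_mfa_at is None:
        return False, "network login without MFA"
    return True, "network MFA accepted for all actions"


def step_up_policy(session: Session, action: str, now: datetime) -> Tuple[bool, str]:
    """The recommended pattern: privileged actions need a recent MFA challenge of their own."""
    if action not in PRIVILEGED_ACTIONS:
        return True, "non-privileged action"
    if not session.is_privileged_user:
        return False, "user lacks privilege"
    last = session.step_up_mfa_at
    if last is None or now - last > STEP_UP_WINDOW:
        # A session opened with a purchased password, or a hijacked session cookie, is stopped
        # here even though it looks legitimate to the network-edge check.
        return False, "step-up MFA required"
    return True, "step-up MFA fresh"


def record_step_up(session: Session, challenge_passed: bool, now: datetime) -> bool:
    """Called by the MFA handler; only a passed challenge refreshes the step-up timestamp."""
    if challenge_passed:
        session.step_up_mfa_at = now
    return challenge_passed


def demo() -> dict:
    """Constructed scenario: a privileged account whose session is already inside the network."""
    t0 = datetime(2022, 10, 1, 9, 0, tzinfo=timezone.utc)
    session = Session(user="svc-admin", is_privileged_user=True, network_mfa_at=t0)
    action = "export_customer_records"
    results = {
        "weak_policy": network_only_policy(session, action)[0],
        "strict_before_challenge": step_up_policy(session, action, t0 + timedelta(minutes=1))[0],
    }
    record_step_up(session, challenge_passed=True, now=t0 + timedelta(minutes=2))
    results["strict_after_challenge"] = step_up_policy(session, action, t0 + timedelta(minutes=3))[0]
    results["strict_after_window"] = step_up_policy(session, action, t0 + timedelta(minutes=20))[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point to take from the scenario is that the weak policy allows the bulk export the moment the session exists, whereas the step-up policy denies it until a challenge is passed and denies it again once the window lapses; the same structure works whether the action is a data export, a role grant or a change to logging.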
3. Is Cyber Insurance really optional?
Medibank decided not to renew its Cyber Insurance in June 2021. Perhaps they thought it was too expensive, or perhaps they thought it was unnecessary having decided never to pay a ransomware demand. But ransom payments are only part of the problem – the forensic IT, legal, regulatory, and other costs incurred in dealing with the breach (which are in addition to the $1 billion in compensation that might be payable to the customers and shareholders who have commenced class actions) will run into millions and will be an uninsured loss that hits the Medibank bottom line (ouch).
There is no doubt that the cost of Cyber Insurance has increased significantly for some sectors and for good reason. Statistically, the health sector has long been the number 1 target for cybercriminals, due to the sensitive nature of the data involved. In turn, this has seen the sector as the number 1 source of insurance claims globally.
Given it is impossible to make any computer system or database entirely secure, you start to realise what an extraordinary decision Medibank made not to renew its Cyber Insurance. Any argument that this observation is made with the benefit of hindsight just doesn’t wash and if I was a shareholder, I would be very disappointed. They clearly got their cost-benefit analysis wrong on this occasion.
4. Risk prevention must address the human element
Preventing a cyber incident from happening requires technical advice, services, and tools from IT security specialists, but even with the best IT security controls, human error continues to play a significant role, contributing approximately 30% of total loss payouts for Cyber Insurance globally. This is why insurers always ask about staff cyber awareness training in their proposal forms – when was the last training session conducted and when is the next one planned? Insurers like to see that this training is being conducted every 12 months at least.
5. Post-incident response is critical
If your business suffers a cyber incident, you are going to need expert help dealing with it and getting your business back up and running as quickly as possible.
One area in which both Medibank and Optus could have benefited from such advice is communication and crisis management. I have to say, as an observer and a customer, the communication from both companies was underwhelming. Vague, evasive, late – and in some cases just plain inaccurate – it would not surprise me if these become future case studies about what not to do.
It's worth noting that Cyber Insurance typically provides cover for costs incurred by the insured when engaging PR/Crisis Management consultants to assist in managing communications following a cyber incident.
6. Regulatory exposure is increasing
In addition to the costs and liabilities referred to above, Optus and Medibank have to worry about what regulatory consequences they might be facing from the likes of ASIC and the Office of the Australian Information Commissioner (OAIC). This will involve the incurring of more legal and other costs and possibly the payment of fines or penalties.
Regulatory action over privacy breaches has been muted in Australia compared to other jurisdictions, but that seems unlikely to continue in the wake of these two major data breaches. They also provided tailwinds for the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which increases the maximum penalty for serious or repeated breaches from the current $2.2m to whichever is the greater of:
- $50m
- 3 times the value of any benefit obtained from misuse of information
- 30% of a company’s adjusted turnover in the relevant period
The Bill also provides the OAIC with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers.
7. Reputational damage can have a financial impact
Of all the numbers bandied around, one cost that hasn’t been mentioned – and which is largely intangible – is the cost to the brand reputations of Medibank and Optus. Reputations are hard earned but easily lost, and both firms may find the road back is a long and hard one (and not one easily fixed with a simple advertising campaign). Brand damage can also lead to negative financial impacts on the business – and some Cyber Insurance policies provide cover for ‘reputational damage’ caused by a cyber incident.
We will never be in a position where cyber-attacks and data breaches are a thing of the past, so our only option is to get better at preventing them from happening and mitigating the impacts when they do. As unfortunate as the Optus and Medibank sagas are, hopefully they have provided us with lessons that will help us to become a more cyber-resilient society. And therein lies the silver lining.
For an obligation free chat about how Headsure can help you and your business become more cyber resilient, give us a call or send us an email.