Thanks to OPTUS, and now MEDIBANK, cyber resilience is #trending. But what does it actually mean? Cyber resilience is one of the hottest topics around at the moment, courtesy of unfortunate incidents experienced by one of our biggest telcos and our largest private health insurer.
ASIC measures and reports on the cyber resilience of entities they regulate (which is just about every business in Australia).
So far, they have issued three such reports (555, 651 and 716) and, notwithstanding the OPTUS and MEDIBANK incidents, Australia’s cyber resilience appears to be increasing (clearly there is still much room for improvement!).
ASIC measures and reports on cyber resilience using a framework developed by the US National Institute of Standards and Technology (NIST). The framework sets out five core functions for cyber resilience procedures:
1. Identify
Identification of the firm’s most critical assets and data, and an understanding of potential areas of exposure to cyber risks across the business (including third party suppliers such as platforms and cloud service providers).
2. Protect
The protect function involves preventative measures aimed at minimising opportunities for cybersecurity events to occur. Examples include user access management, training and awareness programs, mandatory security requirements for third party providers, and data protection policies and procedures.
3. Detect
Monitoring and time to detection of a cybersecurity event are critical to the success of a response and recovery strategy. If an intrusion is not detected early, the intruder may continue to operate unnoticed, accessing sensitive information and/or damaging the organisation’s internal assets. Firms should put in place the technology, procedures and resources to detect a breach. This may include baselining normal operations so that anomalies can be detected (for instance a spike in online posting or transactions).
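To illustrate the baselining idea in the Detect function, here is an added example (not from the original article) that learns a baseline from constructed hourly transaction counts and flags any hour whose count sits far above it; the counts, the 3-sigma threshold and the function names are all assumptions made for the illustration.

```python
"""Baseline-and-anomaly check for hourly transaction counts.

Added example, not part of the original article: a baseline (mean and
standard deviation) is learned from a training window of "normal" hours,
and new counts whose z-score exceeds a threshold are flagged as spikes.
All numbers below are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed baseline: hourly transaction counts over normal business hours.
BASELINE_COUNTS = [118, 124, 130, 121, 127, 135, 119, 128, 122, 131,
                   126, 129, 120, 133, 125, 123, 132, 127, 121, 130]


def build_baseline(counts, floor_sigma=1.0):
    """Return (mean, std) for the training counts.
    floor_sigma stops a near-constant baseline from flagging tiny wobbles."""
    if len(counts) < 2:
        raise ValueError("need at least two baseline samples")
    return mean(counts), max(pstdev(counts), floor_sigma)


def score(count, baseline):
    """z-score of one observation against the (mean, std) baseline."""
    mu, sigma = baseline
    return (count - mu) / sigma


def detect_spikes(observations, baseline, threshold=3.0):
    """Return [(label, count, z)] for observations above the threshold.
    Only upward deviations are flagged: a spike in transactions or postings
    is the signal described in the text; a sudden drop would be a separate
    check (for example, a service that has silently stopped logging)."""
    hits = []
    for label, count in observations:
        z = score(count, baseline)
        if z > threshold:
            hits.append((label, count, round(z, 1)))
    return hits


# Constructed observations: a normal hour, a mild lift, and a clear spike.
NEW_COUNTS = [("10:00", 129), ("11:00", 139), ("12:00", 412)]

if __name__ == "__main__":
    bl = build_baseline(BASELINE_COUNTS)
    for hit in detect_spikes(NEW_COUNTS, bl):
        print("ALERT hour=%s count=%d z=%.1f" % hit)
```

In practice the baseline would be rebuilt periodically (and per day-of-week or per hour-of-day) so that ordinary seasonal growth does not raise a standing alert.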
4. Respond
Businesses should have a response plan which addresses the roles of internal and external stakeholders, communication to impacted persons (staff, customers, suppliers, regulators and insurers), how events may be contained or mitigated, and a method of analysing the breach to determine its extent and cause.
5. Recover
Businesses should have a plan which works towards timely reinstatement of systems and services impacted by a cybersecurity event, and ensures lessons are learned and applied so that overall cyber resilience can be improved. Cyber Insurance could be one mechanism that allows the business to recover with minimal disruption.
Cyber Insurance, working in concert with other essential protections such as Professional Indemnity and Directors & Officers insurance, is certainly a vital part of a cyber resilience framework. Optus has Cyber Insurance and no doubt Medibank is wishing it had renewed its policy in June. But it’s not a one-size-fits-all scenario, which is why expert advice in this area is essential.
Headsure is a boutique insurance consultancy, and one of Australia’s foremost cyber insurance experts. We help clients across many sectors, including those facing elevated cyber risks, such as technology, financial services, defence contracting and professional services.
With most of our clients, we work collaboratively with the other business functions and external experts involved in the company’s cyber resilience framework.
For an obligation free chat about how Headsure can help you and your business become more cyber resilient, give us a call or send us an email.