Could the Optus breach have been avoided?
Optus was hit with a “basic” cyber attack that should not have happened to a company of its size and resources. With over 9.8 million people potentially affected (almost half the Australian population), Optus should have had data encryption in place, closed and protected APIs, and adequate cyber security practices to prevent any breach.
It’s a big no-no to store production data in a test environment, and almost all security frameworks say to keep the two separate. So it’s clear Optus has a lot of work to do on its cyber security practices.
Whilst Optus looks backwards and the Australian Government lays blame, the state of Optus’ security defences reflects poorly on the business.
Most businesses are underprepared
According to the Actuaries Institute, in Australia, a cyber crime was reported every eight minutes over the past financial year – an increase of 13% on the previous year. Reported total economic losses in the year amounted to $33 billion, impacting government and the private sector, all sizes of organisations – from SMEs to the largest corporations – across industries and disrupting supply chains.
Globally, 623 million ransomware attacks were recorded in 2021. That is 20 attacks every second and more than triple the number recorded in 2019.
Best practice in cyber risk management is for companies to undertake scenario planning to consider the possible outcomes from a cyber attack. Organisations that undertake proper scenario analysis for cyber put a financial value on both the tangibles, such as forensic investigation costs, and the intangibles, such as damage to brand reputation.
One of the natural outcomes of scenario planning should be taking out cyber insurance.
NewSure General Manager Brett Edmonds says the Optus breach has shown every business owner in Australia how important cyber insurance coverage is to safeguarding their business.
“The Optus cyber attack has been another eye opener – another example of how wrong things can go for a major corporate,” said Edmonds. “But if you’re prepared and know what your insurance will cover, you’ll better navigate the long-term impact and what steps you may need to take to rebuild your company.”
Cyber insurance coverage
The evolution of cyber insurance means there is no one standard cyber insurance policy.
Typical cyber insurance policies protect businesses against:
- Business interruption losses: covers financial loss you may suffer as a result of a cyber attack
- Cyber extortion: the costs of a cyber attack, such as hiring negotiation experts, covering extortion demands and prevention of future threats
- Electronic data replacement: the costs of recovering or replacing your records and other business data
- Security and privacy liability: damages to your reputation resulting from data breaches, such as loss of third-party data held on your system
- Defence costs: funds the legal costs of defending claims
- Regulatory breach liability: covers legal expenses and the costs of fines arising from investigation by a government regulator
- Electronic media liability: the costs of copyright infringement, defamation claims and misuse of certain types of intellectual property online
- Crisis management expenses: provides cover for the costs of managing a crisis caused by cyber hackers
- Notification and monitoring expenses: the costs of notifying customers of a security breach and monitoring their credit card details to prevent further attacks
Compared with more traditional forms of insurance, cyber insurance is a relatively new product covering a rapidly evolving, technology-driven form of risk. Because of this, the exact coverage varies between insurers, so it is critical that organisations understand their risks and ensure their cover is tailored to their needs.