Cyber-attacks will impact us all, and regulators are making it clear they agree

By Tim Field

Cyber-attacks continue to rise in number and sophistication

The astounding statistics vary but expert analysts estimate between 2,000-4,000 cyber-attacks occur every day with a company falling victim to a ransomware attack every 14 seconds.

While phising attempts, where someone opens a suspicious email or clicks a link allowing hackers access to systems, remain a dominant point of weakness, other more sophisticated routes in are increasing too. The recent MOVEit hack, which has affected at least 150 major companies world-wide exploited a loophole in the software allowing the hackers access to data for an unknown period of time without an alarm being raised. It has compromised the data of an estimated 15.5 million individuals.

In October last year, Medibank, one of Australia’s largest private medical insurers, suffered a major cyber attack resulting in the publication of vast amounts of highly sensitive personal information concerning 9.7m individuals including patient treatments, financial records and contact information. When Medibank refused to pay the ransom, the hackers, in a truly awful way, prioritised the leak of details of patients who had undergone treatment for drug and alcohol addiction, mental health issues or pregnancy related care.

Instinctif’s analysis of coverage of MOVEit using SignalAI (below) highlights the damage to its brand. A software product which was operating quietly behind the scenes and presumably delivering a healthy recurring revenue for its owner Progress Software, suddenly became a reputational disaster. The speed and scale of the escalating negative coverage of MOVEit is damagingly significant and wiped 12% off the company’s share price in two weeks. Mentions soared to the equivalent of three a minute over a 24-hour period when the hackers published the names of companies whose data they had been able to extract. Six weeks on from the discovery of the breach, and the reputational impact shows little sign of easing as there have been more mentions in the first two weeks of August than the first five months of the year.

The stakes are costly, and high

The reality for major companies is that, while they are undoubtedly a ‘victim’ of an attack, claiming victimhood is increasingly difficult in the eyes of the true victims – those people whose personal data has been stolen or their finances compromised. This issue of how the company is perceived is not just relevant for its customers, but regulators too are changing their views of data breaches.

This summer the Australian Prudential Regulation Authority became the first to take the regulatory action of imposing an increase in Medibank’s capital adequacy requirement of $250m due to “weaknesses identified in Medibank’s information security environment”. A class action lawsuit was launched by victims earlier this year too.

In the UK, an attack on outsourcing group Capita in April resulted in The Pensions Regulator writing to more than 300 funds asking them to check if their customers’ details were compromised by the hack. It issued a statement reminding pension funds of their obligations and suggesting actions they should take. The statement ended with a promise of ongoing scrutiny: “We may engage with you further to understand the steps you have taken and what progress you have made.”

As ever, how a company is perceived to be handling a crisis often impacts its reputation as much, if not more than, how it actually performs. Regulators are inevitably a key stakeholder in influencing perception, and the need to satisfy their expectations has costly implications for companies who are ill-prepared for cyber incidents.

Prevention alone is no longer sufficient as a strategy

Financial institutions need to recognise the reality that it is a case of when, not if they suffer a cyber attack. This makes mitigation of cyber risks more critical than ever and the preparation for how to respond to and manage the scrutiny around an attack essential. Regulators are making a point of reminding companies they can’t obfuscate their responsibilities. Your employees and customers will be sure to remind you the same applies to how you communicate about their data.

As a business, your hardest earned and easiest lost asset is your reputation. Lose the trust of people who give you their personal, financial, health and family details and that reputation could be damaged forever. In the early stages of a cyber crisis, as like any other, most people will accept that there will be uncertainty or a lack of some detail. What won’t be acceptable to customers, employees, business partners, the market, and now regulators is a lack of preparedness and an inability or unwillingness to communicate effectively as the crisis continues.

Your IT and Information Security teams will be planning for a cyber attack; why aren’t your communications, finance, HR and customer contact teams doing the same? Have you scenario-planned and are your calming key messages and reassuring responses already in place? Would you even be able to communicate with restricted access to your systems? Do your Board and ExCo understand their roles and the restrictions that will be placed on the business as teams grapple with extreme difficulties against a ticking clock under intense scrutiny?

These are key questions that will be asked once a cyber attack is underway; no sensible business should wait until then to answer them.

Prepare or suffer more than just the attack itself

Financial institutions have a duty to protect their own investments and those of others who entrust them to make sound decisions that increase their value. The reality for businesses is clear: acting now to prepare will save time and money in the long run, and reduce both the reputational and regulatory impacts.

If the damage to other companies who have suffered a cyber attack isn’t a sufficient catalyst to prepare, then heed the warnings of regulators and their expectations. Tolerance of mismanagement is low and the tolerance of a poor response is even lower. When hit by a cyber attack, you will be judged on the impact on and perception of the real victims.

What can your business learn from others?

1. Regulators are taking an increasingly dim view of companies who have failed to prepare with the use of financial penalties and implications growing
2. Corporates who suffer a cyber attack are viewed less as victims themselves with a focus on the true victims and media scrutiny of corporate failure
3. Technical prevention is critical, but it is not itself sufficient to protect your hardest earned and easiest lost asset – your reputation and the trust your clients have in you

To bring clarity to a complex topic, Instinctif uses a proprietary diagnostic tool, CyberOptic, to help you benchmark your organisation’s current response plans against best practice.

To find out more and let our experts help protect your reputation against the risks of cyber-attacks, get in touch via riskandcrisis@instinctif.com.