Lockton cyber expert outlines ways breach will cost Optus
This month’s cyber breach will have significant fiscal and resourcing implications for Optus, as well as intangible costs such as reputational damage, Lockton Companies Australia says.
Optus revealed the personal information of millions of current and former customers, such as email and home addresses and licence and passport numbers, was stolen from its records earlier this month.
Lockton Cyber & Technology Manager Mark Luckin tells insuranceNEWS.com.au the impact on Optus can be categorised into four broad categories: immediate, long term, tangible and non-tangible.
From an “immediate and first party standpoint,” the cost of tech resourcing, legal and public relations work will be significant, he says, as will the resources required to be dedicated to “dealing with aggrieved customers”.
Additional costs like credit monitoring will add to the significant exposure.
From a longer-term liability standpoint, he says Optus is fortunate that Australia’s Privacy Regulatory scheme has a fairly limited maximum associated fine for data breaches.
“What this event has done – for better or worse – is drive the immediate need for change in this area. We expect other regulators to launch their own proceedings which will attract associated costs,” Mr Luckin said, adding that costs for associated management exposures will also have to be met.
Cyber insurance could have played a significant role in the Optus incident, particularly the incident response panel provided by the insurer, Lockton says. These experts would have also brought “immense value” via independent insight, advice and strategy which in the immediate aftermath of an event “can be worth its weight in gold”.
These services include threat-actor negotiation, experience in analysis of large data sets for evidence of compromise, privacy and other regulatory advice, or communications strategy/media exposure guidance.
“The internal incident response capabilities from Optus would undoubtedly be significant, however there would have still been value in utilising the expertise of the panel vendors who would have experience in dealing with a similar set of circumstances,” Mr Luckin said.
Longer term, a cyber insurance policy would likely respond to associated legal costs under privacy-related regulatory action, which he says “seems likely”.
Mr Luckin says a policy’s ability to respond to broader regulatory action would depend on the nature of the wording and definitions, and warns that insurability of fines and penalties and associated legal costs remains contentious.
Though insurance policies that broadly provide cover for fines and penalties have been available in Australia for some time, Mr Luckin also says it is widely believed that any policy providing an indemnity for a pecuniary/criminal penalty would be void and unenforceable as being against public policy, and that the “extent that these policies extend to cover pecuniary or criminal penalties, and the legality of affording such cover, has always been uncertain”.
“There have been no specific cases addressing this, so these policies have been able to exist as they have been offered by insurers and not challenged by the beneficiaries of the policy,” he says.
Separately, Optus’ Directors & Officers (D&O) policy is likely to play a role for liability issues arising from obligations of care and skill under the Corporations Act, which requires that directors guard against key business risks – including cyber.
Mr Luckin says brokers have a vital role to play in educating organisations about the importance and role of cyber insurance, whilst not pushing it as a “silver bullet or substitute for good cyber security posture and hygiene”.
“If this event has taught us anything, it's the ongoing need to address the broad spectrum of cyber risk from a number of differing and complementary avenues,” he said. “The cyber community needs to continue working together to propose solutions around identification, mitigation and transfer of cyber risks.”
Mr Luckin also says aside from the tangible impacts, reputational impact to Optus will be difficult to quantify.
“It can be assessed to a degree – that is lost customers – but what will be the ultimate cost of damage to reputation, through loss of trust and lost potential customers etcetera remains to be seen,” he said.