Cyber protection: making sure your communications, insurance and defence plans are ready
Cyber security has never been more topical, with frequent reports of high-profile data breaches and cyber incidents making the news. Companies are being urged to invest in cyber security, to examine their security systems and to simulate cyber attacks to strengthen their defences.
Beyond the IT issues, there are legal and communications issues to consider. What should you do if you identify a suspected or actual cyber incident? Which regulators do you need to contact? Should you pay a ransom demand? Will cyber insurance protect you? And how do you best communicate to customers and other stakeholders if a cyber incident occurs, given the high stakes and speed at which a crisis unfolds?
My company has suffered a data breach. What should I say?
Getting the message right during any crisis is critical. But it is more complicated during a cyber incident, where investigations are underway, facts are still being uncovered, and it can be difficult to know what data has been breached and how many customers are affected.
It is a nightmare scenario for any business, according to Porter Novelli Australia CEO Rhys Ryan.
‘It’s an incredibly high-stakes situation. You don’t know the full extent of the breach. You might not know the full extent of it for days or weeks, or in some cases never, but everyone is demanding definitive answers,’ Rhys said.
Rhys recommends that business leaders avoid definitive statements, particularly in the early stages, that they ‘flood the zone’ by continually updating all relevant stakeholders (regulators, the media and customers) through channels such as the company’s website and social media, and that they stay disciplined about what is said.
‘You should never say a single sentence about the incident that doesn’t include the phrase “It’s important to stress the investigation is ongoing” or “Right now, we don’t see any evidence of that but our investigation is ongoing”. Most companies try to do the right thing and update the market but then they’re taken out of context and accused of changing their story.’
Do I need to include communications in my cyber defence strategy?
The short answer is yes, says Rhys. Companies need a specific plan to deal with cyber security issues and communications must be included.
‘If you have to unplug your system, and you’ve had a ransomware attack take down your Active Directory, you can’t even call each other. Then you might say “Let’s get a Teams meeting going for the crisis response team” and the next question is “Well, how do we tell people to come? We can’t email them. We can’t call them”.’
For this reason, Rhys said it was vital that companies simulate cyber attacks so they can find weak spots in their response plan, such as contact lists and meeting channels that only exist on the systems an attacker has just taken down, and fix them before a real incident. The communications response was often overlooked in such simulations but was essential to include, particularly because cyber incidents have such a damaging impact on reputation.
‘Having a good contingency plan in place is really what stands between you having a catastrophic response to a data breach and a decent response.’
Will cyber insurance protect me?
Michael Parrant, Client Director and Cyber Insurance Practice Leader at global risk advisor Aon, recommends that companies purchase standalone cyber insurance, rather than trying to rely on crime or other insurance policies.
‘There’s an acceptance that you can’t reduce your cyber risk to zero. But there are a lot of things that organisations can do to mitigate their risk based on the size and type of business you’re running. Insurance is a really important part of the risk landscape,’ he said.
Michael said recent high-profile data breaches, such as Optus and Medibank, had prompted many companies to question whether they had the right insurance and the right limit in place.
‘The major issue we’ve seen is this slow evolution of silent cyber, which is cyber risk that permeates across multiple lines of insurance. The market is now driving an absolute wedge between what companies want to do from a cyber risk perspective under non-cyber insurance policies, and this is causing organisations to sit down and pay attention. Getting this right is an absolutely critical thing for directors to undertake on behalf of the business.’
Michael recommended that businesses map the potential risks and scenarios to current insurance policies to see whether the business was adequately covered.
He said cyber insurance policies often received a bad rap in the media, with many headlines and stories reporting that cyber breach claims had been rejected by insurers. But he said this often wasn’t the full story.
‘I’ve seen firsthand the way that cyber insurance can save companies or help them through the hardest time. The key takeaway is that if you want cover for cyber and cyber risks, get a standalone cyber policy and understand exactly what is covered under that policy.’
Will a cyber attack simulation really help me?
Simulating a cyber attack is absolutely essential, says Shane Bell, cyber partner at McGrathNicol.
‘We need to build a high degree of comfort in dealing with incidents. Part of your resilience strategy has to be building muscle memory around being comfortable in an incident, not a crisis, because if you manage the incident well, it doesn’t always end in a crisis,’ he says.
‘I see far too many times organisations are highly stressed in an incident response scenario or a crisis management scenario because they just haven’t contemplated this before. Or they have, but they’ve never used their plan, or they haven’t stress-tested themselves.
‘These incidents will always be emotionally charged but part of the shock is avoidable if you test yourself appropriately beforehand.’
If there is a silver lining for companies other than Optus and Medibank, it is that these high-profile attacks have pushed the importance of cyber security to the forefront of people’s minds. Shane said there was a lot more Australian businesses could be doing to adequately prepare themselves against an attack.
‘Far too many times, I’m called in to deal with incidents and this all seems pretty new for people. They’re talking to people for the first time, or they’re dealing with a plan that they’re not familiar with, and they’re making decisions that they haven’t rationalised beforehand, such as whether to pay a ransom. There is absolutely much more to do across the Australian business landscape to build a greater level of resilience into incident preparedness and response.’
Tune into season 2 of our series of Cyberzone podcasts in 2023 for more insight into how to prepare your cyber defences and how to deal with the legal, insurance, IT and communications issues caused by a cyber incident.