Police are continuing their investigation into the recent cyberattack on health insurer Medibank Private. CEO David Koczkar “unreservedly” apologised for the crime and pledged transparency. To facilitate full accountability and guard against future attacks, should Medibank’s cyber security providers and insurer also come forward?
Insurance Business is consulting with industry stakeholders to explore the pros and cons of transparency after a cyberattack.
“The logic is that if attackers know there is cyber insurance and who that cyber insurance provider is then the attacker will know if the attacked company is going to be advised to pay,” said O’Hara, who also co-hosts the Get Cyber Resilient podcast.
Read more: Medibank says personal data was stolen
He said revealing the cyber insurer would also inform the criminals that their victim has access to an insurance company’s cyber response team who can navigate crypto payments and help with payment of any ransom. “Even what the track record is for the insurance company on negotiating payments,” added O’Hara.
He also noted a prediction from research firm Gartner that said by 2024 three-quarters of all CEOs would be personally liable for what it called “cyber-physical security incidents.”
On the question of whether full transparency is necessary to really learn from cyberattacks, O’Hara said the companies themselves had improved their transparency, often sharing lessons learned and sometimes detailed incident reports.
“That said, it can be useful to keep some structural and investigation details under wraps to potentially avoid further problems in the future, including a secondary cyberattack,” he said.
O’Hara said it can sometimes be “reputationally sensitive” when a breach occurs through a perceived failure of duty of care. “In these cases, we may see less transparency from the attacked organisation,” he said.
O’Hara said there can be a direct link between the degree of transparency of a firm after an attack and that firm’s confidence in its cyber security plan. However, he said that doesn’t include revealing who exactly provides the cyber security and insurance.
“If you can explain what happened AND you had a strong cyber resilience plan in place there would be no expectation of finger pointing,” he said. “However, I suspect internally if there is a feeling that a cyber resilience plan was under funded or under resourced, or badly executed, then an organisation may say less about what happened?”
O’Hara said the Medibank Private attack has underlined some important lessons for insurers, brokers and their clients.
“Cyber resilience is important and is a fundamental fiduciary responsibility,” he said. “We need to move away from any version of hoping everything will be OK and ensure that planning is in place to reduce the risk as much as is appropriate for the data and systems we are protecting.”
He also said insurers should look at the risks posed through their collection of data and whether they really need to collect and store everything they currently do.
O’Hara also said cyber insurers should look at auditing the data management of the companies they insure. “Insurers estimating premiums should be looking at control presence and control effectiveness but also auditing the data management for an organisation,” he said.
According to a Medibank statement release to the ASX, a criminal has claimed to have stolen 200 gigabytes (GB) of data including customer names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
The statement also said the criminal claims to have stolen credit card security information but Medibank said that has not yet been verified.
The health insurer reported that the criminal provided a sample of records for 100 policies which they believe came from the firm’s ahm and international student systems. The stolen claims data, the statement said, included the location where customers received medical services and codes relating to their diagnosis and procedures.
Medibank also announced a trading halt in its shares until further notice.
“I unreservedly apologise for this crime which has been perpetrated against our customers, our people and the broader community,” said CEO David Koczkar. “I know that many will be disappointed with Medibank, and I acknowledge that disappointment.”