Over the past month or so, we have been reminded many times of the vulnerability we face to the nefarious activities of cyber criminals. We have seen many organisations experience cyber-attacks, the highest profile being the attacks on Optus and Medibank. The Australian public is experiencing high levels of anxiety as a consequence of these attacks.
The media has largely focussed on the response to these attacks, and that seems right given the vulnerability created in failing to secure the records of clients. There has been much criticism of Optus holding personal data and of the need for legislative change, which seems a little obvious when we see how other countries throughout the world have legislated over recent years. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) come readily to mind.
It is interesting to contrast the responses of the CEOs, Optus’s Kelly Bayer Rosmarin and Medibank’s David Koczkar. The Bayer Rosmarin response certainly left its customers (and the media) making their own assumptions about the consequences to them individually in the absence of details, whereas Medibank’s CEO, possibly learning the lessons of what not to do from Optus, endeavoured to engage with its members. Unfortunately, much of what we were told by Medibank simply articulated their broad lack of understanding of the nature of the attack, including its severity. It is amazing what a difference a communication strategy that keeps the affected informed can make, and an obvious lesson for all organisations who might find themselves in a similar situation in the future. Unfortunately, for Medicare it proved to be far worse than initially communicated.
Until recently, there was overwhelming silence on the role of the Audit and Risk Committee in each organisation. Optus is owned by Singtel, and is therefore not subject to the ASX Corporate Governance Council Corporate Governance Principles and Recommendations, notably Principle 7 (Risk Management). A quick scan of the Singtel website finds very few corporate details on Risk Management, although there is a Risk Committee.
Medibank, as an ASX-listed company, has specific obligations in respect of corporate governance principles and listing rules. It too has a Risk Management Committee, the Charter being available on the Medibank website, in which the Role of the Committee is very clearly provided:
The role of the Committee is to assist the Board by providing an objective, non-executive oversight of the implementation and operation of Medibank’s risk management framework, and compliance by Medibank with the Australian Prudential Regulation Authority (“APRA”) Prudential Standard CPS 220 Risk Management, to ensure that risk taking in Medibank is conducted within reasonable bounds and that financial and non-financial risks are clearly identified and well managed. In fulfilling this role, the Committee will – in accordance with Medibank’s purpose, values and Code of Conduct – have appropriate regard to customer and community interests and expectations.
Medibank’s Corporate Governance Statement (also available on the website) provides lots of words about Risk Management, importantly (and correctly) noting that “The Board has overall responsibility for Medibank’s risk management framework including setting the risk appetite for Medibank”. The report talks specifically to the ASX recommendations in stating that “during the year, Medibank had in place policies and practices which comply with the recommendations of the ASX Corporate Governance Council Corporate Governance Principles and Recommendations (CGPRs).”
The media has reported Medibank’s Chief Financial Officer (Mark Roger) attributing the high cost of insurance as the reason why Medibank chose not to buy cyber insurance cover. Quite right, the cost of cyber insurance has risen significantly over recent years, the increases being attributable to a hard insurance market cycle, and (critically) the increased risk to insurers. Many organisations have been unable to buy such cover as they simply fail to meet the required level of controls demanded by insurers. This comes down to a question of assurance v insurance, and one has to assume that the Board / Risk Committee had the appropriate level of the former to make such a decision. If the decision was based solely on the cost of insurance and not on the effectiveness of controls to both prevent the cyber risk from arising, and to mitigate the consequences if it did, the Risk Committee hasn’t done its job.
Medibank’s Sustainability Report 2022 lists “Heightened cyber risk associated with the geo-political environment” as an emerging risk. For completeness, the report defines emerging risks as “those that we are monitoring that could have the potential to become material risks in the future”.
What we continue to see in corporate reporting is form over substance. Sustainability reports have a lot of great information about all the wonderful things organisations do for their employees, their customers and the broader community. But what do we know about the substance of these reports? Risk Management, Principle 7 of the long-established CGPRs, is a particularly good example – we know that many organisations simply do not have effective risk management, yet they satisfy the reporting requirement year after year. There is no accountability for the substance of the declarations.
If ASX and other regulatory bodies deem such declarations to be important, then surely there is an obligation to ensure they are backed up by substance. If you read a sustainability report and take it all at face value, isn’t there a risk that you are being lulled into a false sense of security about exactly what the reporting organisation might really be doing? Risk management needs to be effective, and it’s high time it was verified as being so.
The last thing we need in Australia is more regulation. Perhaps what we need is a serious rationalisation of reporting, and a change in focus to substantiation of what is being fed to investors and other key stakeholders. Substance over form.
Cyber risk is one of many risks that all organisations face. Yes, it can definitely have very serious consequences, as we have seen. In context, it’s unlikely to get better given it’s an arms race with the bad guys, and they have better resources and so many targets to choose from. The media seems to be advocating for more stringent requirements around identification and management of specific threats, rather than understanding how such threats fit into the bigger risk management picture. How organisations go about assessment of cyber risk is no different to how they should go about assessment of other risks within the organisation. It is a core responsibility of the Board to ensure the risk management framework and function are effective, but it’s hard to see how that could have been satisfied in light of the severity of, and poor response to, these attacks. Perhaps it is time to consider some Board refresh that introduces real risk management expertise and experience where it’s needed most?