November 2022 Blog
Government and Private Sector Cooperation in Cyberdefense and the Impact on Your Organization
As 2022 draws to a close, a trend is emerging in the cybersecurity industry: much more stringent laws and associated penalties for cybercrime and data breaches. In many cases, governments are initiating these measures in response to the following compelling events:
- A perception by governments that cybercrime affects national security, particularly in the telecommunications, critical infrastructure, and health sectors, as many perpetrators of these crimes are state actors from unfriendly nations.
- A perception by governments that the private sector is not sufficiently motivated, either positively by the benefits of strengthening its cyberdefenses, or negatively by the weak penalties in place for data breaches.
- A genuine desire by governments to implement proactive measures to ensure the privacy and confidentiality of their citizens' personal data.
There have been many high-profile data breaches in the press lately. As an example of the acceleration of incidents, the ratings agency Fitch has published the following in support of tightening laws and penalties with regard to cybercrime. The example refers to Australia and the impact of cybercrime on its credit rating; see https://www.fitchratings.com/research/corporate-finance/australias-recent-cyberattacks-to-shape-laws-regulations-risk-management-03-11-2022
“More cyber events are inevitable, despite ongoing efforts to toughen laws and tighten cybersecurity. The rating impact of cyber incidents depends on the severity of financial, operational and reputational damage while considering the effectiveness of disaster recovery and business continuity plans…a cyberattack that exacerbates existing rating sensitivities, such as prior cyber vulnerabilities, or if the breach causes an outsized financial impact or sustained business interruption could have a negative rating impact.
The other recent major data breaches disclosed since August have affected entities across multiple sectors in Australia and resulted from uncoordinated attacks. The frequency and severity of these incidents carry significant implications, including ransom losses, lost business, operational interruptions, increased counterparty and reputational risks, and customer attrition, among others. Consequently, cyber insurance has become an essential tool for companies in tackling such risks globally.
Additional costs, such as data restoration, investigation and response, and regulatory and legal fines, are common following cyber events. For example, Medibank announced a cybercrime customer support package that offers various assistance, such as financial support for hardship and reimbursement of specific fees, for affected customers. These incremental expenses add additional economic impact and are likely to incentivise more Australian organisations to embed cyber insurance coverage in their risk management frameworks, despite the rising premium rates, in our view.”
Multiple Major Cyber Security Incidents in Australia since August 2022
| Company | Date | Affected Customers |
| --- | --- | --- |
| Medibank Group | Oct-22 | 3.9 million customers |
| MyDeal (owned by Woolworths Group) | Oct-22 | 2.2 million customers |
| Singtel Optus Pty Limited (BBB+/Stable) | Sep-22 | 9.8 million customers, including valid or expired ID document numbers for 2.1 million customers |
| Costa Group | Aug-22 | About 10% of the data in one of its servers |
| The Dialog Group | Sep-22 | 20 clients & 1000 current/former employees |
| Telstra | Sep-22 | 30000 past/present employees’ information |
| Medlab Pathology | Feb-22 | 223,000 patients and staff |
Source: Fitch Ratings, company disclosures, media reports
As can be seen from the Fitch table above, the frequency and severity of data breaches in Australia have accelerated and deepened. It should be assumed that the same is occurring elsewhere; in fact, Indonesia recently uncovered a data breach affecting more than 100 million of its citizens (see https://www.reuters.com/technology/indonesia-investigating-alleged-data-breaches-state-owned-firms-2022-08-22/ regarding Indonesia investigating alleged personal data breaches at state-owned telecoms firm PT Telkom Indonesia’s internet service IndiHome and state utility PT Perusahaan Listrik Negara (PLN)).
It is an undisputed fact that these breaches and cybercrimes are occurring with increasing frequency, and the inevitable consequence is that governments are mobilizing to address these compelling events.
So what is the impact of these impending, more stringent government regulations on your company? The likely impact can be summarized as follows:
- Companies will be forced to disclose breaches under penalty of law.
- Companies will be forced to rectify and improve their cyber hygiene under penalty of law.
- Companies will be exposed to significant commercial risks from lawsuits and penalties from individuals and/or entities that are affected by cyber breaches – the impending government laws will only increase the legal risk to companies if they cannot show evidence of cyberdefense measures being implemented.
- Companies may suffer reputational and credit rating damages from cyber incidents.
- As with the ethics and non-discrimination laws in force in many countries, full compliance with cybersecurity laws will require company directors and owners to certify their compliance and demonstrate that they took all necessary steps to adequately defend against cybercrime (including cybersecurity awareness training for their staff and appropriate cyber hygiene policies).
Given these current and future imperatives on companies and on individuals with fiduciary responsibilities, governments will not hesitate to transfer accountability for compliance to the private sector. This will cause companies, whether voluntarily or otherwise, to see cybersecurity as an investment and not a cost.
As we have seen in the ethics, non-discrimination, diversity and sustainability awareness initiatives in recent years, companies will be forced to comply with upcoming cybersecurity laws. Advanced and forward-thinking companies will see these initiatives not as costs, but as investments that provide a sustainable competitive advantage to them vis-à-vis their competition.
We therefore earnestly encourage you to engage with us here at OmniSecuritas Technologies to discuss how we can help you develop a comprehensive multi-layered cyberdefense strategy that will not only comply with existing laws but also anticipate future requirements. Please reach out to us at [email protected] or visit our website at www.omnisecuritas.com.ph