The impact of the recent wave of breaches is evident at the ANZ Banking Group, namely: recruitment an “incident communications consultant – technology, cybersecurity and data” whose primary role will be to “keep ANZ’s customers and employees informed… during major technology, cybersecurity incidents, data regulatory events and planned outages.”
Based at ANZ’s headquarters in Docklands, Melbourne, the role involves developing and testing strategies for communicating with affected customers and other stakeholders during and after incidents, for example preparing public statements and key messages for dissemination to the public and to staff through the bank’s intranet, Yammer, email, and other communication channels.
It also includes acting as a liaison between the engineering staff within ANZ’s Command Center (Technology) and the Data Event Response Team, and business leaders who need to stay abreast of revelations of ongoing breach investigations.
The Commonwealth Bank of Australia (CBA) is also strengthening its cybersecurity team, calling on several staff members this week with the title senior manager cyber defense GRC and findings management – specialized cybersecurity analysts responsible for evaluating the relationship between cybersecurity issues and the bank’s governance, risk management and compliance (GRC) obligations.
That means evaluating the business risk of “critical security findings,” identified by the penetration testing, red teams and blue teams — teams within the CBA’s Cyber Defense Operational unit that regularly examine the bank’s security architecture — and working with business leaders to explain and manage their impact in plain English.
Hiring cybersecurity specialists to connect engineers, staff, business people and the public is a new approach for a business community that has typically relied on corporate communications personnel to handle incident responses.
Such staff work frantically behind the scenes to manage stakeholders, but previously provided little more information than sporadic, succinctly worded website updates that often take months or more. years later the break.
The magnitude of recent incidents – including the “disturbing” and still evolving Medibank data breach, as well as the recent breach of Optus’ customer data, each involving many millions of Australians – appears to have changed the story.
Kelly Bayer Rosmarin, CEO of Optus, took the bull by the horns early on and was at the forefront of the media the day after the discovery of that company’s data breach, which contained the sensitive identity information of at least 2.1 million Australians.
“We are informing customers as quickly as we can, in a very different way than has been done in previous cyber attacks,” she said.
“We know that time can be of the essence in these situations, so we reached out to the media less than 24 hours after learning that this incident had occurred.”
“Our head-on approach and the speed with which we’ve responded to this doesn’t allow us to have all the answers — but if you ask, I’ll tell you everything I can.”
Such public meaculpas by CEOs have been rare in the past, but amid data breaches’ growing intensity and influence — and a regulatory climate that pressures executives to personally invest in cyber issues — it seems Bayer Rosmarin’s repeated apologies are setting a new standard for incident response.
David Koczkar, CEO of Medibank, has publicly taken a similar approach to apologize and admit that “this latest disturbing update will concern our customers… [but] we have always said that we will prioritize responding to this matter as transparently as possible.”
Even as the company revealed more and more “disturbing” details about the hack — including recent revelations that hackers sought to negotiate the stolen data and that all of its 3.9 million customers’ data had been compromised — the federal government promoted a policy that would increase dramatically the fines that breached companies can receive.
Professionalizing the management of breach disclosures early on can prevent the advancing chaos that can engulf companies once a breach has been made public – and which, along with the increasing GRC burden on executives, could lead to communications specialists for cyber incidents.
“In the wake of a cyber attack, there are many moving parts,” noted security firm Cymulate in a report detailing the results of a worldwide research of 858 senior executives who found that 22 percent of companies “will have to deal with the regulatory mandate of disclosure, which could cause even greater harm if not handled with sensitivity and expertise.”
In 39 percent of cases, the survey found, security teams are required to engage outside legal, finance and C-suite specialists “to deal with the consequences,” with 35 percent of respondents noting the importance of deal with external advisors in violations.
Planning a coherent response to breaches well in advance and meeting regularly to reinforce it generally resulted in fewer breaches among survey respondents.
Indeed, in companies where leadership and cybersecurity teams met at least 15 times a year, no breaches were reported.
In contrast, Cymulate found that companies that met less often — on average, less than 9 times a year — reported 6 or more breaches in the past year.
“A reactive approach is an expensive gamble,” the company noted, “and being proactive on cybersecurity could eliminate these additional costs altogether.”