Medibank: Who is responsible for cyber security? | Insurance Business Australia

On Tuesday, Medibank Private released a new statement that said it was clear the criminal responsible for the cyberattack had taken additional customer data. The private health insurer described this as a “distressing development.” Australian police are investigating the attack that was detected by Medibank nearly two weeks ago.

Insurance Business is consulting with industry stakeholders to explore the pros and cons of transparency after a cyberattack.

Darren Hopkins (pictured above), cyber partner at McGrathNicol Advisory, has helped hundreds of firms with cyber insurance deal with cyberattacks. He is deployed by insurance companies on digital forensics and incident response teams.

Hopkins explained to IB the likely chain of cyber responsibility at a firm like Medibank in terms of IT security, attack response and the role of the cyber insurer.

“Leading up to an incident, your insurer has no part to play other than having your back in the case where there is an incident and being ready to help you respond,” said Brisbane-based Hopkins. “Insurers will have a range of expert teams that generally don’t get much exposure to the client, other than maybe some onboarding early on to get to know them.”


Hopkins said for many businesses, like Medibank, managing cyber security starts with the board. 

“The board is going to need to endorse a set of programs, budgets and initiatives in order for a business to have appropriate information security controls, teams and systems for managing their cyber risk,” he said.

Early in the ongoing Medibank case, CEO David Koczkar released a statement in which he “unreservedly” apologised for the crime perpetrated against his customers.

“Often your executive and the CEO tends to be the person that is put forward when it all goes wrong, but the size of the business determines who else they have in play there,” said Hopkins.

Medibank has more than 3.5 million customers.  

“Larger businesses will have a chief information security officer, a chief information officer, and potentially a chief technology officer,” said Hopkins.

He said these three senior technical leaders are responsible for the technology and the security of an organisation and run the teams that manage them.

“That’s quite a mature structure and the largest businesses would expect to have that, so certainly Optus and Medibank,” he said.  

Moving down in size, a mid-tier SME business, much smaller in scale than Optus or Medibank, may just have a head of IT or a CIO.  

“Often they don’t actually have dedicated security people because they are hard to get and expensive, so they may outsource some of that requirement,” said Hopkins.

Some firms, he said, insource everything and do all their own IT and cyber security.

He said some small, medium and large sized businesses also involve third parties in various parts of their IT security. Some of them outsource all of their IT and the security and have a small internal team to manage the arrangement.

This can mean outsourcing cyber security to a large IT company that uses particular software to try to prevent attacks.

“Many companies do that and there are a number of big vendors out there that provide security software and also the mechanism for supporting a breach,” said Hopkins.

These IT firms operate a security operations centre and act as managed security providers.

“When building an incident detection capability, there are two key components: the Security Information and Event Management (SIEM) which collects data and events for monitoring,” said Hopkins, “and the Security Operations Centre (SOC) which monitors the SIEM for incidents 24/7.”

He said this combination helps detect issues in real time before they become a breach.

“So you would like to think that they pick something up quickly and then deal with it quickly, but unfortunately, sometimes you can’t prevent an incident,” said Hopkins. “For example, if somebody makes a mistake and approves a third party gaining access to their email account - we see this all the time.”
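The SIEM/SOC split Hopkins describes, and his example of a user approving a third party's access to a mailbox, can be made concrete with a small detection pipeline: the SIEM half ingests raw audit lines into a common event model, and the SOC half runs rules over those events and raises alerts. The Python below is an added example, not code from the article or from McGrathNicol; the JSON log format, the approved-app list, the `example.com` domain and the event names are all constructed for the illustration and do not reflect any vendor's real schema.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed sample audit events in a hypothetical JSON-lines format (not any
# real vendor's schema). Each line is one event as a SIEM would ingest it.
SAMPLE_AUDIT_LOG = """\
{"ts": "2022-10-25T08:01:12Z", "user": "alice@example.com", "action": "login", "result": "success", "src_ip": "203.0.113.10"}
{"ts": "2022-10-25T08:03:40Z", "user": "alice@example.com", "action": "consent_grant", "app": "calendar-sync", "scopes": ["calendar.read"]}
{"ts": "2022-10-25T08:05:02Z", "user": "bob@example.com", "action": "consent_grant", "app": "mail-helper-9f2", "scopes": ["mail.read", "mail.send"]}
{"ts": "2022-10-25T08:06:15Z", "user": "bob@example.com", "action": "mailbox_delegate", "delegate": "someone@outside-party.example"}
{"ts": "2022-10-25T08:07:00Z", "user": "carol@example.com", "action": "login", "result": "failure", "src_ip": "198.51.100.7"}
"""

# Assumed organisational context (placeholders chosen for this example).
INTERNAL_DOMAIN = "example.com"
APPROVED_APPS = {"calendar-sync"}  # applications the security team has reviewed
MAILBOX_SCOPES = {"mail.read", "mail.send", "mail.readwrite"}


@dataclass
class Event:
    """Normalised event model shared by every rule (the SIEM's job)."""
    ts: datetime
    user: str
    action: str
    raw: Dict = field(default_factory=dict)


def ingest(log_text: str) -> List[Event]:
    """SIEM side: parse raw lines and normalise them into Event objects."""
    events: List[Event] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(Event(ts=ts, user=rec["user"], action=rec["action"], raw=rec))
    return events


Rule = Callable[[Event], Optional[str]]


def unapproved_mailbox_consent(ev: Event) -> Optional[str]:
    """Flag a user granting mailbox scopes to an application not on the allow-list."""
    if ev.action != "consent_grant":
        return None
    app = ev.raw.get("app", "")
    granted = set(ev.raw.get("scopes", []))
    if app not in APPROVED_APPS and granted & MAILBOX_SCOPES:
        return f"unapproved app '{app}' granted mailbox scopes {sorted(granted & MAILBOX_SCOPES)}"
    return None


def external_mailbox_delegate(ev: Event) -> Optional[str]:
    """Flag mailbox delegation to an address outside the organisation's domain."""
    if ev.action != "mailbox_delegate":
        return None
    delegate = ev.raw.get("delegate", "")
    if not delegate.lower().endswith("@" + INTERNAL_DOMAIN):
        return f"mailbox delegated to external address '{delegate}'"
    return None


RULES: List[Rule] = [unapproved_mailbox_consent, external_mailbox_delegate]


def run_soc(events: List[Event], rules: List[Rule] = RULES) -> List[Dict]:
    """SOC side: evaluate every rule against every event and emit alerts."""
    alerts = []
    for ev in events:
        for rule in rules:
            msg = rule(ev)
            if msg:
                alerts.append({"ts": ev.ts.isoformat(), "user": ev.user,
                               "rule": rule.__name__, "message": msg})
    return alerts


def detect(log_text: str) -> List[Dict]:
    """End-to-end: SIEM ingest followed by SOC rule evaluation."""
    return run_soc(ingest(log_text))


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(f"[{a['ts']}] {a['rule']}: {a['user']} - {a['message']}")
```

Run as-is, the sample produces two alerts for the same user within two minutes: an unreviewed application being granted mail scopes, then a delegation to an outside address. In a real SIEM the value comes from the allow-list and the domain check being maintained by the internal team, which is exactly the accountability question Hopkins raises: a vendor's SOC can only run rules over the events and context it has been given.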


In terms of who should take responsibility for an attack, he said IT vendors wouldn’t be putting their hand up to take responsibility at the start.

“Vendors can only monitor what they have access to by way of the systems and data you’re giving them access to,” said Hopkins. “So then, where is your point of responsibility? Is it the third party not doing their job? Or is it the internal team holding them accountable?”

Hopkins said that sometimes cyberattacks are the result of known issues that get exploited by the attackers.

“Businesses know that they haven’t got adequate detection systems in place, they know they haven’t got a particular type of technology in play that would help them be more resilient or stop an incident,” he said.

One reason those issues persist is that finding enough internal support to fix them is difficult given the high cost of IT security.

After a cyberattack, experts like Hopkins investigate and prepare a report explaining what happened, what failed and the response.

“A business will have a very clear view, in most cases, as to why the incident occurred, and the hope is they use that information to fix the issue, but at the very least you still have something that you report back to stakeholders and shareholders in relation to what did happen,” he said.