This was published 1 year ago
Opinion
Why corporate management is not being punished for cybercrime
Elizabeth Knight
Business columnist

Latitude Financial halted trading in its shares last week when it joined the worst corporate club in Australia – those that had been the victim of cyberattacks. All investors could do was brace for the plunge.
On Wednesday, when Latitude shares began trading again, the fallout wasn’t pretty but nor was it all that ugly. By early afternoon its shares were down just under six per cent.
Could it be that shareholders and consumers are becoming increasingly desensitised to, or even blasé about, data breaches?
Recriminations directed towards management at Optus and Medibank were louder – and the shaming more extreme – than they have been for consumer credit provider Latitude.
Despite this, culpability for cyberattacks should remain with the companies’ management because their internal defences were inadequate to prevent an attack.
The Optus breach generated extreme concerns from customers and the company was roundly pummelled by cybersecurity experts and the government for falling prey to what was characterised by most (other than Optus management) as an attack by pretty unsophisticated criminals.
Medibank’s cyber-breach (also branded by the experts as unsophisticated) had the luxury of being the second major incident, but had far more significant ramifications because the thieves stole medical information.
When Latitude revealed last week that it was the third major consumer-facing organisation facing a cyberhack over the past six months, it had a couple of things going for it.
First, it had the benefit of observing what Medibank and Optus did wrong in their response – and was versed on how to avoid some disclosure pitfalls.
Second, customer details that have been taken by the perpetrators appear to be mostly limited to driver’s licence details, which compared against sensitive medical records stolen from Medibank feels far less intrusive.
But the pathways followed in each instance are quite similar.
The scale and seriousness of the attack at Latitude has progressed with each announcement, but it was careful to avoid giving definitive statements from the get-go and, based on Wednesday’s update, it seems more people will be affected than its early estimate.
But rather than being freshly outraged by another cyber-incident, customers and investors seem to be taking the news in their stride.
For corporate victims there seems to be safety in numbers. Plus there is a bit of precedent.
Optus certainly lost customers to other telcos over the past six months, but the loss of accounts is not thought to have a long tail.
Optus’ parent, Singtel, noted in its half-year profit to September that it recorded a $140 million provision for a program of customer actions, including an external independent review, third-party credit monitoring services and the replacement of identification documents where needed.
The loss of any customers will not become evident until the March 2023 profit numbers are reported. However, Telstra’s December profit was boosted by additional customers migrating from Optus.
Medibank noted the loss of almost 13,000 resident policies in the second quarter (to December 2022) led to subdued growth of 1700 policyholders over the past six months.
But it also said: “With more normal business operations resuming in January, early signs of improvement in policyholder trajectory gives us confidence in regaining our growth momentum in the resident business. Last month net resident policyholder loss slowed to 1100, while this month up to 18 February we have seen net growth of 200.”
Medibank’s share price, which fell 20 per cent at the peak of the hack frenzy, has since retraced the majority of that fall.
Whether the cost of cyberattacks will move beyond losing market share and rectification will depend on whether mooted class actions from shareholders go anywhere.