NewsBite

Govt criticism of the telco not just ‘Canberra parlour games’

Major cyber incidents should be the first, second and third risks in a company’s crisis management plan.

Minister Clare O’Neil. Picture: Pradeep Pathirana

Reputation and political management are increasingly being seen as first-order corporate risks, and the Optus fiasco demonstrates both why that matters and how it can go very wrong.

When these events occur, corporate leaders often default to a legally conservative strategy aimed at ensuring that whatever is said or done doesn’t make a future civil penalty or class action worse, but they ignore the fact that the reputational damage occurring in the short term often matters more.

Of course, legal risk can be costly, but in the Optus saga, the maximum civil penalty the Privacy Commissioner can pursue is a woefully inadequate $2.1m. The unacceptability of this has been recognised by successive federal governments, with a commitment made in 2019 to increase it and draft legislation released last year. A successful class action will undoubtedly cost more in legal fees than any civil penalty, let alone the final compensation awarded to customers. Weigh that against the cost of poorly managing the perception of critical stakeholders such as customers, regulators and politicians. That cost will be known only once it’s clear how many customers have jumped ship, political inquiries have been launched and new laws passed. The full effects could take years to flow through as customers stuck in contracts wait for them to expire.

Some customers will be people who, regardless of how Optus responded, would have gone to a competitor because of the breach. Then there will be many others leaving because they haven’t been convinced the organisation is on top of the issue. In the meantime, corporate and government clients will likely mark Optus down in future tenders, lacking confidence that commercially sensitive information is secure.

The revenue loss could be hundreds of millions, if not billions.

None of this should come as a surprise. Major cyber incidents are the first, second and third risks in the corporate crisis management plan – particularly for telcos and banks that hold such significant quantities of personal information. All of these plans should include detailed strategies for communicating with customers, politicians and regulators.

For a company like Optus not to be adequately prepared for this in the digital age is akin to a modern cruise liner having no way of dealing with icebergs. That raises the question of how the relationship with the government, the one stakeholder that can both assist Optus to recover the data and inflict the greatest amount of regulatory pain on it, has so rapidly and publicly deteriorated.

Crisis management for major cyber incidents relies on government assistance. The cyber-spooks at the Australian Signals Directorate can do things in response that private companies can’t, both legally and technically. Governments and corporates should usually be on the same side in the event of a major hacking event by foreign actors.

Despite this, on Monday night the Minister for Cyber Security, Clare O’Neil, indicated she thought Optus’s characterisation of the incident as a sophisticated hack was misleading corporate spin, at best. She also told Optus to start clearly communicating with its customers and the next day slammed them again after apparently learning Medicare identifiers were also part of the breach.

In defence, Optus CEO Kelly Bayer-Rosmarin said: “Our briefing of the minister came after she gave that interview”. Bizarrely, this suggests the minister co-ordinating the government response wasn’t fully briefed by the company until after her media appearance, five days after the incident was announced. If that’s the case, Optus executives have failed in their basic duty to keep a critical stakeholder informed and onside. Even so, the minister would still have received almost constant briefings from ASD and other national security officials. She probably knows things about the attack that Optus doesn’t.

This public criticism by the minister is not just Canberra parlour games. It has real consequences. It indicates, fairly or not, that those devoting resources to help Optus out of this mess don’t have confidence in the way the company is managing it. If that’s the case, why should customers who aren’t privy to briefings from the Optus CEO and national security agencies believe the company? And what are the broader implications of one of the largest critical infrastructure providers in Australia apparently losing the trust of the government?

Alternatively, it could just be convenient politics to throw Optus under the bus and reverse over it. It’s certainly reflective of public opinion. Unfortunately for Optus, the true reason doesn’t matter. The impact on public confidence in it is just as damaging.

Tim Wellington is a director of Chapel Lane Advisory and a former chief of staff and privacy adviser to a federal attorney-general.

Original URL: https://www.theaustralian.com.au/business/the-deal-magazine/govt-criticism-of-the-telco-not-just-canberra-parlour-games/news-story/dcf3565dfc14c0fbb4eaacb2a75a4415