Episode Transcript
[00:00:10] Speaker A: I recently attended Sphere by Atmos to sit down with some of the presenters on the day for one on one interviews and to meet with people attending to find out what brought them there and what they learned from the day. Over the next few weeks, we'll be releasing these conversations to the public, providing rare insights into the state of cyber security and risk for Australia, New Zealand and on a more global scale. We'll find out exactly what moving beyond just a responsive moment of crisis actually looks like. Stay tuned.
[00:00:44] Speaker B: Joining me now in person is Admiral Mike Rogers, Global Advisory Board, and Alastair MacGibbon. And today we're discussing building cyber beyond crisis and understanding Australia's resilience in 2026. So gentlemen, thanks for joining me and welcome.
[00:00:58] Speaker C: Thank you. Great to be with you.
[00:01:00] Speaker B: Okay, so I really want to start with what are the concrete consequences you're most concerned about for national resilience right now? So maybe Mike, I'll start with you.
[00:01:09] Speaker C: A combination of disruption of service or capability combined with panic or the civil dynamic of that.
So it's not just the disruption itself, it's not just the loss of service or capability, it's the societal impact that comes with that.
[00:01:28] Speaker D: And can I riff off what Mike just said? So cyber security, as you know, is about confidentiality, integrity and availability of systems and data, right?
Yeah, the cyber triad. For so long we focused on the confidentiality piece. And if we're being really honest here, you'd give us a D minus as Western societies for how we've done protecting data, whether it's protecting it against an offender who wants to steal it, and that's outright criminal, or frankly even some of the horrendous abuse that corporates have had with data.
But to Mike's point, the thing we really need to worry about is the availability piece and possibly even more so the integrity piece. What if you can't use the machines and the data in your society? It's not just an event, it actually starts crippling society.
Even worse in my mind is what if you just can't trust?
[00:02:20] Speaker C: Exactly. What if you're killing your trust?
[00:02:22] Speaker D: That's scary.
[00:02:23] Speaker C: It's deeper and longer term because we're
[00:02:25] Speaker D: hyper connected communities, right? We're super efficient, which means our resilience is way less than it would have been, you know, a generation ago or two generations ago. But because we're so efficient, because we rely on technology, it means the inevitable interruption of those technologies leads to much greater societal impact.
[00:02:45] Speaker C: Because when you lose trust, even when you regain functionality, you still have a negative.
[00:02:51] Speaker B: And one of the things I've been speaking about across the course of today is the same sort of undertone you're both describing, but you spoke before about when that chaos starts to erupt. So even during COVID, people couldn't get basic necessities. That's super basic. But now we're talking about turning off critical infrastructure, which we've sort of seen in the telco space over the years here in Australia, or other sorts of services as well.
How do you think this is going to flow in terms of downstream impacts though? Because these things go quickly. It's not like, oh, it takes weeks or years; the chaos starts to unravel quite rapidly. Right. And people don't necessarily perform under pressure that well.
[00:03:28] Speaker D: Do you want to.
[00:03:28] Speaker C: Do you want to kick off? What I was going to say was, it's interesting to me we have not seen broad sector wide disruption. The model of the last few years has been disruption associated with a specific company, a specific service, a specific capability. That's interesting to me because the worst case scenarios we tended to talk about were this idea of system wide disruption, either broad geographic disruption or sector wide: energy or finance, fill in the blank.
Instead, what we're seeing, and you've seen it here in Australia, is narrower, but it's deeper. It's strange.
You see this in the UK: look at Jaguar, look at Marks and Spencer.
You think, two companies out of how many? But that had a significant impact on GDP. I mean measurably, at the scale of GDP.
Two companies, not an entire sector.
I don't think we really anticipated that. I always speak for myself; I really hadn't thought through the implications of foundational disruption. And in both cases, Jaguar and Marks and Spencer, for example, they actually were shutting down operations and doing it for some period of time, and that just hasn't been the kind of scary scenario we talked about.
[00:04:51] Speaker D: And when you think about Jaguar Land Rover, there were thousands of businesses up and down the supply chain that were impacted. And so that means their technologies don't have to be impacted: if you're part of a supply chain that is impacted, you get this weird thread moving through society that has really serious implications.
I was thinking, when I think about Australia, we've always seen ourselves as being that sort of resilient bushman, you know, Akubra hat and RM Williams boots. And I've got both of those at home. But I have very soft hands at the same time. And the reality is we have very little social resilience, in the way we once would have thought.
[00:05:39] Speaker B: What do you think that is?
[00:05:40] Speaker D: Well, I think it's because we've been so stunningly successful at taking cost out, at exposing ourselves to a global supply chain.
So, you know, I speak for America, you know, an interesting tariff situation, Mike. We as a nation have constantly knocked those things down and said, if we can't produce something here or do something here, we will buy it from overseas. If it's done better and smarter and faster and it's cheaper, brilliant. When it all works. It's got some big implications when it doesn't. And if you take that sort of analogy and you stretch it out to technology, we rely on friends to produce technology for us and to provide those services.
We are hyper efficient. I think we adapt and adopt technologies really well as a community. My fear is that if that were to stop, if we hit a pebble on the road, we've seen how people will react when they can't get that choice and the service instantaneously. In a third world country, you get a brownout, there's no petrol, there's a five day traffic jam, and people just go, yeah, that's just what happens. We don't do that.
[00:06:49] Speaker C: The one I've seen that's the best is Israel in terms of a modern, highly automated, very interconnected society that deals with disruption on a fairly regular basis.
And yet it has achieved this level of societal resilience where it's, hey, that's sadly the noise, so to speak, that we have to deal with, but we can't let it stop us from doing whatever it is we want to
[00:07:18] Speaker D: do. So you can advance at the same time as building resilience. I fear that in Australia we've become so attuned to lowest cost, cheapest item, most efficient thing. Which is brilliant from a pure economic point of view. Bad, I think, from a societal sort of ability to take shocks.
So again, I'm not a sky's falling guy. I'd like to hope that we don't get these catastrophic sort of system wide problems, but I believe it's only a matter of time before we do. And that's why we need to actually prepare for those.
[00:07:52] Speaker C: And that also means we create vulnerability and dependency that we may not be aware of, based on the choices we made, if the criteria is what's the cheapest, what's the fastest, what's the most efficient.
[00:08:02] Speaker B: So then on that note, as you were both talking, what was coming to my mind was, are we starting to wrap our own society here in Australia in cotton wool? So it's like, if you go and get punched in the face and you don't expect it, it's very different to being consecutively punched. You're sort of used to it, you know how to recover and get up and go again. So whilst I understand it's been good, to your point, Alastair, when it goes bad, people just can't handle it.
[00:08:26] Speaker D: That's a great question, and I'll give some sort of way in. You know, I've been a government official, then I was not a government official, then I was one, and now I'm not again, so it's like a yo-yo, comes up and down. But I remember as a government official the second time around going and talking to some state governments. Australia, just like the US and other countries, has some pretty interesting catastrophic events: cyclones, fires, floods. And I remember talking to an electricity transmission owner, state owned transmission, going, hey, if this cyber thing happens? Like, look, we're no strangers to crisis. A cyclone comes into our state, we've got all the parts ready and, you know, we share with our competitors and we make these things back up again. Okay, sure, but what happens if you had no notice? What happens if this thing just happens overnight?
So yeah, we are packed in cotton wool when it comes to, of course, like every other country, those sorts of natural disasters that you can usually predict. I mean, earthquakes are one of the ones you can't, and the New Zealanders are actually a really good example there of people that in the middle of the night suddenly, yeah, staggeringly big earthquake. But most natural disasters you see coming. We're dealing with something now where I don't think you'll find that resilience, because it's a bright blue sky day and suddenly something isn't working, and I'm not sure that we're good. Mike has a military background where that's trained into you: what happens if these systems fail? Okay, we fight on. I'm not convinced in our modern society, and I don't want to be a doomsayer, I'm just not convinced we're ready for it.
[00:09:57] Speaker C: We have exercised for it, to that point. It is interesting: we've created a world on the virtual side in which we're hyper dependent, in which we have limited predictability capability, as opposed to the physical world where we tend to have a greater level of predictability.
It's interesting. On the one hand, you get so much capability out of the virtual world: economic growth, enhanced security, greater connectivity.
But on the other hand, we're creating dependence more and more in an arena in which we have little predictability about, you know, dependency access. That's just an interesting dynamic.
[00:10:36] Speaker D: We don't even need someone asking questions.
A two minute thing.
I was just going to say, Mike, that brings in this concept of sovereignty. Right. And there's like a gajillion different, if that's a word, definitions of sovereignty. Right. So you get to see, okay, we need to keep data here. It's like, yeah, sure, but what if the software is not? And then, okay, we need software and data, and then it's physical stuff. How do you see sovereignty?
Where would you now, you know Australia well, right, you've been here like a couple hundred times at least for the times I've seen, let alone more, where would you put that line of what should be locally done?
[00:11:14] Speaker B: What, what?
[00:11:15] Speaker C: So first, look, to your point, I find that when I hear people talk about digital sovereignty, I'm going, do you think that's really achievable in the world that we're living in?
[00:11:24] Speaker D: We don't produce much here. So come on, give us a.
I'm
[00:11:27] Speaker C: not sure that that really is an accurate description. What I think when I hear this is more, oh, you want some level of digital assurance. That's really what you're saying? Because when you frame it as a sovereignty argument, I'm going, I don't think that's achievable in the digital world at scale, particularly if we don't have that.
Right. I'm going, where you're not developing or producing the technology, so tell me how sovereignty works.
[00:11:56] Speaker D: We ask you to come more often. That works.
[00:11:58] Speaker C: And please, I don't mean that as a criticism, but it does, I think, go to Al Mac's point. Yeah, the argument, and I have this conversation in Europe all the time right now, where I'm going, can we stop talking about digital sovereignty and can we talk more about risk and assurance?
Because I think that's really what you're arguing for.
You want to mitigate risk to a lower level and you want to enhance what you think is assurance in terms of access control.
I said those are not bad desired outcomes, but that leads you down a very different path. And they can start screaming about, well, it's about digital sovereignty because, damn it, I have to control everything.
[00:12:41] Speaker D: I think about it as rule of law. Right. Do your courts have some form of say over things? Does, you know, all that sort of stuff? So it's a, yeah, because I agree with you. As a country that is not a producer of any of these bits of technology, I mean we do some micro stuff around the place, additions to the core.
It's really hard for you to actually pretend you're sovereign. We can try to get the large providers to have more presence in country and to have some infrastructure in country.
But I remember trying to explain to some of the political class the way these things work, and how many of these sort of digital things are going to go offshore in order for you to have your sovereignty. It's a really hackneyed phrase, I guess.
[00:13:23] Speaker C: Yeah.
[00:13:23] Speaker D: Off topic.
[00:13:24] Speaker B: No, no, I think it's good. It's really about having that conversation, and so I'm enjoying listening to you both with your banter. But one thing that's come to my mind: do you think we just have to keep going through these incidents to build that resiliency? Like, no one really wants that, but it does build that ability to get up and go again.
[00:13:43] Speaker D: Australia's come a long way in the last four years. Okay, four, five years, sure.
And that is through, you know, they always say never let a good crisis go to waste, and there's no such thing as a good crisis, particularly for those organizations going through this. And we deal a lot with people during those dark moments and, you know, I feel for them. Right. We are a society that is now often blaming the victim. They could always do better.
[00:14:08] Speaker C: Right.
[00:14:08] Speaker D: Or else the incident wouldn't have occurred. But what can you learn from it? How can you systemically pass that on? Whereas I think we're a country that spends a lot more effort sort of attacking, often, the victim. And that again doesn't mean these companies and organisations shouldn't have done better to prevent something. You can always do better, all of us, but can we learn from it? And I think there are now household level discussions had in this country, sadly because of incidents, that have actually got people saying, right, how do you make this more secure? You know, we've had our 911-equivalent outages, our triple zero, which leads to questions about resilience and what obligations are on companies, because it's a social good and it's mandated.
We've seen outages and other such things and big data losses. Right. National level data losses, and very specifically to Australia. I think that the mood has shifted when I talk to CEOs and boards to talk more about this stuff. Not like, is it an issue that's gone? Not like, oh yeah, what's the simple piece of tech we could buy to
[00:15:12] Speaker C: make it go away?
[00:15:13] Speaker D: It's now, how do we start getting that resilience? I don't think it's fast enough for the era we're in, but it's at least moving. And oddly, I'm a glass half full guy, so getting any of that movement I think is positive. But I, as someone who comes in
[00:15:28] Speaker C: and out, so I would agree. In the United States, first of all, I compliment Australia, particularly in the area of government and critical infrastructure network owner collaboration. I think that's been a real strength in Australia.
You've got a legislative and legal framework, you've got a regulatory framework increasingly that's being put in place to deal with this. I think that's a real positive. And I also like the fact that in Australia you have used the concept of critical infrastructure to justify this kind of government role, in terms of, well, this isn't just arbitrary, we're not treating everything equally. It's, hey, we are placing a priority on, and we are creating a different level of requirements for, critical infrastructure and critical infrastructure owners than we are for other elements of our economy and other businesses at different scales. I think that's a real positive.
The challenge that I worry about a little bit in the United States is in some ways we've become numb to the levels of penetration, disruption.
It's almost like my sense, it's like, well, this is just the cost of doing business in the digital world.
And I'm going, okay, I acknowledge that to date we've been able to get through this. The thing that I hoped was going to be a bit more of a game changer, in terms of does it take pain to drive change, was Colonial Pipeline.
[00:16:58] Speaker D: Yeah.
[00:16:58] Speaker C: Where I'm going, guys, you can get through all the details, but fundamentally, through a digital act, we lost control of the functionality of the single largest energy conduit in the most densely populated part of the United States.
[00:17:19] Speaker D: Yeah.
And it wasn't sophisticated.
[00:17:22] Speaker C: No, I'm going. That should really make us stop and think about, wow, are we ready for this?
But again, we got through it. And so it just seems to me like we've lost a little bit of that focus and prioritization. And the sad thing is, is it going to take another crisis? And if it is another crisis, what if it's worse? What if it's orders of magnitude beyond
[00:17:46] Speaker D: this? For a long time we talked about, why don't we take more of an airline view of these things. So a near miss is something you learn from; a near miss you share with everyone else, including your competitors. The quite big bump that Boeing hit aside, you'd argue that the aviation industry is the poster child of learning from mistakes. Hey, this bolt isn't working. You should replace all those bolts. Why hasn't it caught on? You think about it, you're right, and Colonial is kind of like, now, almost dustbin of history stuff. I referenced Colonial in a speech last week. I thought, wow, you're using old material. What?
[00:18:22] Speaker C: He remembers that.
[00:18:23] Speaker D: But it's like, yeah, you're right. It should have been one of those seminal moments where we look back and go, wow, you dodged a bullet. Right?
And everyone just goes, I am.
[00:18:34] Speaker C: Okay, in America, what makes our aviation piece work is the fact that we decided a long time ago that the level of risk
[00:18:43] Speaker D: Yes.
[00:18:44] Speaker C: Justified a very different approach.
That, number one, said we're going to create a formal mechanism to learn and correct for every major incident, whether it was an incident that actually led to a casualty, a loss, or a near miss.
We have not done that in cyber. And I find that frustrating, because the difference to me is we have seen loss: burning airplanes. You know, hundreds of people killed, catastrophic.
We don't have that kind of equivalent visualization. Visualization of something burning, falling out of the sky and killing hundreds of people. That hasn't been the effect in cyber so far. So it doesn't seem to have triggered the same kind of question.
Is there a level of risk here that means I need to do something differently? I'm sure, again, may it not happen. Al Mac has said, I hope it doesn't take the deaths of hundreds of people through a cyber event to convince us that there is a level of collective risk here that should drive us to a different approach, where when we have these traumatic events, we both learn from them and we correct. That's what I love about the aviation model. It's dedicated to both identifying the problem, but also solving it and driving, mandating, change.
[00:19:59] Speaker B: Well, that's what, okay, what was coming to my mind as you're both talking. One, I was going to ask, are we desensitized? And what I mean by that is, so even in Australia, there's breaches, and people go, oh, well, I've been breached in the first one, who cares about information in the next one. And then to your next point, I was just hearing it going, well, I think what you're saying just makes sense. And so I want to start with one, the desensitization.
Do you think we're there?
[00:20:23] Speaker D: Well, so I think we're desensitized to data loss, right? But not to the other stuff. Every person I know in America has received, almost weekly, a one year subscription to their data protection based on the loss. It's like, okay, I've got another one, I've got 36 labels.
[00:20:39] Speaker B: But that's what's happening here though, when you say yes, yes, yes.
[00:20:41] Speaker D: So this is my point about the data loss piece. D minus. We've kind of screwed it up.
[00:20:45] Speaker B: I think it's gone down to an eight, right?
[00:20:47] Speaker D: Yeah, probably right. I mean it probably shouldn't even be scored, it's so bad, right? We've lost that game. But that aside, do the systems keep functioning? So we have these national level data losses, and everyone sits there and goes, can I say the word shit? It's a bit shit, right?
You know, bit bad.
Just in case you edit me out.
Everyone goes, okay, yes, okay, that's great. We've lost our data. Well, I'm still around. No one leaves the brand. They turn up the next day, they renew whatever their contract is with the airlock phone or the orange or whoever it is, and we all move on. The difference is if you're Jaguar Land Rover and you've got thousands of these small suppliers that sell to you and it stops, my business can go out.
I can go bankrupt and lose my house. Kids get taken out of school, can't buy groceries. I mean, that's got real life consequences, you know. You talk about the Colonial Pipeline thing, what was that? 40% of the liquid fuel needs for the east.
New York, my God, catastrophic for a
[00:21:52] Speaker C: class centric continued country.
[00:21:54] Speaker D: You had to declare a civil emergency in certain locations. So if that had gone on, maybe it would have become the post-mortem. But a near miss, or wasn't even
[00:22:03] Speaker C: a near miss. Or if it had happened in the middle of winter, that pipeline moves heating oil in the wintertime. It happened in May. What if this would have been in January in a hard winter and we lost heating oil movements?
[00:22:13] Speaker D: Yeah, so?
So I think we're immune now. We're kind of past it with these data loss things. And people are often getting better at handling the crisis too, by the way.
[00:22:22] Speaker B: It's about how people, meaning the companies,
[00:22:25] Speaker D: how you communicate, what the mea culpa is how you make people whole. All that where we're failing I think is getting ready for a service failure.
[00:22:35] Speaker B: Sure. Like energy.
[00:22:36] Speaker C: Yeah. Interruption piece.
[00:22:39] Speaker B: Well, you can physically see it. And actually that was my next point. Out of sight, out of mind. So if you can't see that the electricity doesn't work to blow dry your hair in the morning, as a female, that's a problem, or
[00:22:50] Speaker C: as a man, I have that same issue as well.
[00:22:52] Speaker E: Yeah.
[00:22:53] Speaker C: Really, I feel for you.
[00:22:55] Speaker B: So do you think it has to get to that stage until people can go, okay, well, it's physically impacting me? I feel like people I'm interviewing, though, Mike, are saying that history would suggest
[00:23:06] Speaker C: that that in fact is going to be the case, that it's going to take some measure of pain to drive change.
[00:23:13] Speaker B: In your experience.
[00:23:14] Speaker C: That's why I say, as a military guy, I'm going, look, we get paid to anticipate. What is this? We've got to wait till we get punched in the face multiple times to say, oh man, maybe I need to wear a mouth guard. Or maybe I shouldn't be standing here, I should be over there. I mean, just.
[00:23:29] Speaker B: So then here's the next question. Do you think, unfortunately, someone has to suffer, a company, a group of people, before anyone does anything? I'll give you an example. Like with seat belts. Enough people were dying before we implemented the seat belt. So unfortunately, do enough people have to be impacted until it's like, oh, now we're going to do something?
[00:23:47] Speaker C: Probably, because I often use the example. When I was a kid growing up, we didn't have seat belts, showing my age. We didn't have seat belts in the rear.
My parents were these cars. Yeah, there you go. My parents thought, I can't remember, as a 4 year old in 1964, my parents had a Dodge Dart. They thought it was so cute for Michael to be standing up between the two front bucket seats, jumping up and down on the drive shaft hub.
And yet within a decade, we totally changed the dynamic on automotive safety for a variety of reasons.
If we can do it there, I think we can do it.
[00:24:24] Speaker D: It also becomes a marketing feature now, Right. I mean, look at Volvo as a brand.
[00:24:28] Speaker C: Right? Well, reincentivized, yes. Automobile companies suddenly thought, you know, if I make a safer car somewhere. Insurance companies said, you know, if you'll buy a safer car, it will decrease your insurance cost. Automobile manufacturers said, you know, the consumer seems to like this now, I need to build safer cars.
[00:24:46] Speaker D: All these externalities that lead to it. And yet you'd argue, you would have thought that big tech would therefore have those same interests, but at the moment they don't. And so much of that is about consumer behavior, right, because you haven't yet behaved. So maybe you do need something. I mean, God forbid, no one wants a big incident. No one actually wants to see people harmed at scale.
[00:25:09] Speaker E: No.
[00:25:10] Speaker D: And by the way, you know, Mike talks about Ukraine's amazing ability to withstand some of the most egregious cyber activities, and it is a lesson for how countries can act at scale. You don't want to be at war to learn those things. Right. You don't want to have to go through that. Indeed, there are these living examples of resilient communities that we could pick up from. My question that I constantly ask is, what is the cost of doing that? Are we willing to accept that burden as a society? And it is very clear to me that in 2026, at least in March 2026, as a society, Australia is not yet ready to pay the price that is necessary for that type of resilience and redundancy, as it comes at a cost, right, of efficiency, which is going to be things like, you know, I can't get the service straight away because it's more gold plated or it costs more money. And in a society where we are so focused politically on cost of living, no one is going to wrap an
[00:26:11] Speaker C: extra layer of cost up, because it's hard to make an argument right now: we're going to pay more upfront to save more over some future period. That's hard to sell in the current political dynamics in both our nations. It's true for the US and for Australia; it's a politically tough choice.
[00:26:28] Speaker B: So gentlemen, we're running out of time, and I'd speak to you for hours, but maybe one quick takeaway to wrap up today's interview. Alastair,
[00:26:37] Speaker D: I think one of the big existential problems we have, if you pull out a bit more, is we have been importing connected devices that are not just manufactured in, but controlled by, China, that require software updates, require telemetry to go back to where the manufacturer is, in this case China, that are now built into our infrastructure and our society, and I think we'll rue the day. Again, we are paying for this infrastructure to be put into our society, and I think at some point there could be an egregious misuse of that technology by the manufacturing state or the controlling state, in this case China and the CCP. And I think that's a huge issue. We can't even broach how we add more cost in to make ourselves more resilient, let alone talk about, you know, what type of technologies we're using in our critical infrastructure.
[00:27:32] Speaker C: And I guess for me, if I step back, look, cybersecurity is not getting better, it's getting worse.
It's not because people aren't working hard. It's not because people aren't trying hard, and it's not because we're not throwing money at the problem.
It suggests to me that the approach that we have taken today is not going to be the one that's going to get us where we need to be.
[00:27:52] Speaker D: It's a definition of madness.
[00:27:54] Speaker C: Right? So I'm going, could we step back and ask ourselves, what should we be doing differently? And that's the conversation. Not the conversation I hear. The conversation I keep hearing is the same as what I heard 10, 15 years ago.
It's about information sharing. It's about. I'm like, guys, we've been doing that for literally decades now. How is that working for us? Not that it's a bad thing, but it's not achieving the outcomes, if you define the outcome as a lessening of these threats. So, yeah, I'm like, come on. So in light of that, to me, I want to learn from areas that are.
I want to learn where there's success. Ukraine being a good example.
And I want to ask myself, how can I create resilience? If some level of degradation or denial is increasingly going to become the norm, then how can I create greater resilience, rather than spending all my time debating about how do I make sure they never get into my system at all?
I penetrated networks for a living and I defended them. And my job as an attacker was much easier than the job as a defender. It was much easier to get into a network than it was to defend it.
[00:29:03] Speaker B: Mike, Alastair, thank you so much.
[00:29:05] Speaker C: Thank you.
[00:29:09] Speaker B: Joining me now in person is Heather Osborne, Director of Global Events and Programming at NetDiligence, and Steph Lerz, Partner, First Response at Atmos. And today we're discussing what 2026 cyber loss data is really telling us. So, ladies, thanks for joining me and welcome.
[00:29:24] Speaker E: Thanks for having us.
[00:29:25] Speaker F: Thanks for having us.
[00:29:26] Speaker B: Okay, so, Heather, I want to start with you. I'm keen for you to paint a bit of a picture of the cyber loss in 2026. And I know before we jumped on to do an interview, you were talking about the long report, but perhaps give us a little bit of a summary about what's happening.
[00:29:41] Speaker E: So the cyber losses for the SME have gone up quite a bit over the past year, while the claim study shows that losses for the large enterprise have actually gone down a bit.
What has really caused the SME to jump is not just the ransomware payments. While there have been more ransomware events, and an increase in the amount of ransomware demands, the actual number of ransoms being paid out is lowering. That's what our data shows, which again is a specialized set of actual claims paid out, primarily in the US market.
What is driving the cost up for the SME is business interruption. So business interruption just jacks that cost way up.
It draws out the tail of a claim and the resolution time.
And so what we were really talking about in the past half hour or so on the panel were some specific ways in which the policyholder can look at reducing the impact of business interruption.
[00:30:55] Speaker B: Sure.
So Steph, before we move on, did you have any commentary on that? Because I've got lots of questions about this topic on the cost of cybercrime.
[00:31:01] Speaker F: I think the only point I'd make is the NetD data is incredible and it's the most credible data set in the world for insurance based claims. We do have other data locally that is not insurance backed and which paints a very different picture from the insurance claim. So, for example, the ACSC Cyber Threat report that was released last year, it talks about the average cost of a cyber incident sitting at about 56,000 Australian dollars, which is significantly less than what is noted in the NetD report. But again, it's not insurance backed, that data. So there is a marked distinction. But it does tell you what the rest of Australia, particularly the small business economy and how they're tackling cybercrime and the costs that they're incurring at that level too, without insurance.
[00:31:55] Speaker B: So the part that I'm always curious to understand is we often measure impact in dollars, US, Aussie dollars. But what are the real long tail human costs inside an organisation for years after the breach? And I'm really curious because, as we were just talking before, I interviewed the former CISO at that large medical insurance breach.
But I'm just, I know that no one necessarily has any numbers, but how long does it really sort of take?
Does it take 20 years before it's like we've recovered from this? I'm not some sort of actuarial aerialist, but I'm just more so curious on what that looks like because that's more than just the dollars that are impacted from that breach.
[00:32:34] Speaker F: Yeah, such an interesting question. I'm not sure you can put a length of time. Sure, I know, I know rebuilding of trust. But I think what I would say is my experience working with clients in, in first response and in that immediate aftermath, we deal with a lot of clients that are impacted by ransomware and notorious threat actor groups that are aggressive, really aggressive, and engage in harassment techniques.
Had a client the subject of a swatting event as well.
So the impact of that harassment and the swatting lasts a lifetime, because the impact is such that you know you can't trust your devices, you're concerned about your livelihood and your family that may have also been infected. So I'm not sure you ever recover from that.
As an organization that may have been impacted in that way by fairly aggressive groups.
[00:33:31] Speaker E: I would sort of take a step back and just look at how cyber incidents can affect different kinds of sectors differently and how long it takes for the resolution to occur. So if you look at sectors like manufacturing or retail, if they're down even for a week, that is lost production, it's lost sales. They possibly can't recoup. If you look at professional services like law firms, accounting firms, those clients don't go away. So that period of downtime doesn't affect the bottom line. So that is sort of part of how you would look at the calculations of those hard costs. I think if you look at the human costs and how BI can stretch out, that business interruption can stretch out for months during the restoration period.
Heath Renfrow from Fenix24 talked very specifically around what it takes to reconstruct that infrastructure, that IT infrastructure.
And so the human cost of just the hours for the IT team, for the C suite and even for the board of directors, they just simply don't anticipate how long that is likely to take. It can take months to get a company fully restored and back up to business if they have good backups. And again, Heath was talking about he's only seen maybe one or two or maybe none, I can't remember, that had adequate backups. But if your critical assets are backed up appropriately, then you can recover and you can be back up to business. You can be making money again.
In terms of reputational damage, it's been interesting from an insurance standpoint to look at how that would be covered, how would that be quantified?
[00:35:29] Speaker B: How do you do?
[00:35:30] Speaker E: You can do forensic accounting for inventory, for payroll, for these things that are fairly quantifiable. They can argue about what those numbers are, but you can at least talk about them. The reputational piece is very hard to get your arms around. It's slippery. And because it's not quantifiable, it's hard to put a price on it and therefore it's hard to insure. And so I think those kinds of costs are not being compensated through any kind of risk transfer that you would get from cyber insurance.
[00:36:05] Speaker B: So I want to get into a little bit more. So recently, I think Commvault last year came out with a report, on average it takes 24 days to get back up and running. And then my mind went to how annoyed do people get when they can't access something straight away? They're on like Twitter, they're complaining on social media.
And I would say from a consumer perspective for a moment that most people just like, well, if I can't get, I'll just go elsewhere. There's not that loyalty. Like I drive down to the bank and I see the same person and it's, I've met this person for 40 years. It's not like that anymore.
So how did that sort of sit with both of you on?
We really can't. No one's going to be waiting around for 24 days to see what happens.
Especially when you mentioned before, Heather, retail manufacturing, if I can't get a sweater elsewhere, I'll find somewhere else.
So it's more that mindset and how consumers are not feeling loyal to these brands anymore like they were traditionally.
[00:37:05] Speaker E: Well, I think that's true and I think that's why it is such a, a critical and frustrating and frightening process for companies to go through.
And even a manufacturer, they may have inventory that can get them through 90 days, but if they're not continuing to manufacture, then they're going to have trouble meeting future demand, which also goes into that BI calculation. And there's a lot of stuff in the policy languages as to when those dates start and end.
I do think, at least in the US, data breaches are so common. They are so common. So I think what we were seeing when I started 15 years ago, a data breach was shameful and you didn't want to talk about it and you didn't want anybody to know about it. And of course that drove costs up, because if you try to hide something, then it takes longer to resolve. Of course, that was pre-ransomware, so the good old days.
But I think now there is a little bit of a.
Not that you're a bad company, so you don't get that sort of reputational hit, like, oh, your governance was bad and so you got hit.
But certainly in sort of our fast consumer nation or global consumerism, we do expect to be able to have what we want when we want it. So I think again, for different industries, it's going to have different impacts.
I think retail, you know, you're mostly talking about retail and maybe professional services. You know, if I can't go to my hair salon, you know, then you girls will. I don't know. I'm pretty loyal to her.
[00:38:39] Speaker B: I get that.
And so Steph, do you have any thoughts then perhaps from a different perspective that you can paint?
[00:38:47] Speaker F: Yeah, I was thinking about, I guess we've been talking about the consumer piece, but on the B2B side, a lot of clients that are impacted by a third party breach find it incredibly difficult to immediately change vendors and get things back up and running. They're solely reliant on that third party. And so, you know, if we're talking about a 24-day period for them to gain access to their key systems to continue business as normal, that's a significant period. They're stuck in that and they need to find manual workarounds ultimately. But what it leads to is complaints, early disputes, litigation.
And I think that's the key difference between the B2B piece versus B2C.
[00:39:28] Speaker E: Right. I think those contractual obligations that are already in place. So even if there is another vendor, you know, you can't just escape immediately.
[00:39:35] Speaker F: No, yeah.
Look, we have clients that they're stuck in that relationship and they need to continue it. But that forces them to engage quite closely to have a security, independent security audit conducted quite quickly. And so the third party, they're dealing with multiple other clients, they've got other priorities, not a security audit that they need to undertake to maintain a commercial relationship. So it is really difficult, I think, for particular organizations that are impacted by third party breach like that.
[00:40:07] Speaker E: I think the other interesting thing about that is you have certain kinds of breaches like the CDK breach which affected auto dealerships almost universally. So it wasn't even, you couldn't even go to a different dealership to buy your car and they were reduced back to paper. And I mean that really took down an entire sector for a significant period of time. And it is exactly that kind of large consumer purchase too, that if they could find another place to go, they did. And so those were huge lost sales. And as an industry, major, major impact to the carriers that were, that were covering that.
[00:40:43] Speaker B: So going back to your point before on the B2B sort of side of it, and that, yes, if something happens, you can't just oust the company and move on.
But then how does that sit with the relationship? It's strained. Perhaps someone's disgruntled, maybe they do want to get out of it, sign a clean cut, maybe there's a migration period to offload onto another vendor or whatever it may be.
[00:41:04] Speaker E: But how do that?
[00:41:04] Speaker B: So how do you deal with that then?
[00:41:07] Speaker F: Yeah, it's interesting. I mean a lot of clients, I think they're looking at the contract renewal period. Right. When can we conclude this relationship and move on? I think that's the truth of the situation that.
[00:41:18] Speaker E: Right.
[00:41:18] Speaker F: They're not going to stick around unless it's a, you know, a really specific, you know, third party or a program that they're particularly Ms. Keys and technology platforms that they might be heavily reliant upon or built for a business. You know, that's a difficult scenario. But I think ultimately we have a lot of clients that they'll make the decision day one, day two of the incident, that they no longer want to continue working with this organization, but they have to for a period of time and they'll make that work. But ultimately when push comes to shove at the end of that contractual period, they'll go elsewhere.
[00:41:55] Speaker B: So they'll endure it to the point that they have to contractually and then decide to part ways.
[00:41:59] Speaker F: Yeah, I think in some instances there's probably a good contractual basis to terminate the contract. Right.
And you know, some Saudi organisations that are impacted by residents in particular, they'll fill to do that and find a way through. It does add another layer to their incident response to go through that exercise. So it's just another task, I think, part of the incident response process that organisations need to consider.
[00:42:25] Speaker B: And so I want to sort of talk more about this a little bit more on the front with burnout, reputational damage, internal trust erosion as the aftermath. And I know we spoke about it before, but what about the earning back sort of thing? And I know we've touched on it before, but are there people, even yourself, that are doing research around how long this would take, arbitrarily, to earn back that trust? Because I just speak to a lot of people in this industry and I know it's not an easy one to answer. I'm just seeing if there is further development on this front, because perhaps people just aren't aware of it and then they're perhaps blindsided when it's like, well, we lost all these contracts, but how long does that go on for? Do people still remember what happened 30 years ago? I think that they do, and does that then follow you like that cloud, that rainy cloud?
[00:43:17] Speaker F: Yeah, I think my perspective is that the incident response process is critical for maintaining that trust relationship.
And if you manage that poorly with your clients, you will find it difficult to continue that relationship. I think a lot of our clients that respond the best in an incident response context are those that are quick to respond to their clients queries, share the information that they can and sensibly.
And I think there's commercial relationship at play too. You've got your incident responses and people on the ground doing that exercise, but you also have the commercial relationships and the key people in the business that have their own relationships with the other side and maintaining those and having separate discussions outside of the incident response. To say we've got you, we're keeping you informed as best as possible and just giving that added layer of assurance outside of the more formal correspondence that might be happening, not about the incident itself, I think is really important.
[00:44:22] Speaker B: And so then in the US we're seeing a surge in class actions and coverage disputes. So how does that sort of compare to Australia and New Zealand? There are cases here that I'm part of because I was involved in those breaches. But will this just become normal, especially in Australia, because we've historically not been that way inclined?
[00:44:42] Speaker F: Yeah, I think the class action landscape here is very different. But I think what we will see, particularly in the coming year or so, is a real shift in the regulatory investigation. And that landscape in particular, we saw last week, or earlier this week rather, the OAIC has come out and said that it's reviewing its backlog of privacy complaints off the back of a data breach. And so what that means for organizations that have submitted a notifiable data breach report in the last six to 12 months and that incident has not yet been closed by the OAIC.
It's an opportunity for the OAIC to investigate. And that complaint connection with the incident is going to prompt those investigations. We're about to see a wave of regulatory investigations. The OAIC has new powers now. They're able to issue infringement notices for lower-level non-compliance with the notifiable data breaches scheme. So I think this focus on the complaints that they've had this backlog for is going to really drive a lot more regulatory activity in the next six to 12 months.
[00:45:49] Speaker E: And I would say so much of the US litigation is driven just by our structure of how the plaintiffs' bar works. You know, they work on a contingency basis. We just had a panel of plaintiffs' attorneys last month in Miami, and they, much like ransomware actors, were like, well, if you have insurance, you know, you're a good target for us. If we file a case and there's not any pockets to help us, then, you know, we're not going to pursue it as hard. And so even their advice was, you need to take some of these cases to trial, you know, like, make us do our work.
So I just think the way that plaintiff litigation is funded in Australia, and it's similar in the UK, it just, it serves almost as a, you know, a cooler head, some sort of calculation of, you know, are we going to put our money into this, into this class action investigation? And, you know, all the costs that are associated with just pursuing a class, it just sort of tamps it down a little bit. So I think until you, you kind of get a change in how much money you can make, how much a lawyer can make by pursuing these. The other interesting, the funny thing from those plaintiffs also that they talked about was, you know, they all feel that they're very reputable plaintiffs' attorneys, and they are. They've done, you know, significant work in, in the space, but it's also, you know, sort of a rush to the courthouse. So now you see all these other firms who are setting up their own little, you know, plaintiffs' practice around, you know, data privacy cases. And so they're flooding the market too.
And so, you know, these big dogs who've been doing the work, doing it credibly, you know, like, you know, sort of it's becoming too popular. You know, people are seeing that there's an opportunity there. And yeah, dare I say it's not
[00:47:36] Speaker F: analogous to personal injury lawyers in the
[00:47:38] Speaker E: U.S. But I mean, it's the same thing. It's like car insurance in the U.S. It's like, take like, I've been in little things and it's like, can we just pursue it? Like, don't pay out. Like, this was not, this shouldn't be paid out to them. This is totally frivolous. So, yeah, and I mean, we are seeing a lot more creative settlements. There's some really new good products for, you know, to help the consumers that have been injured, that are now being part of settlement agreements, but a huge expansion in alternative dispute resolution and arbitration and all of that. Like, those guys are getting busier and busier and busier and needing those experts.
So again, are the old guard who developed some of the earliest case law, you know, in data privacy litigation.
[00:48:25] Speaker B: So perhaps I'll end on my last question for both of you. Would you say, moving forward, regulatory enforcement is now one of the strongest drivers pushing organisations from reactive to proactive security investment?
You attract more with honey than vinegar, as some say, but maybe this is just the way it needs to unfold. So what are your thoughts on that?
[00:48:48] Speaker F: Yeah, definitely. I think from my perspective we've seen some penalties the last little while from various regulators, the OAIC and ASIC, of course, in connection with cyber security. So I think those drivers are there. I think the threat actor landscape has changed significantly in the last 12 months too. And I think organisations are becoming more alive to the risks in connection with those groups.
As I said before, they're incredibly aggressive and there's a number of newer groups that have popped up.
I think that that's going to drive a lot of activity and refocus as well. For many organizations now.
[00:49:26] Speaker E: I'd say in the US it's still more the private litigation rather than the regulatory actions.
And then just increasingly that business interruption, I mean, companies cannot afford to be down. They just cannot afford to be down. So if they want to even have a business that can continue to deal with a regulator or a class action lawsuit, they need to get their house in order and understand what the business interruption impacts can be and what they need to do to put things in place so that they can come to a place of restoration and recovery much faster.
[00:50:01] Speaker B: Heather, Steph, thanks for joining.
[00:50:03] Speaker F: Thank you so much. Thank you.
[00:50:08] Speaker B: And there you have it.
[00:50:10] Speaker A: This is KB on the go.
Stay tuned for more.