Optus hack shows companies must take timely reporting of cybersecurity breaches more seriously

By YONG JUN YUAN

The Business Times, 18 October 2022

IN THE span of two months, four locally listed companies have made announcements about cybersecurity breaches. These announcements were varied in their detail, which perhaps is an indication of the difference in severity. But it may be time for boards and shareholders to step up their demands for thoroughness in disclosures.

Frasers Property on Aug 2 said its 38.3 per cent-owned Thai subsidiary, Frasers Property (Thailand), had experienced a data leak. A further update on Aug 15 notified shareholders that the cyber incident involved the leakage of customer and employee data.

On Aug 31, Sembcorp Marine said it had discovered a breach involving the personally identifiable information of some incoming, existing and former employees as well as non-critical information relating to its operations.

On Sep 5, semiconductor equipment maker AEM Holdings announced a network breach. The type of data lost was not revealed.

On Sep 22, Optus, Singtel’s Australian subsidiary, announced the personal data of 9.8 million customers had been compromised.

Singtel also announced, on Oct 10, a cyber breach at a subsidiary of its technology services arm NCS. This involved data belonging to fewer than 20 clients, 1,000 current employees at The Dialog Group, and former employees.

The breach had been discovered on Sep 10, but was disclosed after its IT team became aware on Oct 10 that employee personal information had been published on the Dark Web.

Excepting the breach at Optus – which has been discussed in great detail by company executives, politicians and industry experts – not much is known about the other incidents.

Possibly, this is because the incidents are not severe enough to warrant further disclosures. Singapore listing rules require an issuer to disclose information that is “likely to materially affect” the value of its securities, but leave the decision on materiality to boards.

How should boards make such a decision? And what other considerations are involved in a cybersecurity incident? How can shareholders be sure that cybersecurity risks are being dealt with seriously at their companies?

Test of materiality

Poh Mui Hoon, governing council member at the Singapore Institute of Directors (SID), suggested several considerations: the type of data leaked, its value to the organisation, whether the data involved trade secrets, and whether the breach has been contained or is still ongoing.

In response to queries from The Business Times, Poh said directors should check whether personal data was involved and, if so, how many persons were affected. Directors ought also to be aware of what the affected systems, servers, databases, platforms and services were.

Finally, a cyber breach would be material if a company incurs or expects to incur financial losses as a result.

“If a customer’s significant trade secrets or personal data are compromised and there is huge financial loss, then it is likely that the breach is material,” Poh said.

In the case of personal data, the government has made it clear when companies should disclose any breaches.

In November last year, amendments to the Personal Data Protection Act (PDPA) made it mandatory for companies to report a data breach if it could result in significant harm to affected individuals, or is likely to affect 500 or more individuals.

Communicate, in good time

Reporting should, in fact, be considered a primary means of mitigating harm following any cybersecurity incident.

Compromised data is rarely recovered, but a failure – or even slowness – to convey information can worsen matters. In the case of Optus, for instance, one complaint among some customers was that it was a while before they were informed.

Poh noted that communication is crucial when a cyber breach is discovered. “In all likelihood, the organisation may not have a clear picture of what has happened, how bad it really is, after an incident.

“Yet it is still important to communicate right from the start – to staff, to the regulators, to the police, to customers, to clients, to partners and suppliers, to shareholders and investors, to the market, and to the media,” she said.

Companies should also note that the regulatory cost of cyber breaches is rising.

From Oct 1, companies found in breach of the PDPA could also be fined up to 10 per cent of their local annual turnover or S$1 million – whichever is higher. This is up from a maximum fine of S$1 million in the past, a sum some directors may have decided was immaterial.

DBS analysts are estimating a regulatory fine of A$105 million (S$94.8 million) on Optus in the worst-case scenario. They noted that competitor Telstra was fined A$2.5 million after it failed to follow due process to protect its data, resulting in a data breach affecting 50,000 customers.

Regulators have shown favour to companies that take prompt action.

Local telco MyRepublic was fined S$60,000 last month for a leak of 80,000 customers’ personal information, including the scans of identification cards belonging to 75,000 Singaporeans and permanent residents.

While the Personal Data Protection Commission (PDPC) found the telco failed to put in place reasonable security arrangements to protect the personal data in its possession, it also noted that MyRepublic took prompt action to better protect its data and inform customers of the breach. The company also provided six months of credit monitoring to customers.

Seek greater assurance

Boards should not wait for the authorities to get tougher before they start taking cybersecurity seriously.

To improve their preparedness against cyber threats, Poh urged boards to periodically seek independent assurance that those responsible for mitigating cyber risk on their behalf are doing their jobs effectively, whether they are external or internal providers.

“The board should ensure that a proper cyber incident response plan exists for the company to respond in case of a cyber breach and this cyber incident response plan should be stress tested repeatedly,” she added.

It would be well for boards to disclose these plans to shareholders too, and to offer shareholders greater detail about cybersecurity incidents: what has been compromised, what the risks are to the company, and what is being done to avoid such a situation.

The best way to keep directors accountable and ensure they are asking these questions – and getting answers – would be to require them to make disclosures to shareholders.