Ever get a client that’s asked, what’s the ROI of Operational Resilience (OpRes)? You likely have. And if you’ve been stymied, just tell them it’s the price of a major disruption, including associated financial, reputational, and other non-monetary costs. How do we determine the ROI of OpRes? Read on to find out.
The Medibank data breach reveals the ROI of OpRes
Here, it’s instructive to look to a recent crisis.
In October of 2022, Medibank, one of Australia’s largest insurers, detected unusual activity on its internal systems, in what would soon become one of the top crises of the last 12 months.
The insurer was soon approached by a third party looking to extort money with claims that it had illegally removed Medibank customer data. These claims were soon verified, bolstering the validity of the threat to release the data of high-profile customers if ransom demands weren’t met.
Sensing that there was little chance that the company would recover the stolen data, Medibank refused to pay the ransom.
Investigative journalists, however, soon alleged that the breach itself was the result of hackers gaining access to Medibank’s internal systems. Journalists claimed that these systems were accessed via compromised login credentials.
Medibank, for its part, eventually revealed that the data of 9.7 million past and present customers had been accessed, including email addresses, phone numbers, addresses, Medicare numbers, names, dates of birth, passport numbers, and visa details, as well as private medical information.
Many of these documents would soon be released on the dark web by the hacker, linked to a Russian cyber gang, with the Australian Federal Police, Commonwealth agencies, and the Five Eyes Law Enforcement partners all investigating.
For Medibank and its customers, though, the damage was done. The repercussions would be likewise swift.
Medibank now faces its fourth class-action lawsuit over the cyberattack.
And that’s not all.
The nation’s prudential regulator, APRA (Australian Prudential Regulation Authority) took the extraordinary step of imposing an AUD 250 million increase in Medibank’s capital adequacy requirement.
Why?
The regulator claims the sharp increase in capital requirements reflect the demonstrated weakness of Medibank’s information security environment.
What’s OpRes got to do with it?
How does this relate to the ROI of OpRes?
By definition, OpRes is the capability that ensures that such disruptions don’t happen. And if they do, they’re not so devastating.
Indeed, here, OpRes refers to the initiatives meant to expand business continuity management programs with an effort toward focus on impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders, e.g., such as employees, customers, citizens, and partners.
Is it worthwhile, then, for clients to invest in these initiatives?
The case of Medibank more than suggests they are.
For, clients can either shell out the upfront costs for an effective OpRes program that would mitigate the risk of a serious service disruption. Or, they can suffer that disruption – as one in every two organizations do according to industry data – and pay the average price of USD 10,000 per hour to deal with it.
But how to build an effective OpRes program? Download our guide to OpRes Best Practices to find out.
.svg)
.svg)
.svg)