The real impact of cybersecurity breaches on customer trust

Cybersecurity landscape

Australia is facing an unprecedented volume of cybersecurity attacks. We are getting used to news and headlines that inform us that our passwords have been breached, identities have been stolen and personal and health information has been leaked and misused. The objective that all attackers are pursuing is very simple: sensitive data. The more the better.

Optus and Medibank were some high profile breaches in 2022 to remind companies of their responsibility to secure and protect customer data and Personally Identifiable Information (PII).

Regulation and mandatory disclosure requirements

Regulatory bodies such as Australian Prudential Regulation Authority (APRA), Australian Securities and Investments Commission (ASIC) and the Office of the Australian Information Commissioner (OAIC) have taken action to require companies to notify customers if their data has been subject to a breach. This can help customers to take reasonable measures to protect potential flow-on effects after cybersecurity incidents and to prevent further harm. In instances where mandatory disclosure requirements are not complied with, hefty fines loom as a threat to companies that fail to exercise adequate due diligence when handling and securing PII

Impacts of cybersecurity incidents
When analysing a cybersecurity incident, we generally observe direct and indirect impacts:

1. Direct
   Remedial costs - remediation of the incident and restoration of systems and services to an operational state. For example, in the event of a ransomware attack, or an impairment of the production environment. Remedial costs can include specialist third parties to support restoration procedures or conduct forensic investigations.
   
   Lost productivity - impacts to operations due to unplanned outages or downtime, which result in top- or bottom-line losses.
   
   Regulatory & fines - punitive fines issued by regulators for the lack of protective measures of critical information such as PII or system of records.
2. Indirect
   Reputational - loss of customer trust and confidence in the service provider having adequate measures in place to protect data and information. This is often partially reflected in the share price of the entity (where publicly listed) and can adversely influence customer sentiment.
   
   We are starting to observe that cybersecurity breaches that are publicised, particularly through mainstream media channels, eventually reduce customer retention and revenue growth.

Customer churn & retention

Customers have the expectation that their information and data is managed in a secure manner and protected from unauthorised access. But how willing are customers to exit contracts and move to other service providers, in instances where their personal data has been exposed and exploited? Based on our analysis of the ANZ market, we are observing that in mature industries where there is high regulation and high competition, the presence or absence of trust can make a meaningful difference to customer retention.

Case Study

Latitude Financial Services
On March 27, Latitude Financial Services, a company that is leading in digital payments, instalments and lending, confirmed that criminals had stolen 14 million customer records, with a large portion dating back to 2005.

The data that has been exfiltrated included names, drivers' licence numbers, addresses and dates of birth that were compromised in the breach, along with thousands of passport numbers.

In a filing with the Australia Stock Exchange (ASX), Latitude estimated the after-tax losses of the breach at ~$105m AUD . This amount does not include regulatory fines, class actions or insurance-related costs.

For reference, Latitude claims the costs for containment and remediation of the breach add up to approx. $7m AUD to date with additional $46m provisioned for future costs.

Consider this breach in light of previous recent cybersecurity incidents: based on prominent examples such as the Optus breach, we expect a loss of customers moving forward. In Optus' case, the breach led to a significant drop in net subscribers, which took until the end of the calendar year to return back to a customer-positive position. With regards to Latitude Financial Services, we are able to expect further indirect costs through loss of customers

The increasing challenges of cybersecurity in the enterprise

How can companies secure their information assets to ensure sustained customer confidence? The approach starts with the brilliant basics – focus on strengthening the systems that are managing PII and sensitive customer data. This ranges from data stores and covers backups and recovery mechanisms, and even local copies of customer records that may have been mistakenly stored without being encrypted.

Cybersecurity practices can be fairly prescriptive with detailed controls, structured within the context of capabilities. There are different frameworks detailing both preventative and detective controls. A common example is the discovery and remediation of vulnerabilities of publicly exposed resources. Nevertheless, technology advances at a rate that poses challenges for the usual cybersecurity practices to keep up with whilst still adding the layer(s) of protection required to maintain confidentiality, integrity and availability.

Cybersecurity professionals generally refer to 'Defence in Depth' as an approach to secure multifaceted environments. This refers to aggregating additional layers of protection to minimise both impacts and likelihood of cybersecurity breaches.
To demonstrate the challenges that cybersecurity professionals are facing on frequent basis, we have outlined some recent examples based on our experience with clients in the industry.

Artificial Intelligence (AI)

The engineering teams are leveraging AI that needs to be trained constantly to detect changing patterns for the profiling of customer behaviour. The non-production environment is therefore proliferated with production data for training purposes (e.g. customer transactions). Generally, it is considered better practice to ensure that controls in the non-production environment match the controls of the production system. This is an additional challenge considering complexities such as superuser access and segregation of duties across different environments.

To secure personal information, organisations can choose to strengthen security detection and response solutions, deploy additional security controls at the perimeter or streamline access controls (for both users and other applications and services) to protect sensitive information.

Data Stores

Consider this hypothetical scenario: as part of a large digital transformation program, a new Enterprise Resource Planning (ERP) solution is implemented to consolidate multiple data stores, such as Customer Relationship Management (CRM) platforms, warehouse management solutions and third-party inventories (both on-prem and in the cloud). The data stores contain sensitive customer data. Whilst the data is fragmented, the real value becomes apparent once data gets aggregated to deliver full PII and customer records. To add additional levels of security around sensitive information, you can decide to increase infrastructure security (e.g. network, perimeter, etc.), or to perform a programmatic data discovery exercise to identify sensitive information within the environment that is not accounted for.
The identification of sensitive information across both structured and unstructured data sources impacts cybersecurity considerations - in short, you cannot protect information you are not aware o

Application Programming Interfaces (APIs)

Another hypothetical: as part of a digital transformation program, technology teams are implementing APIs for high risk, high volume transactions to enable efficient integration between services to improve the overall customer experience. A major challenge with the securitisation of APIs is the identification of vulnerabilities - this is due to the fact that exploiting APIs requires contextual information of the application and data in scope as opposed to the traditional approach of scanning open ports and identifying/remediating vulnerable software. APIs are fundamental to the concept of automation, and their usage requires a new approach to security in order to facilitate communication between applications and services.

To secure API calls you can increase security controls at the perimeter to prevent unauthorised access from outside the organisation, or leverage concepts such as tokenisation or just in time credentials. This can help in protecting the exchange of information between applications, or to ensure that API calls are authenticated.

The examples above demonstrate the challenges of securing information and data when leveraging digital and emerging technologies. In these cases, leveraging traditional frameworks and approaches for managing cybersecurity may not suffice to protect sensitive information from unauthorised individuals.

Trust as a key Unique Selling Point in highly competitive markets

Service providers and companies that manage large amounts of PII are in scope of targeted campaigns by malicious actors, leveraging carefully crafted social engineering and other techniques, e.g. supply chain compromise.

Cybersecurity is by design policy and framework-driven and adds preventative and detective controls, leading to better practice frameworks and approaches. However, the recent breaches have demonstrated that there are requirements to break down policy and frameworks to a more granular level and look behind the usual Essential 8. Whilst frameworks are comprehensive in nature, the technology landscape evolves at a rate requiring additional controls and approaches to protect customer information.

When quantifying the actual cost of cybersecurity, we observe the following: where service providers have been breached and customer data has been stolen, customers are willing to leave in favour of a competitor. This applies in particular to markets that are highly competitive and where a change of providers seems seamless. We are posing the hypothesis that, on the flipside, customers are willing to stay with a service provider that can secure their sensitive data and continue to earn their trust; specifically in the case where service providers make data security a visible and fundamental part of their service offering.

Building a business case for cybersecurity investments is always a challenge. However, it's increasingly evident that failing to invest in cybersecurity has consequences in top line growth.

Disclaimer - this assessment is not representative and considers an amalgamation of insights across communications, media & technology companies. For simplicity in this article, data points are aggregated.

Written by: Shashi Samar – Partner, Infosys Consulting