This health insurer just shored up its cyber security
She listed some important lessons from Australia’s recent cyberattacks, including: “How quickly you need to respond, how valuable security measures are and how important it is to keep building resilience so that you can operate whilst under attack.”
Allen, who studied cybersecurity and spent nearly two decades as the Commonwealth Bank’s cloud application governance manager, was in charge of her firm’s tool launch and security upgrade.
“We wanted total assurance that when we went live with the new tool that we weren’t going to run into any security issues and that it was fully locked down,” said Allen.
She said maintaining trust with members about securing their personal data is “essential.” Allen said the main challenges involved establishing strict assurance of cybersecurity and privacy protocols and finding a provider that would conduct penetration testing from within Australia.
“It’s really important to us that the pen testers themselves are in Australia for real-time reporting,” she said. Penetration tests, or pen tests, are authorised exercises in which a team of skilled security testers identify, locate and attempt to exploit vulnerabilities in a website or computer system so that they can be fixed before a real attacker finds them.
There’s also the ongoing challenge of compliance obligations. Since 2019, all financial services firms in Australia are required to be CPS 234 compliant. This APRA (Australian Prudential Regulation Authority) standard requires organisations to strengthen their information security framework. One main focus is clarifying the roles and responsibilities of third parties with access to data and information.
Westfund is also adopting the ISO 27001 framework, which is regarded by IT experts as the leading international standard for information security management. The standard is published by the International Organization for Standardization (ISO). Allen said this framework closely aligns with CPS 234.
“The challenge with both choosing a high standard framework and also having to comply with CPS 234 is reviewing your policies and processes to ensure that they align with the ever-evolving threat landscape,” she said. “We also need to keep reviewing our controls testing to make sure it covers all attack surfaces.”
Westfund chose Australian firm Sekuro to help take care of cyber security and the launch of its member tool. For Allen, one key factor in the decision was Sekuro’s penetration testing.
“The end-to-end process was great. We were particularly happy with the amount of engagement and contact that we had with Sekuro during the test,” she said. “We also really liked the way their report was designed and easy to understand.”
According to the Australian Financial Review (AFR), Sekuro, a cyber security consultancy, was formed last year through the merger of IT firms Privasec, Solista, CXO Security and Navir.
“They set themselves a high standard,” said Allen.
This month, the federal government also said it’s committed to better protecting local businesses from cyberattacks. The Australian Federal Police and the Australian Signals Directorate are starting operations to investigate and disrupt cybercriminal syndicates.
“Cybercriminals will be hunted down and their networks disrupted,” said a government media release. “It sends an important message to criminals and hackers intending to do harm – Australia will fight back.”
At Medibank Private’s annual general meeting on Wednesday, chair Mike Wilkins opened proceedings by addressing the cyberattack on his firm.
“This cybercrime event is unprecedented,” he said. “It has caused distress and concern for many of our customers, our people and for you, our shareholders – many of whom I know are also customers.”
Wilkins said “there is no doubt” that the crime is having “an enormous impact”. “This is a shocking crime – the size and scale of which we have never seen before,” he said.
Wilkins said his firm has commissioned an external review by Deloitte.
“This review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers,” he said. “We will share the key outcomes of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.”
He said the cybercrime has “understandably overshadowed” many of the health insurer’s achievements in 2022.