In February 2019, LandMark White (LMW), Australia's largest independent property valuation firm, publicly announced that a key online platform had been compromised and that third parties had accessed over 100,000 records, including property valuations and information about borrowers, lenders, homeowners and property agents.
LMW suffered severe financial and reputational harm because of the incident. The matter provides an important case study highlighting the need to proactively manage security risks, to avoid the catastrophic impact data exfiltration events can cause.
The means of compromise, somewhat surprisingly, was not a sophisticated attack. Rather, it was attributed to a basic failure by LMW to enforce authentication requirements for API connections to the valuation platform: the platform's API could be reached and queried without the caller proving who it was. The nature of the vulnerability has led to significant public criticism of LMW, given it is a commercial entity listed on the Australian Stock Exchange with around 400 staff across more than 40 offices and forecast financial year revenue (before the incident) of $55 million.
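To make the failure concrete, the following is an added illustration and not LMW's code or any description of its actual platform. It is a constructed, self-contained Python sketch of a record-lookup API in two forms: an "open" handler that serves a record to any caller, and a "protected" handler that checks an API key before touching data. The route table, header names, client id and key are all hypothetical. The audit function at the end is the kind of defender-side check that turns "someone knew the endpoint was unauthenticated" into a finding that fails a build.

```python
import hashlib
import hmac

# Constructed sample records, not data from the incident described above.
VALUATIONS = {
    "1001": {"address": "1 Example Street", "valuation": 850000, "borrower": "Borrower A"},
    "1002": {"address": "2 Sample Road", "valuation": 1200000, "borrower": "Borrower B"},
}

# Hypothetical API credentials for an integration partner. Only a hash of the
# key is stored server-side so a leaked table does not leak usable keys.
API_KEY_HASHES = {
    "partner-demo": hashlib.sha256(b"demo-secret-do-not-reuse").hexdigest(),
}


def credentials_valid(headers):
    """Return True only if the request carries a known client id and a key
    whose hash matches the stored hash. Uses a constant-time comparison."""
    client = headers.get("X-Client-Id")
    presented = headers.get("X-Api-Key")
    if not client or not presented or client not in API_KEY_HASHES:
        return False
    presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented_hash, API_KEY_HASHES[client])


def get_valuation_open(record_id, headers):
    """'Before': the handler never looks at who is calling, so anyone who can
    reach the endpoint can read records by id."""
    record = VALUATIONS.get(record_id)
    if record is None:
        return 404, None
    return 200, record


def get_valuation_protected(record_id, headers):
    """'After': authentication is checked before any record lookup, and the
    failure path reveals nothing about whether the id exists."""
    if not credentials_valid(headers):
        return 401, None
    record = VALUATIONS.get(record_id)
    if record is None:
        return 404, None
    return 200, record


# Route table: each entry declares whether it is meant to require authentication.
# The flag is metadata the audit below checks; the handler still has to enforce it.
ROUTES = {
    "/api/v1/valuations": (get_valuation_open, False),
    "/api/v2/valuations": (get_valuation_protected, True),
}


def dispatch(path, record_id, headers):
    """Minimal router standing in for a web framework."""
    handler, _ = ROUTES.get(path, (None, None))
    if handler is None:
        return 404, None
    return handler(record_id, headers)


def audit_routes(routes):
    """Defender-side check: list routes that serve records without authentication.
    Run it at startup or in CI so an unprotected endpoint fails the build
    instead of relying on someone remembering to raise it."""
    unprotected = []
    for path, (handler, auth_required) in routes.items():
        if not auth_required:
            unprotected.append(path)
        else:
            # Confirm the flag is actually enforced: a credential-less request must be refused.
            status, _ = handler("1001", {})
            if status != 401:
                unprotected.append(path)
    return sorted(unprotected)


if __name__ == "__main__":
    good = {"X-Client-Id": "partner-demo", "X-Api-Key": "demo-secret-do-not-reuse"}
    print("open endpoint, no credentials:", dispatch("/api/v1/valuations", "1001", {}))
    print("protected endpoint, no credentials:", dispatch("/api/v2/valuations", "1001", {}))
    print("protected endpoint, valid key:", dispatch("/api/v2/valuations", "1001", good))
    print("routes needing attention:", audit_routes(ROUTES))
```

The point of `audit_routes` is that the authentication requirement is declared in one place and verified mechanically, both by reading the declaration and by sending an empty request to each route that claims to be protected. A route that is reachable without credentials shows up in the list regardless of whether anyone on the team already knew about it.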
There are a number of key learnings companies can take from LMW’s situation, to improve their own cyber resilience, and reduce the likelihood of suffering a similar experience.
Rethinking an organisation’s key assets and data
Deciding when and how to prioritise information security funding is an acute challenge, given all organisations have limited resources in terms of time, head count and financial capacity.
Many companies have moved beyond the traditional mindset that data security is an IT problem, rarely examined across the whole enterprise, and a potential drag on revenue generation. It is generally accepted that cyber security is critical for an organisation’s wellbeing because a compromise or loss of key systems can cause immediate financial and reputational harm.
Many companies adopt strategies which focus on identifying key operational data and systems, and putting in place layered security around these crown jewels. The LMW breach highlights that further analysis is needed to examine exactly what key data a business relies on, what data is sensitive to the organisation's stakeholders, and how a system compromise could harm the business's clients.
LMW's valuation platform has been described as being used primarily for external staff access which, at first blush, may not seem an obvious business-critical system. The platform, however, stored data important to LMW's key clients, who immediately suspended LMW from their panel of valuers after the incident. LMW has estimated the suspension will cause a financial loss of $7 million in the current financial year.
To identify consequential risks such as those faced by LMW, organisations should carefully examine how data breaches impact clients and stakeholders, and the potential harms data subjects could suffer. This requires a cross-functional approach, drawing together different business units. Organisations seeking to learn from LMW should also develop loss scenarios for potential incidents that consider both enterprise and technical implications. Using this method, spending on the true key systems and data can be identified and mapped out.
Internal cyber governance
Reports in the Australian Financial Review suggest at least 15 people across LMW’s team of IT staff, contractors and senior management knew of the vulnerability in LMW’s platform before the incident. While the facts about the incident are not known, this could suggest a breakdown in internal reporting, and the way security concerns are communicated and acted on by management.
In some organisations, challenges arise because cybersecurity governance is not aligned with other organisation-wide risk processes and procedures. Increasingly, specialist functional groups are established within organisations to monitor and address data risks and to provide clear accountability for reporting and escalation of security concerns. To provide the most benefit, these specialist groups need to work closely with information security staff, as well as operational, legal and risk teams.
The Australian Securities and Investments Commission (ASIC) has repeatedly stressed that boards must take ownership of cyber strategy and ensure the strategy is reviewed on a periodic basis to assess progress against the success measures it outlines. LMW may be subject to future examination of its level of board engagement with cyber security, including whether the board regularly examined information security processes, the measures taken to detect vulnerabilities, the speed of response and the strategies for recovery.
Resilience and recovery
It has been suggested LMW received warnings through email and social media that its data had been compromised in late December and early January; however, these were not acted upon. A key focus for resilience strategies is ensuring potential warnings (even if they may just be spam) are reported and analysed so that any suspected incidents can be triaged immediately. Scenario testing is also critical so that it is clear who within the organisation will have responsibility for decisions, and how the company will act during the time-critical crisis period when an incident is discovered.
LMW’s situation also highlights the importance of comprehensive cyber insurance cover. This requires obtaining a dedicated cyber insurance policy, as opposed to seeking cyber extension in other traditional insurance products such as property, management liability and crime. Cyber extensions typically only provide base levels of cover and are subject to stringent conditions and definitions.
Assuming LMW obtained appropriate cyber insurance, it will be entitled to recover the immediate costs of investigating the incident, retaining independent legal and forensic assistance and for providing notification under the Privacy Act 1988.
Leading cyber insurance wording will also cover business interruption and reputational harm loss suffered as a result of a covered cyber incident. LMW's estimated financial loss of $7 million can be covered by these insuring clauses. It is imperative, however, that organisations carefully examine cyber insurance business interruption wordings and work with an expert broker to craft appropriate cover, given these covers are relatively new and can raise complex issues around whether loss is directly or solely caused by a covered incident, how indemnity periods accrue, how supply chain partners' actions are treated, whether mitigation steps taken by the business affect cover, and how commercial actions taken by the organisation will be treated.
Focusing on the real third party risk
While it has become commonplace to hear stories of million-dollar litigation brought against overseas companies following a data breach, the truth remains that Australia is a more conservative litigation environment and to date there have been few court proceedings instituted because of data breaches. LMW demonstrates, though, that substantive third party concerns can still arise for Australian companies.
The contractual obligations between an organisation and its clients or suppliers often include warranties regarding the availability of services, apportionment for how costs of a breach will be managed, provisions regarding the suspension of services, and potential indemnity clauses where sensitive and confidential information is lost. These key terms should be closely examined both in terms of how they can create legal exposure and the steps that will be imposed on the company when a breach arises.
Australia’s regulatory environment has also become more active and privacy breaches can increasingly require organisations to manage investigations from multiple sources such as the Office of the Australian Information Commissioner, ASIC, and industry-specific bodies.
LMW also highlights potential risks that listed companies face under continuous disclosure law. Following the announcement of the breach, LMW's share price dropped by almost 50%. Given the suggestion that LMW had prior knowledge of the vulnerability, it is possible shareholders could pursue an action focused on any potential failure to comply with LMW's continuous disclosure obligations.
The ultimate outcome for LMW will depend on what happens in the coming months and potentially years. While it seems clear the business will recover, both the immediate and long-term harm which has followed the breach provide a clear warning for other organisations, and lessons on how to improve their own cyber resilience.