Ep 2: Inside a Data Breach - Step-by-Step Destruction of a Business

Podcast: The Data Breach Playbook

Recorded on: February 26, 2025


Overview

What actually happens when a business gets hit with a cyber attack? In this episode, we take you inside the chaos of a real-life data breach—breaking down each step from the first moment of confusion to full-blown crisis response. Liam is joined by cyber lawyer Jason from Mills Oakley and cyber insurance expert Andrew from Infosure to unpack how legal, technical, and financial roles come together under pressure. They debunk common myths around cyber insurance, clarify what counts as a reportable breach under Australian law, and explain why early-stage decisions can make or break a business’s ability to recover.

Together, the team reveals the hidden risks most business leaders overlook—like commercial fallout from suppliers pulling out, or the steep costs of trying to fix things without the right cover in place. They also stress that the most effective incident responses are never solo efforts: it takes alignment between cybersecurity providers, insurance brokers, and breach lawyers to keep a business afloat. Whether you’re on the frontlines or in the boardroom, this is the episode every business leader needs to hear before their “what if” becomes a “what now.”

  • What qualifies as a “data breach” under Australian law and what doesn’t.
  • Why most business leaders don’t understand the legal thresholds.
  • How Managed Security Providers, Cyber Insurers, and Breach Lawyers work together.
  • The 3 overlooked risks of a cyber incident: legal, commercial, and financial.
  • The truth about insurance: it’s not just about payout—it’s about access to experts fast.
  • Real-life scenarios: how it usually begins, who gets called, and what happens next.

👨🏻‍💻 Host: Liam Benson – Cyber Strategist, Director, Evolve Cyber


Special Guests:

👨🏻‍💼Jason Simmons – Cyber Law Expert, Partner, Mills Oakley

👨🏻‍⚖️ Andrew Brett – Cyber Insurance Specialist, Director, InfoSure

Transcript

Hello, and welcome to the second episode of the Data Breach Playbook: Lessons for Every Business Leader. Today's episode is Inside a Data Breach: Step-by-Step Destruction of a Business. I'm joined by Jason from Mills Oakley and Andrew from InfoSure. Welcome, gentlemen. Thank you for joining me.

Thanks for having us, Liam. No worries at all. I really wanted to start and just get an understanding, because from my experience, or just from speaking with different business owners and business leaders, everyone's got a different understanding of what a data breach is. I would love, and maybe Jason, this would be something that you can do, as the lawyer, the most educated one in the room: maybe you could give us, what is a data breach?

What constitutes a data breach? Yeah, sure, Liam. I'm not sure if I'm the most educated person, I just know maybe different stuff than, yeah, lawyers do tend to have a bit of a reputation for being know-it-alls, but I'll at least try sharing, from my experience, what a data breach is, and I'm putting air quotes for those listening, not watching.

I think in simple terms, as it says on the can, it's a situation where an organisation suffers some kind of incident or event where data that the business holds is breached, compromised, stolen, taken, or accessed by someone that shouldn't have been accessing it or taking it. And that can be, of course, a criminal, an external unknown actor, or a threat actor as they can be known. Or it could actually be someone in your organisation who's done it accidentally, and everything in between.

And so the way the law interacts with a data breach is that in Australia, and I won't bore people with anything other than Australian law, under the Privacy Act, which is a federal piece of legislation, it says that when an eligible data breach occurs, and that's a defined term in the legislation, you need to report that data breach to the Privacy Commissioner, and you also need to notify the individuals who have been impacted by that data breach. In other words, people who have had their personal information stolen, compromised, or accessed without authority as part of that data breach.

And so I would say that eligible data breaches are actually a much, much smaller subset of data breaches, and that's really important for people to understand when listening to this: you will need assistance from people like me and Andrew and yourself, Liam, when you have had a data breach. It doesn't, and most of the time it won't, eventually be an eligible data breach that requires reporting. And that's something that most people don't understand until they've experienced it, and that's becoming more and more common. But I hope that's at least given people that broad understanding of what a data breach is. Hence this being called the Data Breach Playbook.

It's a good place to start. Absolutely. No, that's great to know and understand, because, at least again on my side of the fence, my industry loves to have all these different words and acronyms and meanings and things like that get thrown around. And when they're talking to business owners and customers, they're using all this language. And if I take my hat off of being a tech, a cybersecurity guy, and I put myself in the shoes of a business owner, half the time I sit there and go, what does that even mean? So thank you for helping define what that is. And it's very interesting too, from the legal or the law aspect of what you touched on. I think, at least for me myself, trying to read and understand a lot of that, it can be very difficult to understand a lot of the government acts and, not the legislation, but just the terminologies and things like that. So that is a great help with that.

Completely understand. And look, there's a bunch of other different types of cyber incidents that aren't data breaches as well, that are regulated and require assistance to get through. Ransomware attacks is an obvious one. Financial fraud is another type of cyber incident that can arise. Not every cyber event is a data breach. But they do tend to get the most attention, particularly from the media, because they're the ones that involve lots of people, lots of innocent individuals, mums and dads, who have been caught up in it.

Yeah, a hundred percent. No, thank you. Thank you for that. What I want to do is quickly just run through where each of us fits in the context of a cyber incident, and maybe the term that we should be using is cyber incident, for that very reason, or data breach. Obviously, I'm from, I'm a managed security services provider. We've got cyber insurance, and then we've got, obviously, incident response and cyber law in the room as well. I just wanted to touch on where we all fit in, because I think a common misconception, which I think was discussed on the previous episode, is that once an incident's reported, then the customer can put their feet up, or sorry, the business owner can put their feet up and go, cool, all handled. Whereas in reality there is a lot of backwards and forwards and crossover, and also I think it's important to acknowledge that, and I think this is what you said last episode, Jason, or you alluded to it, we're not all in competition. If anything, it's all three working together for the best result possible in a situation like a data breach, 'cause there's a lot that can go wrong.

I'll probably start off first in terms of the journey of where a managed security services provider fits in. As I mentioned in the last episode, we are, I would say, boots on the ground, the closest to the business owner in terms of helping reduce risk and understanding where the environment is at from a technical perspective, and then helping relay those risks to the business owner to say, hey, you don't have multi-factor authentication turned on for everything. Side note: it's 2025, people, turn on multi-factor authentication, please. It's 2025. I can't tell you how many times I come across that not being enabled. Side note over. We work with those business owners to help implement and lift the standard of their systems and their tech to make sure it is secured.

And then from there, depending on who you work with, hopefully you work with a good provider and they are recommending to business owners to get cyber insurance. And I think, again, we touched in the last episode on why that's important. But I think, Andrew, I... I completely lost my train of thought.

That's fantastic. Love that. Oh, it's hot. It is hot. Okay, so yes, that's what the MSP does and works with, and having us in the corner with the business owner, or the business itself, we are that kind of go-to tech, like, hey, we've got, we do have a cyber insurance agent asking questions about tech stuff. What do we do? Who do we speak to? No worries, let's try and help have that conversation and kind of try and translate a lot of the technical terms, 'cause as I mentioned before, there are a lot of technical terms. But yeah, Andrew, did you want to take us through, in terms of cyber insurance, where does that fit in the context of a data breach? I know we touched on that last time, so feel free to run through it.

Yeah, no, a hundred percent. And I think, for some business owners, it's so important to put things in analogies. Liam, let's just go crazy here and let's turn it into car insurance. Liam, you are the one that services the brakes, changes the tyres, gives driver training. You basically keep the car, to a point, and the driver, to a degree, from having an accident. You are so important because, outside of, you know, me, you don't wanna have an accident in the first place. It's very traumatising, it's a very expensive process, right? And as Jason said, it could affect someone else. So you could hit someone else, right? You are that guy. I am the insurance to insure the car. Jason is there as the crash repairer, or the person who's gonna bring the car back onto the road. Hopefully you do get back on the road, but, to me, the towing guy. Yeah. It's almost, sometimes a business owner needs to hear that. So Liam's gonna stop me from having an incident, or do his best. Andrew's gonna make sure there's enough finances in the kitty so that Jason can do his job. And I don't find myself in a pickle where Jason tells me it's 15 grand to fix the car and I have three grand. That's how I see it, yeah.

Yeah. No, and you're right. So cyber insurance, for me, doesn't step on anyone's toes. I specifically, I can only speak for our company, we've moved into, and actually Liam, you're a great one for this 'cause you're gonna attest to it, we work with insurers that don't rely on 68-page proposal forms with a pen that seem more like marketing homework than anything else. These days we work with software like UpGuard. We look at doing external, we can't do anything intrusive, in terms, but external threat monitoring, vulnerability scanning, things that are moving into the, okay, so what did you do with your client to stop us from having to pay out? As bad as it sounds, that's what they're looking for. But if it does happen, this is what we will provide.

The most important part of my job, to be quite frank, is to set the policy up well enough for Jason to be able to use it. Because if the broker does not set the policy up with the right limits, let's say for argument's sake you're a $20 million turnover company, someone says, yeah, I'll just buy a 250 grand limit. Jason, for your size, the size of your company, and what it's gonna take, 'cause naturally the bigger you are, the more data, PII, personally identifiable information records, you might have.

Even down to, and I'll go back to what you said before, there's actually, the way I look at this, there's three risks to a client having a cyber incident. There's the government risks, your legal regulations and the sort of things you have to abide by. Then you have commercial risks. So who says, even if the government said, hey, you're fine, you don't need to notify us, one of your biggest suppliers might go, oh, you spooked me. I really don't want anything to do with you at the moment. You have freaked me out. We're gonna hit pause on dealing with you. And they may give you a hundred grand a year of work, they may be your number one supplier. We've had cyber incidents where we've had to have people go in and negotiate with a supplier because they're threatening to kill a contract. Because that's fine, the government's not involved, but the commercial risk is someone in your supply chain goes, yeah, this has freaked me out. And then of course the third one is you just run outta money. Like, you just run outta money. I think there's government risks, there's commercial risks, and there's straight financial risks.

We're only as good as our cybersecurity partners. And to be quite frank, I'm only as good as understanding the business enough to know how much money they need in their bucket so that when Jason needs to use the bucket, it doesn't run out. Because it can, and Jason will touch on this, there's things people have never thought of that they're gonna have to pay for in a cyber incident or data breach regardless. And these are things that I learn every day, but we do know enough now to say that we know it like the back of our hand. So yeah, that's our role in it, and to be quite frank, as soon as the incident happens, it goes straight up to you, Jason, so I'll move over to you.

Yeah, look. In terms of, I guess, Liam, the overall picture of how we all work together, I think cyber insurance is a very unique insurance product in that it instantly engages cover. I know, Andrew, there's a few exceptions with notice periods and with different coverages, but not to get too complicated, the policy engages straight away. An organisation suffers a data breach or some other kind of incident and they notify their insurer, and it goes through into their incident response team. You're on a triage call within a very short period of time with experts to help you, compared to other types of insurance where, PI is nothing like cyber insurance, but yet people sometimes rely on it as cover for cyber incidents, but it's not engaged unless someone sues you. So that doesn't happen. Nowhere near that. We've just found some suspicious activity on an IT network.

And then when we're talking about scenarios, when we're comparing the home insurance or the car insurance, it's not a perfect fit, because it would be like, we know there's been an accident, we know there's been a fire. Cyber insurance actually engages where you've had a suspected data breach or a suspected cyber incident. You actually don't know yet exactly what's going on. And so you get access to a forensic expert who can get into your network, look at logs, look at the evidence, to decide is this something we need to worry about, or actually, are we looking okay? Can we actually just move on? And it's not as bad as we initially thought.

I guess it'd be like being on your way to the telegraph pole, and you get to call your insurer when you're about to hit the pole and just say, look, I think I'm gonna have an accident, can you help me? Actually, we think you're gonna miss. It's gonna be okay. Don't worry about it. Oh, now I've incurred these expenses. Don't worry, we're gonna cover them anyway. And off you scoot down the road. Heaven forbid you actually whack into that pole, and they're there for you as well. So that's, I think, a common misconception with cyber insurance: it's not like others where it requires a proven event or a claim against you.

It is a responsive product where suspicion alone is enough.

Yeah. Yeah. Great. Really great. And look, I'd love to play out an example or a scenario where a cyber breach would happen, to really understand where and how this all kind of fits together. And I think typically it can start any which way, but typically from my experience, and I'm sure your guys' experience as well, it'll normally start off with a call from a business to someone like myself: hey, something weird's going on. Or hey, we've... the classic one actually is, and I remember getting this call, hey Liam, we're seeing, we can't open any documents on our server. Can you jump on and have a look? Yeah, no worries. Jump on in. And then you see the file changed to sales contract encrypted. And you're like, okay, okay, there's an issue here. All right, let's jump on the phone and get cyber insurance involved in one way or another. And then I think from there, to be completely honest, I don't actually know what really happens from there. I normally wait for a call back from someone saying, hey, there's been a report of something.

Which is ironic, because, let's expel a myth right here. Most of the people I speak to from the IT and cyber world are, oh, the first thing the insurer will do is look at how to not pay the claim. So they'll pull out the proposal form with a pen and start going, how do we go through here and find out that you ticked X when you should have ticked Y? It's just not, it's just not, on any policy Jason and I work on, usually it's just not the case. Yeah. Yeah.

Yeah, look, where it goes next, Liam, and I've had the chance to work with some great MSPs where, yeah, you often are the first port of call, because that's normal. Like, you have the contract, the active contract where you might be providing day-to-day services, or you might be providing some more reactive, bespoke kind of things where you get a call and you help out an organisation. So you might get a call when something weird's going on. And so then you may ask, do you have cyber insurance? And if they say they do, who's your broker? Call your broker. Hopefully that retail broker then knows the process from there. And commonly across, and there's a large number of insurers in the Australian market, but generally speaking, they have a protocol which requires a phone call to the incident response organisation. It's commonly a law firm, but it might also be a forensic cybersecurity company or some kind of specialist IR firm. And they then literally interact with the insured as soon as possible as to what's happened. And it's a discovery exercise: what's happened? And on the calls that my team take, we are asking lots of questions, trying to find out what we can as quickly as we can, and seeing whether we need to involve other experts or whether it's something that we can deal with ourselves for them.

And then through that triage process, because we're on an insurance panel, the beauty that also provides to the insured is that they don't have to worry about updating the broker and the insurer from that moment on. It's not a case of, oh, now I've got to be writing emails every day: this has happened, this has happened. That's part of my job. It's actually then keeping the insurer updated as to what's going on and the costs that are being incurred. And the only thing that we ask of insureds is just to be available to be on meetings and provide information that we need, or interact with you as an MSP, or the security forensic people that might need to dig a bit deeper. Just to be willing to be involved in that process.

And, of course, provide instructions at critical points in time. That may be, do we need to notify the regulator or people? And we'll advise on that, and we need instructions whether to do that from the insured as well as the insurer. And then other, different, more commercial decisions, because where the law is at in Australia with regards to the notification of data breaches is that there are a lot of instances where one organisation might decide, I want to notify these two people impacted, and another organisation might decide, I don't want to, and both are correct and haven't done the wrong thing. And that may sound strange, but that's because the wording of the legislation that is used to require people to notify is subject to interpretation by lawyers like myself, and getting instructions from organisations, and opinions may differ. And also organisations' risk appetite or desire to want to tell clients and staff that this has happened can vary substantially. You've got organisations who will do anything to not notify, as long as they comply with the law. Then you've got the other organisations who are just chomping at the bit: I've just gotta tell my people, I've gotta tell my customers straight away. I'm like, you don't need to, mate, hold fire, it's okay. No, I really want to, I think they'll appreciate the transparency in it. Okay, let's do it.

Yeah. And just with what you were saying there, I guess this is expelling another myth: once yourself would potentially get involved in a situation like that, is it pretty much just that, at least from my perspective, the MSP just puts the feet on the desk and says, the guys are handling it? I don't believe that's the case. From the experiences I've had, it's been quite collaborative. Is that what you've been seeing and have experienced?

Oh look, I'm sure you won't be surprised, there's some service providers that aren't as collaborative as others. That's human nature, because it can be quite disruptive to their business as well if they're involved innocently as a service provider to an incident involving one of their clients. So we try and work with an MSP or IT service provider in a way that is just getting what we need: getting the access we need, information around what the environment's looking like, what investigation have they undertaken, what mitigation or remediation steps have they already taken, has there been any history that might be relevant? Things like that. We don't wanna overwhelm them; we appreciate it's not their job to be forensically investigating and representing. But as I said, I think it's just getting better and better. The more we get to work with MSPs on incidents, the more we can do a great job for our common client, because absolutely, as I think I said in the first episode of the pod, our main game is to get the business up and running again and complying with the law, and the service provider is a big part of that.

Yeah. Absolutely. Got any thoughts on that, Andrew? Naturally. Jason? No, Jason's incredible. He is, honestly. I think this is what I love saying to my prospects: we don't just sell policies. We speak to the people behind the policies, whether that's the insurer writing it or people like Jason who are responding, which, to be quite frank, I think is missing in a lot of cyber insurance conversations.

But no, it's fascinating to hear, I won't name names, I'm not allowed to, but to hear someone from the business end who was involved in a breach, and they said the most crucial thing for us, 'cause they had a board, was our breach coach. Which, as Jason will testify, it's someone to go, the client was saying, we want to go left; the breach coach was going, look, that's an option, but I'm gonna tell you four steps down the line where that may screw you over. I'd like to give you some feedback as to where I would take that. And the board's going, oh, we didn't even think of that. And they just said it was nice to have a, before we go...

What we're hearing with people who don't have any incident response help, or don't even have a plan, is that everyone's running around like headless chooks. Everyone's blaming each other. All of a sudden the council's yelling at payroll, payroll's yelling back, everyone's, this is your fault, now this is your fault. And to have someone in the room saying, it's no one's fault, we just need to work out what's going on. Which, that's a great point. My job, my sole job, is two things. One, to have conversations with businesses so they know they need cyber insurance. And two, to set the policy so that Jason can do his job. Now your job, Liam, is to prevent the incident. Do everything you can with that client to do that, right? Yeah. So it's this collaborative approach.

I think the whole point of the pod, and further episodes or series down, we're actually gonna have some stories around what's happened, and I just want people to think about, as the pod goes on, what am I gonna do at the moment? What do we have in place? Because as we said in episode one, no one goes through a list and goes, company's too small, oh, that's a good size. No. It is just straight opportunistic out there. It's, let's just go in and have a look and we'll steal what we can. As you say, there's small homes around the country that have very expensive things in them, and then there's massive homes that have not really much. You'd go in, you go, this is pretty boring. And so this is what's happening out there.

So yeah, the collaborative approach of the three of us, I think, is really gonna stand out in this over the next few episodes as well, because these are real, this is real. It's been real for a while. And, sorry, I will finish with my spicy sauce: the more that IT, cyber and insurance fight, the less business owners are gonna get. Because it's like politics. It's just like politics. If we sling mud at each other, nothing happens. I think that's my main mission. I've got a big network, I've been around for a while, I've got situations where everyone's humming along and the client loves it because they know they've got this team. The MSP or the MSSP, everyone's cyber insurance, we're all on the same calls, like we're doing now. We're all on the same call going, okay, that's not my area, you do that, he'll do that, I'll make sure I'm there for that. And the client's going, this is fantastic, this is awesome. I'm gonna actually, I wanna do what I do in my business, which is a hundred percent, which is great. But yep, that's my thoughts.

Yeah. It's an excellent point. We actually both want the client to still exist after the incident. It's not good for anyone's business if the client goes under; it doesn't matter how great their security was or what contract you've got with them, that's then null and void.

Yeah, look, I agree with you, Andrew. I think collaboration is the word this year between insurance, cyber, legal who work in that space, government. I'm seeing that at some of the events that I'm a part of, where the different sectors come together, because I'm sure you'd attest, Liam, cyber's been getting together for decades for awesome conferences. Andrew and I, we've just jumped on the bandwagon the last number of years and realised how cool these conferences are. Hopefully you continue to welcome us, because it's great to continue to meet more people, and all the work you do and all the fantastic experts across the industry. 'Cause we're not trying to cut grass here. We're just trying to help out clients in our particular part of the service pie.

Yeah, absolutely. And I think, if I was to sum up the key takeaway of this episode as we bring it to a close, I think that's the biggest thing: collaboration. Egos aside, when you collaborate, it really just becomes the best result for the business, and you've absolutely hit the nail on the head there, Jason. At the end of the day, if an incident happens, everyone's goal should be for that business to continue operating and have the least amount of impact. And I think that's really important to end on and to think about over time, because yeah, you're right, Andrew, it's so easy to get into mud slinging, but that's just not productive for anyone. So I think this is gonna be a great podcast. I look forward to the many more episodes to come.

I thank you both for being here and contributing. Join us next week for episode three, where we will dive into what a breach coach is in particular, or not, well, in particular, as well as incident response and how that all pieces together. We'll be delving into that. So thank you for joining in, and we'll see you next week.

Thanks everyone.