The Data Breach Playbook
March 4, 2025
The Breach Coach: Your Secret Weapon or Just Another Cost?

When a cyber attack hits, the clock starts ticking. But what happens next, and how much damage your business takes, often comes down to one key player: the breach coach.
In this episode, Liam from Evolve Cyber is joined by Jason Simmons (Mills Oakley) and Andrew Brett (Infosure) to unpack the critical role of a breach coach and why they might be the difference between a controlled response and complete chaos.
When things go sideways, do you have the right person in your corner? Or are you setting yourself up for a legal, financial, and reputational nightmare?
Host: Liam Benson – Cyber Strategist, Director, Evolve Cyber
Special Guests:
Jason Simmons – Cyber Law Expert, Partner, Mills Oakley
Andrew Brett – Cyber Insurance Specialist, Director, InfoSure
Hello and welcome. It's Liam here from Evolve Cyber. I'm joined by Jason Simmons from Mills Oakley and Andrew Brett from Infosure, and we are back for episode three. Welcome, gentlemen. Thank you so much for joining. Not a problem. Pleasure, Liam. Good to see you, mate. Yes, absolutely. And so today we are discussion, oh my goodness.
Wow. Discussing, we are discussing the topic of a breach coach and incident response, and how these two roles work together in the context of a data breach. So I guess the first burning question, which, to be completely honest, I didn't know this for quite a long time and I think it's not that well known as well, is first of all, what is a breach coach, and what is the role and responsibility of a breach coach?
Yeah, I'm happy to jump in there, Liam. A breach coach is, in short, a cyber lawyer trying to sound a little bit cooler in that they can be called a coach. Look, it's probably a title that's actually come out of America, where data breaches have probably been managed under legislation for a lot longer than in Australia.
And so we really adopted that terminology in Australia probably about a decade ago. And what it essentially means is a lawyer who specializes in advising organizations through a data breach: the different legal requirements, maybe in terms of reporting to government agencies, notifying individuals, and everything in between.
And because of the nature of the term data breach, someone, I don't know who, came up with the term breach coach. And we coach clients through the process, and you can follow that title through into: we train for incidents, we have a team of people that respond to the incident.
So yeah, as I said, we're trying to be a bit cool in what we are by associating ourselves with sport, which is probably an Aussie thing. We really associate everything we do to sport if we can. Yeah, I'm a breach coach for a job. That's great. I do think, I mean, if you were to look at a data breach, really the breach coach is that kind of glue that holds everything together, because yeah, when a data breach is unfolding, typically the people that come to you are like, oh, we dunno what to do.
So it makes sense that it's the glue that holds everything together. I know that you might have touched on it before, but in the context of potentially someone who is uninformed, let's say, I was gonna say I run an accounting practice, but that's probably not accurate.
I wanted to throw out a scenario there where it's, if I'm a business owner doing my thing, let's say I'm a property development company and I have a breach, how does, why is it important to have a breach coach in the context of a breach? Now, I know I probably touched on it before, but really, if I'm uninformed, why?
Why is that important to me? Oh, of course. And so in this scenario, a property developer's probably not an expert in privacy law. They may or may not have internal cybersecurity or IT services. Having someone like yourself within the team might not be the case.
And so it's important for them, right from the first moment that they learn of a data breach or some other incident, that they're led down the right path, 'cause you can go down the wrong path very quickly. You can quickly find yourself not complying with relevant laws. You might have stakeholders, customers, staff quickly getting annoyed with how you are responding to the data breach, because you just don't have that internal capability or expertise to know what to do.
And so my job is to come in, often not really knowing anything about the organization unless we've met before and done some training, but often that's not the case. Learning about the incident, learning about the organization, the people, the team as quickly as possible so we can, I think as we said in episode one or two, and my main game is actually to get the business up and running as quickly as possible. Minimize disruption to the business, help them continue to sell properties or develop properties, not make stakeholders annoyed, and comply with their legal obligations after that.
Yeah. Perfect. No, that's great. And your comments at the start of that: if I'm a property developer, not skilled in privacy law, most likely not, 'cause I've tried to read the Privacy Act and I gave up, so that's why we have professionals. Look, and of course, within larger property developers, and my firm acts for many of those,
there's fantastic general counsel, in-house counsel, legal teams running the day-to-day business of the property developer. And they would know property development contracts better than me. And so I'm not there to come in and tell them how to do their job.
In larger organizations, they're probably gonna have a solid understanding of privacy law, having had to have their own privacy policy or different procedures in place to deal with their own day-to-day business. But when it comes to the notification laws, when it comes to the cybersecurity legislation now, if in some way they're associated with other significant organizations that are gonna expect them to respond very professionally and quickly, they're gonna need a specialist. And that's what we're about. Maybe if we take the breach coach analogy a bit further, you've got the coach, the normal day-to-day coach on the sideline.
Maybe we're more like the special teams, if we're thinking American NFL for a second, where you come on for a particular play. That's really what we're there for. We're coming on to try and deal with a particular situation. We come in for a period of time and then we get back off the field. And if you want to use this again down the track, then we're there for them. Yeah. No, that's great. I love that analogy, that makes so much more sense. Now, I'm gonna throw a bit of a spanner in the works here a little bit. And again, sorry Andrew, if this question is really relevant, but again, putting myself in the mind of a business leader or someone who is learning about all of this for the first time, do most, and again, you might not know and that's okay,
do most cyber insurance policies include a breach coach? Or how could a business leader ascertain if a breach coach is gonna potentially be involved in their cyber incident from an insurance perspective? I hope that question makes sense. No, it makes a lot of sense. And I think this is what people should understand too, because I think in my experience cyber insurance gets painted with the same brush, but there are almost 35 providers of cyber insurance in Australia now, and the majority of them will use a different service.
So Jason is obviously from Mills Oakley, but then you've got Canopius, you've got Gliding Co, you've got internal, some insurers actually have their own internal professionals that they will staunchly use. Yeah, so you can't, again, this goes back to the whole sort of web of cyber insurance.
You hear some people say, oh, especially in IT and cyber, again, sorry to pick on them, but they're like, oh, I know about this thing. And you go, how? How do you know, if there's 35 policies with 35 different scenarios? How do you know? 'Cause I'm in the industry and I barely know, and I know a lot, but I would never, hand on heart, say I, some of these guys are more confident than me and I'm like, this is fantastic.
It's one of those things. So yeah, I think this is where it goes back to who you're buying your cyber insurance from. So just 'cause someone's a broker doesn't mean they understand the product.
Now, what we like to do, what we did at Infosure, was the first thing we wanted to look at was not the actual policy schedule, but who was behind the incident response. And that's actually how I met Jason, because I wanted to know who was gonna respond on that policy. Because Jason will happily say he doesn't work for every insurer.
So there's some insurance policies where you won't get Jason. Now, there should be an element of breach coach, or it might be called Incident Response Services, but you really do need to know who that is. So who are you buying it from? It depends on who you get. And I think it's a fair question.
You ask your broker, who's my incident response team? Who am I actually gonna be dealing with when this happens? And there's no question there that shouldn't be answered before you purchase the policy.
Because I see a lot of policies where people or businesses have bought them, but they wouldn't have a clue how to use them. And to be quite frank, it's almost as bad as not having one. Because of little things like, don't call, I always say to my clients, don't call me. There is a number that will go straight through to a 24/7 hotline.
And if you were to call me, you'd just be slowing down the process. And I can confidently say who your incident response is going to be, what services you're going to get from them. Now, in saying that long-winded novel of an answer, yes. Most policies should have some sort of breach coach service in them.
Yeah. Great. No, awesome. That makes a lot of sense. And again, as we're going along, I'm also picking up things here and there, and what you just said, Andrew, about not knowing what's in your policy. I'll be the first one to admit, again, I look at some documents and I'm like, what does this even mean?
So yeah, I think that's the hard part. It's saying, we all have a car, but if I have a Nissan Patrol and you have a Toyota Land Cruiser, they're cool, they're both four wheel drives, but they've got very different quirks and features. Yeah. And going back to what we said in the previous episodes, is making sure that when you're conducting reviews of your insurance policy, you've also got someone who can advise on that.
'Cause that's important, someone who can legally advise on the policy to help you understand it. No, that's great. Now look, I threw this question in 'cause I wanted to see what kind of response it gets, because again, putting myself in the shoes of someone who maybe doesn't know a lot about this. Let's say again, going back to that property developer scenario, Jason and Andrew, if I've got a cyber incident response plan, does that mean I'm all good?
I don't need a breach coach. I don't need all these different things. I'd say the opposite. I'd say that because you've recognized that you need an incident response plan, you recognize that you'll need someone to coach you through that plan. Now, if in the preparation of that plan you've engaged with Andrew and, through the insurer that you've gone with, you've met with the breach coach that insurer is gonna provide you with, I'd strongly recommend that they be given a copy of that plan in advance, and that you actually have a meeting to run through it, at least at a high level, if not a simulated exercise. So that then, when the real thing happens, they can coach you through that plan in a real life scenario.
So that would be what I'd think. Maybe that goes completely against what people's general understanding is: I've got a policy prepared and we spent all this time, we don't need that breach coach now. In my experience, a hundred percent of the time it's not a tick-the-box exercise.
When you have a cyber incident, the scenario is never gonna fit neatly within page one through to page 12 of your plan. It's gonna go all over the place. You're gonna have curve balls that you're gonna have to deal with. You might have team members off on leave. Something you haven't thought of.
Heaven forbid you're in the media and you're getting attacked. Look, it's something that I really think, in 2025, every organization should have, that being an incident response plan. But I hope it doesn't then become like a safety blanket that, oh, we're good now, we don't need those experts on call.
Yeah, no, I think if I jump in there, Liam. Yeah, go for it. Just before we move on. And again, I hope this podcast is filled with analogies, simple analogies that people can really react to. And that's the, Jason is a bit like a paramedic, right? It may be the worst day of your life, right?
So you've got a plan, you had a plan, sorry, before anything happened. Let's go to a car accident. It's really sad. It's the worst day of your life. You are absolutely in distress. Not to downplay the car accident, but for Jason, it's a Tuesday. It's just another day. And I can't stress to you, having Jason sitting in the room, everyone's running around.
Everything's on fire. What the hell is going on? And he's going, let's just take it back five, guys. It's just important to take five. This is my 120th data breach. I'm not saying it's not bad, but let's just calm down. I think that is priceless. So an incident response plan on paper:
fantastic. In the real world, use Jason. Yeah. Which is exactly, I know that was a bit of a loaded question. Sorry for throwing it out there. But that's exactly what I've been asked in conversations with clients and business owners: hey, what is this incident response plan, what do we need to do?
And when we've been looking at it, it's definitely been a case of I've looked at it and gone, this is great, having a plan. You've got steps in place, but really, it could go anywhere. And yes, having a plan is better than nothing. But I think that's a really great point that you shared there, Jason, about reaching out to your insurer, or potentially the incident response team behind that, and going through something like that and also doing a simulation.
That's a great tip. I'm actually gonna take that away and start doing that with clients, where we reach out and simulate: okay, if we make this plan and we do this, how does that affect, can we look at running some sort of light simulation just to go through it so we're all comfortable?
Because I think personally from my experience, and not just my experience, in general in my industry, quite often, and I equate this analogy and I'll bring it back in a moment, it's like when you evaluate a new product and it's all the shiny things and the vendor takes you through and shows you everything, and then when you get in there, it can be completely different.
And I don't like that when that happens in terms of doing sales demos or whatever in a business context. And I would hate to have a cyber insurance policy and you think it's gonna go one way, and then you call and it's no, we're actually going in the complete opposite direction.
Whereas sitting down and having that chat and being a little bit closer to the incident response team just helps, again, ease the nerves if something goes wrong, because you've already had a conversation. There's a little bit of relationship there already. So I really like that. Thank you for that. I think the other thing, and I'm gonna get cheeky and jump in again, and I hope that's the vibe we've got here, guys.
Hundred percent. I'll give you a pushback on this one, but how many incident response plans, if you haven't got an insurance policy, how many actually say roughly how much this stuff's gonna cost? Because it goes down the list and it's, oh, go through your standard operating procedures.
We are gonna do this. Fantastic. But if we don't have the sort of accountant or CFO in the room going, sorry, just a quick question, how much is this gonna cost? 'Cause I think you need to be, I actually think you should healthily know roughly. It could go either way, but roughly. I'd love to know. I would personally love to know.
Okay, so this incident response plan, what are we looking at here? And obviously no one can actually tell you, but if they could give you a rough guide, because we are hearing stats out there that even minor data breaches are going between 50 and a hundred grand.
Then you can look at your cash reserves and go, actually, we don't have 50 to a hundred grand that could go tomorrow. And that's what it's about. Do we have this? Should that not be, I'm gonna throw it out there, should that not be part of an incident response plan, the financial element? Because it's all good to say we have a plan, but can we afford the plan?
Yeah. Look, no, it's a great point. And look, it happens all the time for us where people do reach out to us and, once they get a scope of works from us and maybe the forensic investigator, it can be a bit of a reality check of how expensive the process can be. And also on the flip side, we get a lot of statistics around how much the average claim costs in the US
in terms of legal costs, forensic costs, and the numbers can be extraordinarily high and not reflective of Australia. And people can be alarmed by that as well. And so having that local understanding is important. And that's why speaking with a local broker expert like Andrew, running a simulation with you and I, Liam, where you get a bit of a scope idea.
You don't know for sure until, and things can change along the way, but at least it gives you something to go by. And if you've got an insurance policy that has an excess that might be in the multiple thousands, or $10,000, you need to know, is the cost gonna be more than that?
Because if that's the case, you've gotta have that excess available to be able to get going on your insurance coverage. Just like when we make a claim on our car insurance or on our home insurance, the insurer, first thing they ask for, don't they, is, yeah, you've got this excess on there.
These are the 101 things that we run through when we're talking with people, when we're practicing. Absolutely. Hot tip there. Try and get a deductible on your policy, because an excess is something you pay before you start; a deductible is something they'll deduct from the final payout. And that's me putting my broker hat on.
But there are both, and Jason's a hundred percent right, you need to know, because an excess is, we don't start till we, we need this money up front. A deductible is, instead of getting 250,000, you get 240 if it was a 10,000 deductible. But these are the nuances. These are the nuances that just, I don't know
Jason's role inside out, but I don't need to, 'cause I fill the bucket for you so you can go speak to him and he can give you his expert opinion. I would love to know, I've got a scenario here. Actually, let me just check here. Yeah, perfect. All right. I've got a scenario, which again, this might be completely left of field, and tell me if this is not related at all.
But let's say I'm a business owner and we have, I think if I put my business owner hat on, not tech hat, we've got a problem. I've reached out to my IT provider or my service provider and said, I think we've got a problem here. Can you have a look? And they've acknowledged and said, yeah, we've got a problem.
But they say, no, we're all good. We don't need to do anything. We don't need to engage insurance. We don't need to start that whole incident response process. First of all, is that good? Is that bad? And then second to that, what can I do in that situation as a business leader or business owner that's, oh, I'm not sure, that gut feeling where you're like, I don't know.
I don't like where we're sitting. What do I do in that situation? Yeah, look, I think in that scenario, let's assume you've got cyber insurance. You've gotta, as a business owner, have that confidence and take ownership of your business, in the sense that if your gut's telling you I need to reach out and ask for some advice from someone who's independent, maybe, of the current services that I'm receiving, then I should do that. And what I mean by independent is, that's often the case, and you know this better than me, Liam, is that there's a contractual service relationship between the IT service provider and the company, or the security provider and the company.
And when there's a breach, often there's an assumption made that possibly something has gone wrong or someone's done something wrong, and that it's not just a criminal doing what they do. And there can be a human nature of defending your work and wanting to make the position that, no, it's fine.
We can just quickly change your passwords, it's looking fine, let's move forward and fingers crossed that everything goes away. Getting that opinion from someone who has no existing financial connection to the business, and that would include myself and then by extension a forensic investigator, who can have a look at the incident and give an independent view very quickly on, look,
yeah, it's looking okay. And it can be done pretty quickly: a short triage call, maybe an email from me saying, no problem, no obligations, all the best. But if there's something not quite right, if there's something suspicious that requires further investigation, then, you know, we can recommend to your insurer that coverage be provided for our costs and we investigate.
And that's where I have, of which I've had thousands of phone calls with MSPs and IT service providers around, look, we appreciate, we're not saying you've done anything wrong here. We're here to help. Let's work on this together. Let's find out what's going on and get this business going again. It's not about finding fault.
I think that's a common misconception around data breach incident response: we're not investigating to find whether the IT guy stuffed up. Our main job is to investigate and give legal advice on whether there are obligations arising from the incident that need to be dealt with, regardless of however it happened.
Yes, we try and find out the root cause, like how did this thing happen? Because that gives us information around when it started and the different data that might have been compromised and whether it's still a live incident that needs to be shut off. That's all really important stuff.
But it's not about me dropping a letter of demand on the IT guy and saying, pay up. That's not it. That's not the main game. And often there's a phone call or a Teams meeting or two that needs to occur to calm the farm and make sure that we're all working on this together,
and gather the information we need so that our common client, being the organization that's been hacked, the victim, is looked after, and that we're not cutting any corners just because feelings are possibly gonna get hurt a little bit because we're digging into some services that have been provided.
Yeah. Gotcha. Two, yeah, my answer's in two parts. The first part is, as you said, Liam, they're very, not wary, but it's a bit like a public liability policy where there's something called a notification. So we've heard horror stories of cyber insurers getting the phone call: we've had an incident.
They say, when did the incident happen? They say, oh, a week ago, but my IT cyber provider's been tinkering away in the background. That can really blow up a claim and a claims policy. Not just that, there is actually, and again, all policies are different, so I can't give you a blanket answer, but all policies will have a notification period of, you just need to let the insurer know within the next, and as Jason said, they're not doing that to ping you.
They're not doing that to punish you. It's, guys, we are the ones who are gonna actually pay for all this. And they might come in and, as Jason said, have a look and go, it's fine, it's all good, keep going. Or they might say, look, we need to engage, we need to move in this direction. So it's not something to be feared. As Jason said, it's not there to have your homework marked.
And just the second part, sorry, of my answer was, I've had chats with MSPs that have told me, oh, as soon as they pay out the client, they're gonna come and recover off me. Not the case. Jason can probably attest to this. It has to be gross negligence to go and recover off someone, and it's just not.
Hey, if you've been grossly negligent, I can't do anything about that. But it's not a blanket, oh, now we've paid out the client, we're gonna go straight to the MSP and get our money back. It's just not the case. Yeah. It's more about how do we right this incident, back where it needs to go, and get the company back where they need to be.
Yeah, it's, I guess it frustrates me a lot when these things come up, about the friction points that aren't really there. Yeah. And I know they're not there, Jason knows they're not there, but we get told them almost so convincingly by these MSPs and cyber guys. We're just going, ask us questions.
You're making statements. 'Cause the fact is, I've got tough skin, but we're actually hurting the client here. The business owner's the one that's losing here, because there's so much, we talked about it in the earlier episodes, mudslinging, or there's too much friction.
The client's the one that's losing. Yeah. Because if they don't have the assistance and their business goes, they're the one that's gonna suffer in the end. Yeah, that's my answer. A, make sure you reach out to your cyber policy. They can have a look and push you in your way if they need to.
And B, don't have that fear that they're gonna come recover off you. Yeah. It's just not the case. Yeah, a hundred percent. And I think the underlying theme that I'm really starting to pick up with all of this is the fact that, and I think it's also a shift in perspective too. Look, I'll be completely honest, I have insurance in my business.
I never speak to my insurance broker or whoever, which is probably a bad thing. I should do that. But more to the point, I think what I'm really hearing is that, bring the cyber team or cyber insurance or incident response, bring them close to your business, bring the IT service provider closer.
There's a lot of teamwork and collaboration that can happen and a lot of preparation, based on what we've just discussed today. And I think if something was to go wrong, preparation is the key with all things, right? If you're prepared, you've had conversations, everyone knows what they're doing, where they're at.
That can lead to a much more positive result than if we're all scattered. And I think for the most part in these situations, at least from my experience, it can be very scattered, in terms of the business owner's talking to the cyber insurance company, the IT guys dunno the contact information for the cyber insurance.
So there's that whole kind of, it's all a bit fragmented, so yeah. Yeah, look, my last comment would be, Liam, is the far majority of the time I get to work with fantastic IT managed service people that actually take it personally and care deeply about their clients. And I had a call today with a fantastic managed services provider who, before the call, had prepared a detailed
understanding of what they've seen so far, so that right from the first moment my team could see what they knew already and we could jump onto the forensic investigation immediately. And they should be applauded for that way of working with us and understanding that we are a team, and they're wanting their client to come out of this as best as they can.
And it's only through more collaboration and more conversations like this that I think you will get rid of that fearmongering that can occur. A hundred percent. Absolutely. No, that's great. This has been a great episode. I think there's been some absolute nuggets of gold that have been brought up and discussed.
This is great. I think what we'll do is we'll close the episode off there. Are there any other final takeaways you guys wanna give out? If not, all good, we can end it there. No, I'm okay. Perfect. Alright, great. Thank you so much, both of you guys, for your time. What a great conversation. Join us next week for our next episode, where we delve into the world of legal counsel, especially around cybersecurity, which will be another really fantastic conversation.
Thank you again, Jason, and thank you again, Andrew, for joining me. We will see everyone next week. Thank you so much.