For 7 months, cyber criminals had access to – and successfully exfiltrated – the extensive personal records of some 20 million US citizens. The American Medical Collections Agency had spent $1 million, as recently as 2015, upgrading and modernising its IT infrastructure. In its 40 years of existence (it said) it had never had a data breach.
The successful hack was identified (by a third party, as is so common) at the end of March. AMCA’s main customers terminated their contracts and outraged victims launched class-action lawsuits. The founder had to provide $2.5 million just to meet the regulatory obligation to notify the victims. AMCA spent $400k with 3 cyber security companies, trying to bolt the door after the horse had gone. It had to fire 80% of its staff as it struggled to survive.
It failed. Yesterday, AMCA filed for bankruptcy protection in order to complete an orderly liquidation.
I think there are four key lessons:
- Cyber security has to be proactive, addressing both internal and external threats, and has to evolve quickly to match changing attack patterns;
- Spending $200k per annum on active cyber security to ensure you stay in business is smarter than spending $400k after your business has been destroyed;
- Cyber insurance is not an adequate defence against this sort of catastrophe;
- Directors who do not insist on seeing credible, regular evidence that their organisation is spending enough on its cyber defences are being negligent. Cyber mismanagement now ranks alongside financial mismanagement as a cardinal sin for officers of a company.
I hope that the other lesson – that burying your head in the cyber sand, believing that, because something has never happened to you it never will – doesn’t need to be spelt out. Nobody should willingly put themselves in the same position as the founder of AMCA, where you see 40 years of hard work building a business get utterly destroyed in a couple of months.