The Optus outage shows us the perils of having vital networks in private hands

As a private company, Optus has no legal obligations to report publicly on its financial statements or governance arrangements, unlike its competitor, Telstra Ltd. They don’t even have to report to government, despite holding a licence to be a carrier under federal legislation.

Optus is the second largest supplier after Telstra of national carrier infrastructure in Australia. Its services are critical to the operation of our economy and community wellbeing. An illustration of this was the failure of the emergency 000 service during the outage. People with Optus couldn’t contact emergency services for up to 14 hours.

The obligations of listed companies

If Optus was a publicly listed company, like Telstra, it would have to comply with the listing rules of the Australian Stock Exchange (ASX). This means it would have to disclose any information that could reasonably be expected to affect the price or value of the entity’s shares.

An unexplained system-wide outage of carrier services would arguably warrant this. If these rules applied to Optus, it would have had to issue regular market updates on developments during the outage. The odd, unannounced phone call by the Optus CEO to a radio program would be unsatisfactory.

A quick review of the Optus website’s “About Us” section suggests a number of apparent shortcomings. Contrary to the recommendations of the ASX corporate governance rules not a single member of the Optus executive board of directors qualifies as an independent director, that is, a director with no apparent ties to the company.

The idea of the independent director is to help a company board break out of its group think. In a crisis, for example, this would mean asking hard questions of executive management. While ASX governance rules technically only apply to public companies, they are a role model for all corporates, including large proprietary companies like Optus.

No details of the company’s risk-management arrangements are given either, including the chief risk officer. This is extraordinary for a company whose recent history (cyber hack, system outage) shows its exposure to extremely high levels of risk.

There are also no details of who monitors the executive management of Optus. It is important to see this for what it is - Optus devolves its corporate governance responsibilities to Singtel and runs a very lean operation in Australia.

This is seemingly good for Optus from a cost management viewpoint, but bad for Australia because we are leaving the governance of critical national infrastructure to a company with no direct accountability to the public and minimal accountability to the federal government.

Poorly prepared for a crisis

The absence of a comprehensive crisis management plan was obvious during last week’s outage. Despite experiencing a wide-scale cyber hack in 2022 Optus seemed ill-prepared to handle the system outage. You have to ask: why wasn’t a plan prepared well in advance of any such crisis?

Crisis management should entail a communication hierarchy and a systematic response. It is a key part of a company’s risk management system. This means knowing who needs to be notified and when to notify them. Presumably, high on that list would be the government. Instead, Bayer Rosmarin phoned radio programs revealing snippets of information in an ad-hoc way.

As part of crisis management, system fixes should be prioritised and companies obliged to tell the public the order in which these will be tackled. For example, the first fix should be health and hospital services. This did not happen. Instead, the absence of a clear plan only fuelled public anger.

Optus likes to control the narrative

Optus likes to tightly control its communication narrative. It refused to publicly release the Deloitte report on its 2022 cyber hack, until late last week when it was ordered to make it available to litigants in a class action.

Similarly, the chief executive was reluctant to explain the current system outage, effectively asserting that there was no point until they had “bottomed out the root cause” and could make it more digestible to the public.

Optus held all the power, yet when it did finally explain the failure days later, it was described as caused by a system upgrade and a failure of routers. Hardly more digestible than the system failure we already knew it to be.

In an increasingly digitised world, technology failures and system outages have become a fact of life. ASX Ltd, the licensed operator of Australia’s equity market, experienced a bad one in 2022, known as the collapse of the Clearing House Electronic Subregister System replacement project.

Knowing less than we would like

We know more about that failure than we will ever know about the Optus crisis because the ASX is a public company and was required to make continuous disclosure to the market.

In addition, ASX is also accountable for the management and governance of its critical infrastructure on an annual basis under licence arrangements overseen by the Reserve Bank and the Australian Securities and Investment Commission .

Like Optus, these failures have been the subject of hearings before parliament. However, there are no equivalent accountability requirements for Optus. Surely, the national telecommunications infrastructure managed by Optus is every bit as important as ASX’s clearing house infrastructure?

It is time to ask what accountability mechanisms should be in place for companies like Optus, whether they are enough and who watches over them. Where are the yearly assessments of that infrastructure by government agencies? The Senate inquiry, which was announced the day after the outage, will hopefully tackle these issues with the serious attention they deserve.

Helen Bird is a member of ASIC's corporate governance panel. She has received funding from the Criminology Research Council and the Australian Research Council in the past.

This article was originally published on The Conversation. Read the original article.