What is the actual cost of a data breach?
So, a data breach has occurred, and you don’t have cyber insurance. What will you do and how much will it all cost? This is a question that people often struggle to answer, as it isn’t something that many people will have considered before about their business. There are a range of factors that will affect the cost of a breach/attack.
The first cost is: response
How will you respond to a data breach? Often businesses will have to use an IT specialist to help them respond to the problem quickly and limit the damage that has already been done. IT specialists can become costly, often charging by the hour, and with no way of knowing in advance how long containing a problem will take, you can see how costs climb. Even if you have an in-house IT team, there is still a time cost: the hours spent on the incident could have been spent doing other things.
The next cost is less direct – reputation
The reputational damage that a breach can do may not be direct and may not be obvious, but this is the cost that will have a long-term impact on the business. It may have an immediate impact with a loss of returning customers or even the loss of a contract, depending on your type of business, and this will have an immediate impact on your cashflow. In the long term it may have caused such reputational damage that people are reluctant to use your business, which may cause cash flow problems. However, this will depend on the level of the breach and how quickly the issue was solved. It may be that an attack is resolved quickly and there was no loss of data or business interruption, in which case the reputational effects will be limited and possibly unnoticeable.
The third cost is: restoration
The restoration costs are the costs associated with getting the business back into the position it was in before the breach or attack. These can include the costs of the business interruption and the notification costs of letting clients know about the breach or attack. Along with these are the costs of getting the business operational again. If a ransomware attack locks you out of your documents and files, it is the costs associated with getting the documents back, whether you pay the ransom or have to pay an expert to come into the business and help unlock the files.
The final cost of a breach or attack is: regulatory
Are you going to be subject to a regulatory penalty as a result of the attack/breach? Penalties from the regulators can reach up to €20 million or 4% of turnover, whichever is greater. Regulators have the power to cripple businesses with penalties should they not live up to the new standards under GDPR. Businesses now have an onus on them to ensure the safety of the data they hold and to protect it. Data that is no longer useful must be destroyed, and you must demonstrate a legitimate interest in the data that you hold or have permission from the individual to hold that data. It is these small obstacles that will trip a business up and mean that regulatory penalties may be incurred.
Cyber insurance: protection after a data breach
All these costs can be covered by a policy, which means that should a breach/attack occur you won’t have to worry about the costs of each of these factors. Cyber insurance can cover each cost and provide you with immediate access to some of the best cyber specialists in the country, who can limit the damage done to the business. You can also get access to a PR team should you feel it necessary; this will help you to limit the reputational damage.
There are a few types of cyber claims. We feel it is important that you are aware of the types of claims that can arise under a cyber policy, so that you understand exactly what you are covered for.
Theft of data
The first type of cyber claim that you will be covered for is the theft of data. Data is a valuable asset and one that can be the difference between a business’s ability to operate successfully or not. The fact that data has value makes it worth stealing, as it can also be valuable to others. This makes it an enticing target for cyber criminals. This type of claim will cover the cost of rectification should data be stolen. These costs vary and can run into the thousands, so this may well be something you wish to cover, as paying these costs yourself can cause major problems with cashflow.
Theft of funds
You will be able to claim for any money that has been stolen from a company bank account. The growth of online banking and the advances that allow companies to move money between accounts mean that there is an increased risk of passwords being stolen and accounts being hacked. You should also make it good practice to change passwords regularly and avoid storing them in any insecure location.
Damage to data asset
Should your business experience damage to a data asset as a result of a cyber breach or incident, you will be able to claim the rectification costs back. Often when a data asset is damaged it is the result of a virus or malicious attack. In this instance it would be advisable to use an IT specialist to rectify the situation, which, depending on the type of issue, can become very expensive. However, with cyber insurance you will be able to recover this cost. It is also worth noting that insurers will be able to provide you with access to the best IT experts in order to rectify your issue quickly. Data asset damage can also occur when a piece of machinery or a device becomes damaged; in many cases this will be covered under your cyber policy.
Do you know how to respond to a Cyber incident?
Almost all SMEs don’t have the first idea about what to do in the event of a cyber incident. Best practice is to build a cyber response plan, but we understand that this isn’t necessarily something that SMEs have time to develop. So, we thought it would be beneficial to give you a quick step-by-step guide on what to do in a cyber incident.
Step one: Don’t Panic.
Notify your insurers and let them know there may be a potential claim. They will then be able to put you in touch with their cyber specialists, who can come in, speed up the process and reduce business interruption. If you don’t have an insurer you can still find cyber specialists who may be able to come in and help; however, this will come at your own expense.
Step two: Contain
In this stage it is important that you are able to localise the incident and stop it from spreading across your network. This can be done by simply disconnecting important hard drives from the network, and by ensuring that all documents crucial to business operation have been backed up elsewhere in a safe place that is not connected to the network, for example a cloud backup, which a cloud provider can arrange to run at the end of every business day.
Step three: Assess the Damage
Once you have protected your data you will need to begin the process of identifying what was damaged: does it need replacing, or can it be fixed, and was any data taken? Another crucial part of this step is establishing whether you can continue to operate or whether the incident has caused business interruption. This can be something that you are covered for under a cyber policy, in which case the insurer will speak to their incident response team to get an idea of cost.
Step four: Notify
A critical step is to ensure you notify the regulator of the breach and that this is done within the allotted period; otherwise you will be at risk of a penalty. It is also imperative that you notify all clients and customers of the breach, outlining whether or not data was taken. If so, what data was taken, and has the business lost any personally identifiable information?
Step five: Rectify
This is the step in which you have to begin fixing the damage: not only the damage caused by the breach itself but also the reputational damage it has caused with clients. Reputation is a fundamental part of any growing business, and damage to it can be harmful to your growth. Limiting reputational damage and getting clients back on side is crucial. To do this you may choose to appoint a PR team. This can be an expensive exercise, and not all SMEs will have the capital to do it. This is something that can also be covered by cyber insurance.
Read more on your options with cyber insurance.
GDPR (the General Data Protection Regulation) is coming on the 25th May 2018. This will empower individuals to take back control of their data. GDPR will give people rights over their data that they previously never had. This will also have an impact on the way that organisations handle data and the period for which they hold data.
Under the new GDPR regulations, data subjects have the right to ask a business what personally identifiable data it holds, which the business must produce within 30 days or be in breach. Data subjects will also now have the right to erasure (the right to be forgotten). This is whereby any EU citizen can approach an organisation and ask it to delete any data that it holds on that particular data subject; the organisation then has 30 days to do what has been asked of it and provide evidence that this has been done. Otherwise the data subject can go to the ICO and report that organisation, which may then result in a regulatory penalty.
Data subjects will now also have the right to the portability of their data. This means that an individual EU citizen can approach an organisation and ask it to collate all the data it holds and then send it to them or to another supplier. The organisation must then destroy all the data that it held. 30 days is the period in which to achieve this. The organisation cannot charge you for this either.
The clock is ticking on GDPR.
Other rights as a data subject under the new GDPR legislation include:
- The right to be informed: why a business holds your data and what data they have,
- The right to rectification: the right to make changes to your data,
- The right to restrict processing: the right to stop an organisation from using your data for a specific purpose,
- The right to object: this will mean that the organisation must take your data out of processing until further notice,
- And the right not to be subject to automated decision making, including profiling.
Understanding your rights as an individual will enable you to take control of your data and limit what is known about you by companies. It should reduce the amount of nuisance email you receive, as you can order businesses to destroy all data they hold relating to you. It will also stop businesses pooling and sharing your data in order to target you with more sales promotions. However, businesses can hold onto your data if they have a legitimate reason to, and/or if it is part of a legal obligation that they must hold records for a set period.
For more on GDPR, read the Key Principles of GDPR blog.