Cyber: dealing with a data breach

• Cyber incidents is the number one business risk for companies around the world, according to the Allianz Risk Barometer 2023, with data breaches the cyber exposure of most concern.
• Regulators are exerting pressure on businesses to tighten data security, with large fines or even prison sentences facing those who fall short.
• Businesses need to draw up, test and practice cyber incident response plans, including consulting specialist third parties.
• Crisis communications should be part of your preparedness, ensuring timely information can be communicated to stakeholders and authorities.

Following a cyber breach, there is a critical moment – perhaps only a few minutes or maybe an hour or two at most – when the decisions made will significantly influence the outcome. For this to be minimally damaging, there needs to be a thorough understanding of what is likely to happen and what is at stake.

So advises Robin Kroha, Chief Information Security Officer & Head of Global Protection and Resilience at Allianz Services. A company must be meticulously prepared for a serious breach, with a cyber incident response organization and plan in place. This includes exercising critical scenarios in advance and having a trained team who clearly understand their roles and responsibilities.

“Plans are important,” Kroha acknowledges. “But exercises are critical because even the best plans cannot replace a well-prepared team. Plans must be practiced to ascertain their effectiveness in a real-life incident.”

The growing number of cyber incidents remains the most significant concern of companies for a second year in succession, according to the annual Allianz Risk Barometer. “In the 2023 report, 34% of the responses from more than 2,700 experts around the world ranked cyber incidents as the greatest risk their companies face [1],” says Michael Daum, Global Head of Cyber Claims at Allianz Global Corporate & Specialty (AGCS). “In particular, we are seeing increasing cases of data breaches, either with ransomware attacks or stand-alone.”

According to Allianz Risk Barometer respondents, a data breach is the exposure that concerns companies the most (53%). Data privacy and protection is a critical risk that is intensifying – IBM’s The Cost of a Data Breach Report states the average cost from such incidents reached an all-time high in 2022 of $4.35mn and is expected to surpass $5mn in 2023. [2]

Regulators are getting tougher on companies with insufficient security measures to protect data. In 2019, British Airways received a £183mn ($222mn) fine from the UK’s Information Commissioner’s Office (ICO) after data on 500,000 passengers were stolen. The fine was reduced in 2020 to £20mn [3] on appeal.

Last year, two cases in the US sent a warning to directors and senior executives who fail to deal adequately with cyber breaches. In October, a former chief security officer of a mobility firm was found guilty of trying to cover up a cyber security incident [4]. This is believed to be the first time a US company executive has been criminally prosecuted over a cyber breach. The executive faced a prison sentence of up to eight years for obstruction of justice and deliberate concealment of a felony.

Also in October, the Federal Trade Commission (FTC) announced action against the CEO of an online drinks delivery business over security failures that led to a cyber breach exposing personal information on 2.5mn customers. [5]

With regulators and prosecutors becoming more stringent, large companies are boosting investments in cyber security. Enhanced security is forcing hackers to seek victims in smaller and mid-sized companies, where weaker controls can make them easy targets.

Once a personal data breach occurs, the clock starts ticking. Under the European General Data Protection Regulation (GDPR), companies must report a breach within 72 hours of becoming aware of it. The ICO imposes the same timeframe in the UK.

In the US, it has been less clearcut with a patchwork of jurisdictions meaning, in some cases, data breaches could be reported within 60 days. However, last year President Biden signed new federal data-breach reporting legislation [6]. This could tighten the notice to report such incidents to the Department of Homeland Security to within 72 hours after one occurs.

The US FTC advises on the critical steps companies should take after discovering a data breach, as does the UK ICO. The EU provides guidelines for who needs to be notified and when, including other affected companies and individuals.

However, within these steps, a flurry of complex actions must be taken. The most critical is to mobilize the cyber incident response plan. “A cyber crisis is one of the toughest incidents to deal with,” says Daum. “It is not like a natural disaster or when a factory burns down. If you are hit by an encryption and ransomware attack, you can suffer a business interruption that is global. Also, you are dealing with criminals and their specific behavior is hard to predict.”

The application of double extortion has become widespread, which expands the dimensions of complexity further, adds Daum. Double extortion combines the encryption of data, systems, or back-ups with the threat to release sensitive data.

Kroha says one of the most important things a company should do is secure expert assistance – both after and before a cyber attack.

“It is increasingly difficult for companies to have the expertise necessary to handle a cyber crisis in-house,” Kroha explains. “The shifting nature of the crime creates a dynamic threat environment that can be difficult to stay on top of. While many large and mid-sized companies are often well prepared for traditional risk scenarios, some have never properly thought through a cyber crisis management plan.”

A significant breach would mean a company will want to call on their cyber security cover, so insurance contacts should be looped in as soon as possible. External experts can then provide specialist advice depending on the nature of the incident. AGCS has a global network of partners that offer assistance to insureds when a cyber incident occurs. These include incident response services such as IT forensic services, forensic accounting, public relations, crisis communications, response advice on cyber extortion, and breach coach or legal services. A breach coach is typically an attorney who specializes in data privacy and cyber security. Often companies are overwhelmed by the situation, and a breach coach can help steer them through the crisis in a structured manner to limit damage.

Rishi Baviskar, Global Head of Cyber Risk Consulting at AGCS, says: “Each cyber attack is unique.” According to Baviskar, one essential component a response team must oversee is a comprehensive communications plan that reaches all affected audiences – employees, customers, investors, business partners, and other stakeholders. Such a plan needs to anticipate questions people will ask.

“Mishandling communications around a breach can contribute significantly to the reputational fallout around an incident, including a plummeting share price,” says Baviskar.

Norsk Hydro, one of the world’s largest aluminum producers, suffered a cyber attack in March 2019 after ransomware encrypted files stored on all systems. Hackers demanded bitcoins to unlock the data. Yet, despite the severity of the breach, the share price of Norsk Hydro rose in the following weeks as the company battled to rectify the damage.

“Norsk Hydro refused to pay,” Baviskar explains. “What was appreciated by the market was the transparency and openness of the company because it contrasted starkly with the secretive responses of many companies after being hacked. Trust was maintained, and the share price increased in response to the incident.”