A Thinking Business Publication
The average cost of a data breach continues to escalate over time, with the latest figures from IBM putting the typical cost of such events at $4.35 million in 2022, which is a 13 per cent increase on the $3.86 million typically incurred by a breach in 2020.
These costs are escalating as a result not only of more aggressive regulatory enforcement action pushing up the scale of fines, but also of the longer term impacts seen as a result of reputational damage, business interruption, litigation claims and remedial action.
“One reason it is so important to invest in cyber security and cyber resilience is because of the costliness of a breach,” says Charlotte Clayson, partner in the dispute resolution team at Trowers & Hamlin. “It may seem like a large cost upfront but it will save you money in the long run. By putting in place the relevant policies, protocols and firewalls to prevent attacks, you create a much better cyber preparedness picture, and that is becoming a real cornerstone of focus for investors, employees and customers.”
Clayson says that with data now the currency of life, all stakeholders are paying much more attention to the cyber awareness of businesses and want to make sure that their information is properly protected and secure. Particularly younger generations are viewing cyber as part of the social element of ESG, considering proper cybersecurity to be a key pillar of businesses doing the right thing. This makes proper investment in cybersecurity even more important in the context of attracting and retaining customers and the next generation of employees.
“Employees and customers have a lot of choice,” says Clayson, “and the long-term damage to the reputation of a business caused by a cyber attack can be felt in its ability to attract new talent, new investment or new recruits. These things can really add up, and with trust now such a central element of people’s interactions with employers and brands, people want to know their personal data is being looked after.”
These more enlightened stakeholders are also quick to take action when things go wrong. “We are seeing an increasing number of litigation claims and threatened claims coming into businesses immediately after a cyber breach,” says Clayson. “People are looking for some kind of compensation in the event of even a trivial breach, and while those claims can often be easily pushed back on, they do take additional resource out of an organisation at a critical time for cyber response.”
The scale of the fines being meted out by the Information Commissioner’s Office in the UK continues to grow. The ICO now has the power to issue companies with a fine equivalent to four per cent of their annual turnover, with some of the biggest fines in recent years including a £20 million bill to British Airways and an £18.4 million fine to Marriott Hotels in 2020, plus the £7.5 million fine handed out to Clearview AI earlier this year.
The regulator has spoken a lot about the kinds of things they now expect businesses to routinely have in place to tackle cyber risk, which include secure technology platforms, multi-factor authentication – particularly where people are working remotely – and strong firewall capabilities. In addition, businesses should put a lot of resource into ensuring they have the correct policies and procedures in place and properly train staff, while fundamentally ensuring they maintain a comprehensive understanding of where they are most at risk and why.
Matt Whelan, an associate in the firm’s corporate commercial department, says: “One of the key risk areas for cybersecurity is in the supply chain – a vulnerability that is often overlooked because you are only as strong as your weakest link. If you are really secure as a company but your payroll provider is not, there is no point in being cybersecure because if they have access to your system they can give a hacker a route in. Often people just need to take a wider view of cyber resilience.”
The regulator is taking a risk-based approach to enforcement, taking into account the size of a business and the resources it has and not expecting everyone to invest in the same level of security as a Google or an Amazon. “Businesses need to appreciate that they are not all being asked to do the same thing,” says Clayson. “But everybody does need to invest in identifying where their risks are and then include cybersecurity and data breaches in any risk register so that they are reported on regularly. These are key risks for any business.”
A growing area of exposure for companies comes from ransomware, which is now the biggest online threat to the UK whereby cyber criminals encrypt an organisation’s files and then demand money in exchange for returning access to them. Ransomware now accounts for one in 10 data breaches worldwide, with the advice from authorities being not to pay ransom demands.
John Edwards, the UK Information Commissioner, recently said: “We’ve seen cyber-crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.”
Clayson says it is important to remember that ransomware attacks happen not because of the existence of particularly valuable data, but because of poor cybersecurity: “You will become the victim of an attack not because you have interesting information but because they can exploit a weakness in your systems and use that to extort money from you,” she says.
The advice to businesses is therefore to be prepared for when, and not if, they are a victim of an attack, especially at the moment as the outbreak of war in Ukraine has given rise to a spike in cybercrime.
Whelan says: “First, review what data you have and what activities you are undertaking that could give rise to vulnerabilities. That will establish what level of cybersecurity you need, and then you can make sure you have the technology in place, and the training, to make sure everyone is on the same page in terms of understanding where the risks lie. In procurement processes, that means you need to think about what questions you should be asking and make sure they are properly addressed.”
From a practical point of view, Clayson argues there are some low cost easy steps that can be taken to both reduce the chances of an event occurring and show a regulator you are taking the issue seriously.
“A business that does not perhaps have the best security but is well-prepared to respond to a breach will be in a much better position,” she says, advising firms to have clear action plans ready to go, with key advisers on speed dial, so that the business can quickly kick into gear if it becomes necessary to manage the fallout from a cyber-attack.
“That’s an easy win because the faster you can deal with an attack and start to mitigate risk, the better,” says Clayson. “The first 24 hours after a breach are critical and if you can take good solid steps so that you are not panicking and broader business disruption is minimised, then you can set yourself up well.”
What is clear is that investing mindfully in cybersecurity has the ability to shore up the bottom line and minimise the impact of economic fallout, making it money well spent.
