Data breaches are one of the most significant cyber threats organizations face, but when they occur, many businesses do not respond in a manner that reassures their clients or the regulators. What can companies do to ensure their response is robust in the crucial aftermath of an incident?
By Rishi Baviskar, Global Head of Cyber Risk Consulting at Allianz Global Corporate & Specialty (AGCS) and Michael Daum, Global Head of Cyber Claims at AGCS
Following a cyber breach, there is a critical moment – perhaps only a few minutes or maybe an hour or two at most – when the decisions made will significantly influence the outcome. For the damage to be kept to a minimum, those making the decisions need a thorough understanding of what is likely to happen and what is at stake.
A company must be meticulously prepared for a serious breach, with a cyber incident response organization and plan in place. This includes exercising critical scenarios in advance and having a trained team who clearly understand their roles and responsibilities.
Plans are important, but exercises are critical because even the best plans cannot replace a well-prepared team. Plans must be practiced to ascertain their effectiveness in a real-life incident.
The growing number of cyber incidents remains the most significant concern of companies for a second year in succession, according to the annual Allianz Risk Barometer. In the 2023 report, 34% of the responses from more than 2,700 experts around the world ranked cyber incidents as the greatest risk their companies face. In particular, we are seeing increasing cases of data breaches, either with ransomware attacks or stand-alone.
According to Allianz Risk Barometer respondents, a data breach is the exposure that concerns companies the most (53%). Data privacy and protection is a critical risk that is intensifying – IBM’s The Cost of a Data Breach Report states the average cost from such incidents reached an all-time high in 2022 of $4.35mn and is expected to surpass $5mn in 2023.
Regulatory pressure ramps up
Regulators are getting tougher on companies with insufficient security measures to protect data. In 2019, British Airways received a £183mn ($222mn) fine from the UK’s Information Commissioner’s Office (ICO) after data on 500,000 passengers was stolen. The fine was reduced in 2020 to £20mn on appeal.
Last year, two cases in the US sent a warning to directors and senior executives who fail to deal adequately with cyber breaches. In October, a former chief security officer of a mobility firm was found guilty of trying to cover up a cyber security incident. This is believed to be the first time a US company executive has been criminally prosecuted over a cyber breach. The executive faced a prison sentence of up to eight years for obstruction of justice and deliberate concealment of a felony.
Also in October, the Federal Trade Commission (FTC) announced action against the CEO of an online drink delivery business over security failures that led to a cyber breach exposing personal information on 2.5mn customers.
With regulators and prosecutors becoming more stringent, large companies are boosting investments in cyber security. Enhanced security is forcing hackers to seek victims in smaller and mid-sized companies, where weaker controls can make them easy targets.
When the unthinkable happens
Once a personal data breach occurs, the clock starts ticking. Under the European General Data Protection Regulation (GDPR), companies must report a breach within 72 hours of becoming aware of it. The ICO imposes the same timeframe in the UK.
In the US, the picture has been less clear-cut: a patchwork of jurisdictions means that, in some cases, data breaches could be reported within 60 days. However, last year President Biden signed new federal data-breach reporting legislation. This could tighten the deadline for reporting such incidents to the Department of Homeland Security to within 72 hours of one occurring.
The US FTC advises on the critical steps companies should take after discovering a data breach, as does the UK ICO. The EU provides guidelines for who needs to be notified and when, including other affected companies and individuals.
Mobilize the breach response team
However, within these steps, a flurry of complex actions must be taken. The most critical is to mobilize the cyber incident response plan. A cyber crisis is one of the toughest incidents to deal with. It is not like a natural disaster or when a factory burns down. If you are hit by an encryption and ransomware attack, you can suffer a business interruption that is global. Also, you are dealing with criminals and their specific behavior is hard to predict.
The application of double extortion has become widespread, which expands the dimensions of complexity further. Double extortion combines the encryption of data, systems, or back-ups with the threat to release sensitive data.
One of the most important things a company should do is secure expert assistance – both before and after a cyber attack.
It is increasingly difficult for companies to have the expertise necessary to handle a cyber crisis in-house. The shifting nature of the crime creates a dynamic threat environment that can be difficult to stay on top of. While many large and mid-sized companies are often well prepared for traditional risk scenarios, some have never properly thought through a cyber crisis management plan.
A significant breach would mean a company will want to call on their cyber security cover, so insurance contacts should be looped in as soon as possible. External experts can then provide specialist advice depending on the nature of the incident. AGCS has a global network of partners that offer assistance to insureds when a cyber incident occurs. These include incident response services such as IT forensic services, forensic accounting, public relations, crisis communications, response advice on cyber extortion, and breach coach or legal services. A breach coach is typically an attorney who specializes in data privacy and cyber security. Often companies are overwhelmed by the situation, and a breach coach can help steer them through the crisis in a structured manner to limit damage.
Clear communication is key
Each cyber attack is unique. One essential component a response team must oversee is a comprehensive communications plan that reaches all affected audiences – employees, customers, investors, business partners, and other stakeholders. Such a plan needs to anticipate questions people will ask.
Mishandling communications around a breach can contribute significantly to the reputational fallout around an incident, including a plummeting share price.
Norsk Hydro, one of the world’s largest aluminum producers, suffered a cyber attack in March 2019 after ransomware encrypted files stored on all systems. Hackers demanded bitcoins to unlock the data. Yet, despite the severity of the breach, the share price of Norsk Hydro rose in the following weeks as the company battled to rectify the damage.
Norsk Hydro refused to pay. What was appreciated by the market was the transparency and openness of the company because it contrasted starkly with the secretive responses of many companies after being hacked. Trust was maintained, and the share price increased in response to the incident.
Crisis communications checklist
As well as your legal reporting requirements, timely and transparent communication with stakeholders after a breach is essential if you want to limit damage to your business activities and reputation.
A crisis communications plan should be part of your cyber incident response plan, comprising a list of contacts, urgent tasks and appointed people to oversee them – including a senior communications spokesperson – with pre-prepared statements drafted (and tested) for several scenarios.
Here’s a checklist of what to consider when compiling a cyber crisis communications plan:
Who do you need to inform? As well as relevant authorities, this could be your customers, shareholders, employees, external contacts, the public, media, your lawyers, professional organization, insurer. Establish various communications streams to help steer target groups towards regular updates.
What is the purpose of the communication? It could be to provide reassurance, information on remedial measures, an apology, or a statement to pre-empt inaccurate coverage elsewhere.
How can you allay customers’ fears? Show victims of the breach empathy and a readiness to offer solutions. When you are able to, communicate the mitigation steps you are taking and keep customers informed. Give them guidelines on how they may have been affected by the breach and what action they can take to protect themselves, such as changing passwords or checking emails for malware.
How can you reassure employees? Communicate quickly on multiple channels to put their minds at rest and arm them with the actionable information they need. Keep them updated. Similarly, provide any details that might be needed by your suppliers, consultants, investors, and staff representatives or unions.
How should you communicate with business partners? Time is of the essence to allow them to take action to protect themselves. This could involve regular calls and updates so partners can ask questions or delve into details. Consider dedicating named staff to critical business partners to ensure they are kept fully informed.
What are the best platforms or channels? Consider the regional, national or international press, trade journals/websites, email, social media, printed letters, webcasts.
Who should the communication come from? It could be the CEO, the chief information officer, chairman, head of IT, or customer services director.
What kind of language should you use? Keep the tone of your notifications friendly, non-alarmist and factual; decide how many languages you need to communicate in.
What will you do if your digital channels are unavailable? Consider keeping pre-prepared materials in cloud-based back-ups or even hard copies of statements.
About the Authors
Michael Daum is Global Head of Cyber Claims at Allianz Global Corporate & Specialty (AGCS). Based in Munich, he was previously Deputy Practice Leader and Senior Underwriter for Cyber at AGCS.
Rishi Baviskar is Global Cyber Experts Leader, Risk Consulting at Allianz Global Corporate & Specialty. Baviskar has experience working within the IT field for large oil, gas, automotive and pharmaceutical companies. In his previous roles, he has worked across all levels of process development, ranging from onsite engineer to the design and implementation of cyber security policies.
Rishi and Michael can be reached online at Rishi.Baviskar@agcs.allianz.com and Michael.Daumand@agcs.allianz.com and at our company website www.agcs.allianz.com.