2017 has provided a steady and impressive litany of data breach victims, even as CFOs are increasing spend on IT security technology to prevent incidents.
In a recent article published on cfo.com, Rotem Iram, founder and CEO of CyberJack, a cyber insurance company, advises CFOs to approach cyber risk through the lens of damage mitigation, not just prevention.
While the drivers of data breach costs can sometimes be unexpected, they are not random. Here are six lessons CFOs can learn about breach costs and how to keep them down:
- You can’t lose what you don’t have. Simply put, you can’t lose a customer’s (or employee’s) data if you don’t have it. While this may seem obvious, it’s not trivial. In 2015, the health insurer Anthem and its affiliates served 69 million customers, yet when they were breached that year, they exposed 78 million records. The extra nine million records most likely come from former customers. Each of these individuals had to be notified and offered credit monitoring, driving up costs. The first lesson: You can potentially dramatically reduce your exposure by destroying records of past customers.
- You can’t mail letters if you don’t have an address. In the event of a breach, companies are typically required to notify affected individuals via old-fashioned paper “snail mail.” But they can use alternative methods of notification, such as email or a public announcement, if they do not have a valid mailing address. Physical, written notifications can cost up to $2 per person, and the cost quickly adds up. It may be worth asking twice what the business need for those customer addresses is, and considering not capturing them in order to reduce exposure to notification requirements.
- You say it wasn’t a breach, but can you prove it? To avoid notification, companies must prove that, even if they were attacked, no records were improperly accessed. To do so, they use system logs, which keep track of user activity and show who accessed which records, and when. Unfortunately, many companies don’t activate their systems’ logging or don’t configure it properly. Without logs, a company may be forced to assume a breach occurred because it cannot prove otherwise. CFOs don’t have to be network experts to ask, “Do we have sufficient logging enabled to prove whether personal records have been accessed?”
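To make the logging question concrete, here is an added example (not from the article or from CyberJack) of the two answers an incident reviewer needs from a record-access audit log: which records a given account touched during the incident window, and which periods have no log coverage at all, where nothing can be proved either way. The log format and sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format: ISO timestamp, user, action, record id).
SAMPLE_LOG = """\
2017-06-01T09:00:12Z user=alice action=read record=cust-1001
2017-06-01T09:05:40Z user=alice action=read record=cust-1002
2017-06-01T11:20:03Z user=svc-batch action=read record=cust-2001
2017-06-01T23:58:01Z user=bob action=export record=cust-1001
2017-06-02T00:15:30Z user=bob action=export record=cust-1003
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) record=(\S+)$")


def parse_log(text):
    """Parse audit lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m.group(2),
                       "action": m.group(3), "record": m.group(4)})
    return events


def records_touched(events, start, end, users=None):
    """Map record id -> set of (user, action) seen in [start, end],
    optionally restricted to a set of users (e.g. a compromised account)."""
    touched = {}
    for e in events:
        if start <= e["ts"] <= end and (users is None or e["user"] in users):
            touched.setdefault(e["record"], set()).add((e["user"], e["action"]))
    return touched


def logging_gaps(events, start, end, max_silence):
    """Return (gap_start, gap_end) spans inside [start, end] with no events for
    longer than max_silence. Silence may be real inactivity or logging that was
    off; either way the company cannot prove what happened during that span."""
    gaps, prev = [], start
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ts"] < start or e["ts"] > end:
            continue
        if e["ts"] - prev > max_silence:
            gaps.append((prev, e["ts"]))
        prev = e["ts"]
    if end - prev > max_silence:
        gaps.append((prev, end))
    return gaps
```

Run against a real system's logs, an empty result from records_touched is only meaningful if logging_gaps is also empty for the same window.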
- You can’t stop credit card fraud after a breach. For breaches that involve credit card data, reimbursing card companies for fraudulent transactions can amount to a staggering cost. New chip cards are designed to reduce fraud, and early data show they are having the intended effect. While there are many considerations for companies transitioning to chip cards, CFOs should factor reduced damages from data breaches into their cost-benefit calculations.
- If you’ve never done this before, get help from someone who has. Your breach response effort is not a good time to reinvent the wheel. Missteps happen fast and have serious consequences. One example is customer communications. After a breach, the pressure to communicate quickly with customers can be intense. But ineffective communications can cause panic, dramatically increasing the rate at which customers phone into call centers and sign up for credit monitoring. Data breach specialists, such as PR consultants or data privacy lawyers, often have seen as many as hundreds of data breaches and are highly practiced at helping you craft a genuine story that keeps confusion – and costs – down.
- You are going to be investigated by regulators. In the wake of a breach, a company may be investigated by a number of regulatory agencies. While it’s not guaranteed to occur, it is likely, and there are simple steps you can take to prevent sensational fines if it does. To start, CFOs should be strong advocates for implementation of the security controls recommended by external auditors or by regulators themselves.
While the costs of a data breach can vary widely on a case-by-case basis, CFOs who understand the drivers behind the expense will be better positioned to take the steps needed to protect their organisation when the unfortunate – but inevitable – happens.