If there is one risk that keeps U.S. business leaders up at night, it could very well be the risk of cyber attacks and the effect they would have on their businesses.
The World Economic Forum’s Global Risk Report 2016, released in January, confirmed this apparent insomnia. In a survey by the organization, executives from around the world were asked to identify the five global risks about which they were most concerned within the next 10 years, choosing from the set of 28 global risks presented in the previous year’s report.
In the United States, the top risk cited by executives was cyber attacks. Not far behind was data fraud or theft.
What is it about cyber security that has business leaders so worried?
There are three key factors that keep cyber on the minds of executives: rising costs, headlines and government regulations.
Rising cost of cyber
The cost of data breaches continues to rise in the United States as well as the rest of the world.
In its most recent “Cost of a Data Breach Study,” the Ponemon Institute surveyed 350 companies in 11 countries, and the research revealed that the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in 2015.
The Ponemon Institute further identified three distinct areas that contribute to the rising costs of data breaches:
- Cyber attacks have increased in frequency and in the cost to remediate the consequences. The cost of data breaches because of malicious or criminal attacks has increased, and this root cause now makes up 47% of all data breaches.
- The consequences of lost business are having a greater impact on the cost of data breach. The cost increased from a total average cost of $1.33 million last year to $1.57 million in 2015. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.
- Data breach costs associated with detection and escalation increased. These costs typically include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.
A major data breach can dominate news headlines for weeks and deal a direct blow to a company’s reputation. It has been said that for any business that wants to be recognized in the marketplace, there is no such thing as “bad” news, but executives whose companies have been victimized by a large data breach would likely disagree. U.K.-based fraud prevention company Semafone last year found that a majority of people would not do business with a company that had been breached, especially if it had failed to protect its customers’ card data. In the survey, 86% of 2,000 respondents said they were “not at all likely” or “not very likely” to do business with an organization that had suffered a data breach involving credit or debit card details.
Of course, one of the main reasons these data breaches make headlines is that U.S. companies are required by law to disclose when a data breach has occurred. Forty-seven states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information. These security breach laws typically have provisions regarding who must comply with the law, definitions of “personal information,” what constitutes a breach, requirements for notice and exemptions.
U.S. executives were not alone in their concern about cyber attacks. According to the survey, executives in seven other countries said that cyber attacks are the risk of highest concern: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore and Switzerland. Government entities in at least two of the countries surveyed have recently been disrupted by cyber attacks: the U.S. Office of Personnel Management and the Japanese Pension Service. The 2015 Fortune 500 CEO survey found that cyber security came second when CEOs were asked about their companies’ biggest challenges.
This concern about cyber security is likely to spread throughout the European Union in the coming years. The EU is expected to adopt the General Data Protection Regulation early this year, and it will take effect in 2018. That will give businesses time to comply with the regulations, which include:
- Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach;
- Firms handling significant amounts of sensitive data or monitoring the behavior of many consumers will be required to appoint a data protection officer;
- Fines of up to €20 million or 4% of a company’s global revenue for non-compliance;
- More rigorous requirements for obtaining consent for collecting personal data; and
- Requiring a company to delete data if it is no longer used for the purpose it was collected.
Protection and resiliency
It is clear by now that business executives around the globe should be concerned about cyber attacks and the impact they could have on their businesses. The risk of having security and privacy data lost or stolen has grown exponentially in recent years, largely because of the increased use of the Internet and the ways in which people, businesses and even things are interconnected.
Businesses know now that they cannot hope to prevent all cyber attacks. Given the types of vulnerabilities used by attackers and their methods, many attacks and intrusions are not immediately discovered — some are recognized only months and in some cases years later.
Therefore, the emphasis needs to be on streamlining mechanisms for early detection, response and recovery, to mitigate and better manage the consequences — limiting the damage and ensuring business continuity. Business leaders must develop a mindset of resiliency.
Having a data security response plan in place is critical. Strong security and breach detection is the baseline. But management should encourage a mindset of resiliency at every level — from the mailroom to the boardroom. They should also look beyond their own walls and collaboratively vet the security controls and business continuity plans of vendors and other third-party providers they depend on.
The companies that have identified all the possible risks and have an action plan for these scenarios will prove the most resilient and quickly return to meeting the expectations of their customers and their shareholders.
Lori Bailey is the global head of special lines for Zurich General Insurance.