Cybersecurity – it’s a top concern that’s only getting bigger for risk experts, but corporations across the board are still failing to put words into action. With increasing likelihood of a surge in data-breach litigation in the US, and General Data Protection Regulation (GDPR) looming over Europe, risk managers have new tools to put incident-response planning at their fingertips.
Risk experts across 80 countries ranked cyber incidents the second most significant risk to business in Allianz’s Risk Barometer 2018. The threat isn’t over-hyped – according to research firm Ponemon, the average cost of a data breach in the US soared to US$7.35m last year.
Yet the vast majority of companies don’t have a cyber incident response plan in place. Fewer than a third of respondents in a new Marsh and Microsoft survey said they had a plan, despite identifying cyber security as a top risk.
“The reality is that small, medium, and large businesses still don’t have plans in place,” says Steve Anderson, vice president and product executive of privacy & network security at QBE North America. “It is amazing how often I come across corporations in all three of those buckets and they don’t even have a plan. There’s a lot of talk, but there still aren’t a lot of buyers and insureds that have the proper framework in place from a risk management perspective.”
External support services and insurance companies are continuing to develop their offerings to risk managers in the cybersecurity space, but aren’t finding too many companies with plans to improve upon. “[Corporations] haven’t even gotten to the point where they need to revise [their cyber incident response plan] or add to it, because they don’t even have it,” says Anderson. “The hurdle isn’t for us to say you need to add these specifics, the challenge is just to have a plan in place.”
Flashpoint: Litigation landmines
Regulatory and judicial bodies across North America and Europe are primed to hit companies hard in the aftermath of data breaches this year. Historically, lawsuits filed against US companies whose data had been stolen haven’t been ruled on consistently. That’s because the plaintiffs have had trouble proving that data breaches caused sufficient injury-in-fact. But recent court decisions point to signs of change.
For example, a 2015 decision involving retailer Neiman Marcus determined that the fear of future harm caused by the breach was sufficient for data breach claimants to establish standing. The company ultimately settled and paid a fine of US$1.6m. A growing number of US courts have reached that conclusion, as the consequences and lasting damages following data breaches become more widely recognised. The recent trend poses a risk to corporations as plaintiffs’ counsel are inspired by higher chances of success in class-action lawsuits, according to a white paper released by QBE.
In Europe, GDPR is set to take effect in just a few months’ time. The regulations will apply to companies anywhere in the world handling data of people living in the EU. “GDPR is changing things,” says Anderson. “Now we’re going to have to be one big happy family.” He predicts that the regulators will be keen to slap a fine – up to 4% of worldwide annual revenue or US$23.8m – on the first company to slip up. “Those are [the companies] that the commission is going to go after – large US multinationals that they can make an example of early on.”
Cyber planning made easy
With frequency and severity of data-breach litigation on the rise, risk managers have yet another reason to put a cyber incident response plan into place. For risk managers still struggling to implement comprehensive cyber response plans, carriers are offering new tools with added ease and flexibility.
One such product is Breach Connect, a cloud-based product that QBE just announced will be included in its cyber policies. The tool was designed with the goal of making the development of a cyber response plan as painless as possible for risk managers. “It simplifies the process,” says Anderson. “In the past, [risk managers] would hire a consultant and go through weeks of interviews and thousands and thousands of dollars.”
The tool gives risk managers access to customizable plans anytime, anywhere, from any device. “They can make it as complex or as simple as they want,” says Anderson. “At the minimum, it creates a basic framework.”