Data breaches – what are the costs?
Do you have a cyber insurance policy for your business? Guest blogger Tom Pelham, a Partner at global law firm Kennedys, discusses the costs of data breaches and the importance of having cyber insurance in place.
Data breaches, where a breach of security leads to a third party having access to confidential personal or commercial data, are something we’re seeing increasingly in the news.
The National Cyber Security Centre has reported that seven of the UK’s biggest banks suffered cyber attacks last year, costing hundreds of thousands of pounds, and criminal cyber attacks on UK businesses increased in 2017. Businesses are becoming more and more aware of the threat of cyber risks and it’s important to know the costs involved and how an insurance policy can help.
The cost of responding to cyber breaches can be surprisingly high due to the number of professional teams involved in managing the response and the wider exposures that arise. Firstly, a legal team will need to investigate what has happened and what data has been lost. They can offer advice and notify affected customers and the Information Commissioner’s Office (ICO) - the UK's independent body set up to uphold information rights. They can also help with any future litigation such as defending third-party claims and dealing with recovery actions. The amount of legal assistance required depends on the severity of the breach, but the legal costs for dealing with major breaches can easily run into tens of thousands of pounds.
In the meantime, an IT forensics team will need to deal with backups, data recovery, securing the infrastructure and providing technical details of the breach to the ICO, all of which could easily cost up to £15,000. A PR team could also be needed to help manage the media response, advise on future reputational management and help with internal messaging to reassure staff. In the context of a major data breach, that advice could easily cost up to £10,000.
However, the costs of dealing with a data breach do not stop at employing a breach response team. Customer gestures (which are offers made to affected customers) are another expense to consider, as they can help to protect data subjects from fraud and persuade customers that you are taking the data breach seriously. Businesses might need to offer dark web and credit monitoring, discounts, free upgrades or experience enhancement after a breach. Businesses often choose to offer dark web and credit monitoring tokens to those affected, but those typically cost around £10 per customer who takes up the offer.
In large data breaches, businesses can spend hundreds of thousands of pounds trying to protect customers who are at risk of fraud following the breach. Then there is the inevitable business interruption caused by the lull in customer confidence and the shift in focus to deal with the breach as opposed to progressing the business and generating income. Finally, GDPR introduces the prospect of affected data subjects bringing group actions against the organisation that has lost the data. These exposures can quickly exceed the response costs.
As the combined costs of dealing with the aftermath of a major cyber breach frequently add up to close to £1 million, cyber insurance is something that can’t be ignored. One of the greatest benefits of a cyber policy is that it comes with access to a 24/7 breach response team, to help insureds contain and deal with the potential fallout from an attack. Cyber breaches are potentially extremely expensive for businesses, so cyber security and effective risk management must be a priority, whatever the size of the company.
Tom Pelham specialises in cyber and defendant professional indemnity, with a particular focus on defending professionals from the cyber, technology and media fields. Visit www.kennedyslaw.com for more information.