After an organisation’s network is breached, putting out the flames is just the first step in a long, painful and costly journey to recovery.
There’s still the wreckage to sift through, investigators to perform analyses, insurance claims and, of course, a business to reconstruct and secure. It isn’t business as usual once operations are restored; a breach can plague an organisation for years.
As soon as a data breach is revealed, its impact on stock price and earnings is clear. On the same day that news of the Equifax data breach broke last September, the company stock price dropped five per cent - the average day one decline identified by a 2017 Centrify-commissioned Ponemon study on the impact of data breaches. Equifax’s stock price dropped 13-14 per cent the next day.
This correlation between a reported data breach and a decline in company value is of particular relevance in Australia, where its Notifiable Data Breach legislation took effect in February this year.
In the first six weeks of the law, the Office of the Australian Information Commissioner reported that it received 63 notifications of data breaches, with healthcare providers making up almost a quarter of the mandatory notifications. Finance institutions composed 13 per cent of those reports.
But problems don’t stop there. In the months following a breach, litigation notices arrive, kicking off a process that could drag on for years. In just the past two years, organisations in the US paid nearly US$370 million to settle data breach lawsuits. Among them were two settlements totalling nearly US$45 million by Home Depot, and a US$28 million settlement by the poster-child of data breaches, Target.
But the largest class action lawsuit in history belongs to Yahoo! A week after it announced a 2014 data breach had compromised the private information of 500 million users, attorneys filed a negligence lawsuit against the tech giant for failing to protect consumers. The potentially devastating effects from the loss of personal information can mean huge settlements for victims.
Then shareholders arrive with flaming torches. Investors are increasingly looking to hold company directors and officers accountable for breaches, citing violation of fiduciary duty, waste of corporate assets, and gross mismanagement.
This investor discontent is evident in Australia in angry shareholder responses to the disturbing revelations emerging from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Shareholder lawsuits are a red flag for company directors, a warning that they must keep on top of cybersecurity issues. This type of litigation is likely to attract increased legal scrutiny as lawyers seek to capitalise on the chronic cybersecurity risks faced by companies.
After a data breach, companies may find that cyber insurance is not the panacea they hoped for.
As data breaches occur with increasing frequency, insurance companies are looking to cash in on what could be a multi-billion-dollar market. But it’s a new frontier and the industry is grappling with the fact that a single vulnerability could trigger billions of dollars in losses. So buyer beware!
For organisations that go this route, it’s not always clear what such coverage entails, where existing liability policies end and cyber insurance begins, and whether they’re comprehensive in terms of exposure.
After Sony went to court to force its insurers to cover the PlayStation Network breach, a judge ruled that the policy covering the “publication” of private information could not be triggered by hackers. The parties eventually settled out of court before an appeals panel ruling.
There will certainly be more litigation over what is and isn’t covered in the future.
Given the huge financial and reputational cost of recovering from a data breach, company directors and executives are well served by allocating the appropriate attention, resources and budgets to securing their corporate cyber defences.
Defending the network borders has not worked for years - as demonstrated by the breaches cited in this column - so organisations need to completely rethink their approach to security.
With the ubiquity of mobile access, cloud services and distributed enterprises, the foundation for protecting your business needs to be identity and access management rather than network firewalls.
Increasingly, cybersecurity companies are advocating a model of Zero Trust Security, which assumes that users inside a network are no more trustworthy than those outside the network. By verifying every user, validating their devices, and limiting access and privilege, Zero Trust Security both reduces the risk of a data breach occurring and enables organisations to contain its impact if one does occur.
Cybersecurity clearly shows the wisdom of the saying “an ounce of prevention is worth a pound of cure”.