August 2, 2018

The Cost of Breach Response

Welcome to Part 3 of our Breach 101 Blog Series: The Cost of Breach Response

Upon learning about a potential cyber attack or data breach, a company is faced with a to-do list that seems infinitely long. The company needs to identify the vulnerabilities that led to exposure and take necessary, reparative steps for mitigation.

The incident must also be communicated to regulators and stakeholders. Those costs add up quickly. Last year, the price tag for a cyber breach reached an all-time high, with the average cost rising from $217 million to $221 million. And, when not handled properly, these compliance costs are key drivers of the non-compliance costs we’ve been discussing here – from regulatory fines to legal costs.

Here are a few of the major cost drivers:

  1. Finding and Fixing the Specific Vulnerability

     Identifying your company’s security vulnerabilities is critical after a cyber-attack. Some can be quickly identified. Others, however, like accidental exposure due to human error, may be harder to determine.

     Once the cause of the breach has been identified, immediate action must be taken to secure it. The fix can be as straightforward as implementing new employee privacy policies or as in-depth as overhauling entire data processing systems. Typically it is more complicated than expected, costing valuable time and money until everything is back in working order.

  2. Understanding the Impact

     In addition to knowing what went wrong and how to fix it, the breached company needs to figure out what information and data was improperly accessed, copied, or exfiltrated; who was impacted by the unauthorized activity; and what notification agreements and expectations are in place. This is critical for the disclosure process. Companies face the most heat if this information needs to be corrected down the road. It can require additional notification costs, not to mention a major hit to customer trust.

  3. Customer Notification

     In the United States there are federal and state laws that dictate when and how a company must notify its affected customers after a data breach. At the national level, this notification must be done within 60 days of when the incident is discovered. However, these laws dictate only the bare minimum of notification. Beyond the legally required letter to customers that states the details of the breach, companies can also provide subsequent updates, create and maintain breach-specific websites, and, depending on the nature of the breach, go so far as to set up temporary call centers to handle any incoming questions. Along with the direct costs necessary to fund these efforts, there are also costs associated with the amount of time they take.

  4. Long Term Planning

     While fixing the immediate causes of a data exposure is necessary to prevent a repeat of the same incident, it doesn’t ensure that the company is completely safe from all cyber threats. Working with their breach coaches, a company should conduct a full audit of all potential vulnerabilities and take the steps necessary to prevent future exposure. Additionally, the organization should take time to analyze what it learned from the initial event and channel that into a response plan that will dictate the handling of any future incident.

This is the third blog in our Breach 101 Blog Series: “The Cost of Non-Compliance”. The other posts explore costs associated with government fines, legal fees, reputational implications, and stock prices.

Top Takeaway for Individuals:

If your personal or financial information was compromised in a data breach, the organization is legally obligated to notify you. Be mindful that laws dictating the steps a company must take may vary between states, so it is not always immediately clear when that notification will happen. Staying aware and being proactive is vital to protecting your sensitive information. Signing up for identity monitoring services helps ensure your personal information is protected, and that you will be notified immediately if it is found to be exposed.

Takeaways for Companies:

The cyber incident response process is even more costly when the company does not have a cyber security firm on speed dial with knowledge of the IT and data systems in place. Likewise, failure to plan from a communications perspective means that a company is starting from ground zero in its understanding of the disclosure and stakeholder communications process. However, proper preparation can ensure that these costs are less of a shock. Effective plans, coupled with the guidance of a breach coach, can also mitigate risk by ensuring that the notification process complies with all applicable legal and regulatory requirements.