Even as CFOs are increasing spend on IT security technology to prevent incidents, we know security is never guaranteed. It’s now incumbent upon CFOs to take on cyber risk through the lens of damage mitigation, not just prevention.
CFOs, however, are often challenged when they try to understand the true cost drivers of a cyber incident. For example, in the health-care industry, we’ve seen one organization receive a regulatory fine of $750,000 for exposing 90,000 patient records and another a fine of $3.2 million for losing 2,400. This apparent inconsistency in costs is seen across industries.
While the drivers of data breach costs can sometimes be unexpected, they are not random. Here are six lessons CFOs can learn about breach costs and how to keep them down:
- You can’t lose what you don’t have. Simply put, you can’t lose a customer’s (or employee’s) data if you don’t have it. While this may seem obvious, it’s not trivial. In 2015, the health insurer Anthem and its affiliates served 69 million customers, yet when they were breached that year, they exposed 78 million records. The extra nine million records most likely belonged to former customers. Each of these individuals had to be notified and offered credit monitoring, driving up costs. The first lesson: You can dramatically reduce your exposure by destroying records of past customers once any legal or regulatory retention period for them has expired.
- You can’t mail letters if you don’t have an address. In the event of a breach, companies are typically required to notify affected individuals by old-fashioned printed letter, or “snail mail.” But they can use alternative methods of notification, such as email or public announcement, if they do not have a valid mailing address. Physical, written notifications can cost up to $2 per person, and the cost quickly adds up. It may be worth asking twice what the business need for those customer addresses is and, where there is none, not capturing them at all to reduce exposure to notification requirements.
- You say it wasn’t a breach, but can you prove it? Data from BakerHostetler shows that in 44% of incidents, public notification is not required. To avoid notification, companies must prove that, even if they were attacked, no records were improperly accessed. To do so, they use system logs, which keep track of user activity and show who accessed which records, and when. Unfortunately, many companies don’t enable logging on their systems or don’t configure it properly: a log that records only logins, not which records were read, or one that is overwritten after a few days, cannot settle the question either. Without usable logs, a company may be forced to assume a breach occurred because it cannot prove otherwise. CFOs don’t have to be network experts to ask, “do we have sufficient logging enabled to prove whether personal records have been accessed?”
- You can’t stop credit card fraud after a breach. For breaches that involve credit card data, reimbursing card companies for fraudulent transactions can amount to a staggering cost, from $3 to $30 or more per card, according to the BakerHostetler study. New chip cards are designed to reduce fraud, and early data show they are having the intended effect: MasterCard reported a 54% reduction in counterfeit card fraud costs at retailers that have switched to chip cards. While there are many considerations for companies transitioning to chip cards, CFOs should factor reduced damages from data breaches into their cost-benefit calculations.
- If you’ve never done this before, get help from someone who has. Your breach response effort is not a good time to reinvent the wheel. Missteps happen fast and have serious consequences. One example is customer communications. After a breach, the pressure to communicate quickly with customers can be intense. But ineffective communications can cause panic, dramatically increasing the rate at which customers phone into call centers and sign up for credit monitoring. Credit monitoring alone can cost $5 to $30 per person. Data breach specialists, such as PR consultants or data privacy lawyers, have often seen hundreds of data breaches and are highly practiced at helping you craft a genuine story that keeps confusion, and costs, down.
- You are going to be investigated by regulators. In the wake of a breach, a company may be investigated by a number of regulatory agencies. While it’s not guaranteed to occur, it is likely, and there are simple steps you can take to head off outsized fines if it does. To start, CFOs should be strong advocates for implementing the security controls recommended by external auditors or by regulators themselves. The $3.2 million fine cited earlier came on a hospital’s second breach in a short span, during which it had knowingly declined to make the improvements previously recommended to it.
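To make the logging question in the third lesson concrete, here is an added example that is not part of the original article. It assumes a hypothetical pipe-delimited audit log format and uses constructed sample lines; the only thing it demonstrates is the difference between a log that captures record-level access (the exposed population can be proven, even if it is empty) and one that captures only logins (no proof is possible, so the conservative assumption is that everything the account could reach was exposed).

```python
"""Scope a suspected breach from an audit log.

Added illustration (not the article's or any vendor's code). The log
format below is hypothetical:
    ISO-8601 UTC timestamp | account | event | record id or '-' | source IP
and the sample lines are constructed, not real data.
"""
import re
from datetime import datetime, timezone

# Event types that represent access to an individual person's record.
RECORD_EVENTS = {"READ_RECORD", "EXPORT_RECORD", "UPDATE_RECORD"}

# Constructed sample: a system configured to log record-level access.
RECORD_LEVEL_LOG = """\
2024-03-02T01:12:05Z|jdoe|LOGIN|-|203.0.113.7
2024-03-02T01:13:40Z|jdoe|READ_RECORD|PAT-10421|203.0.113.7
2024-03-02T01:13:41Z|jdoe|READ_RECORD|PAT-10422|203.0.113.7
2024-03-02T01:15:02Z|jdoe|READ_RECORD|PAT-10421|203.0.113.7
2024-03-02T01:20:00Z|asmith|READ_RECORD|PAT-20001|198.51.100.4
2024-03-02T03:00:00Z|jdoe|LOGOUT|-|203.0.113.7
"""

# Constructed sample: the same incident on a system that logs logins only.
LOGIN_ONLY_LOG = """\
2024-03-02T01:12:05Z|jdoe|LOGIN|-|203.0.113.7
2024-03-02T03:00:00Z|jdoe|LOGOUT|-|203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\|"
    r"(?P<account>[^|]+)\|(?P<event>[^|]+)\|(?P<record>[^|]+)\|(?P<ip>\S+)$"
)


def utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse the pipe-delimited audit log into a list of event dicts.

    Malformed lines raise rather than being skipped: a gap in the evidence
    must be noticed, not silently ignored.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"malformed audit line: {line!r}")
        event = match.groupdict()
        event["ts"] = utc(event["ts"])
        events.append(event)
    return events


def scope_breach(events, account, start, end):
    """Decide what a compromised account exposed between start and end.

    Returns ("definite", set_of_record_ids) when the log captures individual
    record accesses, so the exposed population can be proven (possibly empty).
    Returns ("unknown", reason) when it does not: nothing can be proven, and
    the conservative assumption is that every reachable record was exposed.
    """
    # Infer from the log itself whether record-level events are captured at all.
    # In a real investigation, confirm this from the audit configuration rather
    # than from whatever happens to be present in the sample.
    if not any(e["event"] in RECORD_EVENTS for e in events):
        return "unknown", "audit log contains no record-level access events"
    exposed = {
        e["record"]
        for e in events
        if e["account"] == account
        and e["event"] in RECORD_EVENTS
        and start <= e["ts"] <= end
    }
    return "definite", exposed


if __name__ == "__main__":
    window_start, window_end = utc("2024-03-02T01:00:00Z"), utc("2024-03-02T02:00:00Z")
    for name, text in (("record-level", RECORD_LEVEL_LOG), ("login-only", LOGIN_ONLY_LOG)):
        status, detail = scope_breach(parse_log(text), "jdoe", window_start, window_end)
        print(f"{name} log: {status} -> {detail}")
```

Run against the record-level sample, the compromised account jdoe is tied to exactly two patient records in the window (repeat reads of the same record count once, and another user’s reads are excluded), so two notifications are owed rather than one per record in the database; an account with no logged reads yields a definite empty set, which is the evidence behind “no notification required.” Run against the login-only sample, the function can only answer “unknown.” The CFO’s question therefore translates into three checks: record-level events are enabled, they are retained for at least as long as an investigation might look back, and they are stored where the attacker cannot alter them.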
While these steps will help mitigate the cost of a data breach, many CFOs now also face newer threats such as ransomware. Finance chiefs should be aware that one of the first steps in responding to a ransomware incident is to determine whether the attack also constitutes a data breach, that is, whether the attackers could read or copy the affected files rather than merely encrypting them in place. If the incident is also a data breach, the actions above apply in full.
While the costs of a data breach can vary widely on a case-by-case basis, CFOs who understand the drivers behind the expense will be better positioned to take steps needed to protect their organization when the unfortunate – but inevitable – happens.