The Consequences of a Breach: Can your business survive a cyberattack?

PROLINK Blog

The Consequences of a Breach: Can your business survive a cyberattack?

May 14, 2021

Capital One, Microsoft, Marriott, and more—cyberattacks on major companies seem to dominate the news. And yet, according to Verizon’s 2019 Data Breach Investigations Report (DBIR), nearly 43% of breach victims are small-to-medium sized businesses (SMBs). Findings from the Insurance Bureau of Canada (IBC) even show that nearly one in five businesses (18%) have been affected by a cyberattack or data breach in the last two years.

Despite the surge in attacks worldwide, the general consensus remains the same: SMBs aren’t doing enough to bolster their cyber hygiene. 44% of small businesses have no defense against security incidents and 66% have no insurance to help them recover if an attack occurs, citing insufficient personnel and lack of resources as the main deterrents—and that was before the onslaught of COVID-19.

We know what you’re thinking: you’ve heard it all before. It’ll never happen to you. And even if it does, you’ll be fine, right? But the truth is: when client data is compromised in a breach, managing the aftermath can be time-consuming, costly, and downright disastrous for your brand image. Read on to find out why.

1. Regulatory Violations

To combat the growing threat of cybercrime, government and industry bodies across the world have introduced extensive privacy laws for all organizations that store personal data. These mandates, like the European Union’s General Data Protection Regulation (GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and more, are intended to strengthen accountability for unsecured data and penalize companies for the failure to safeguard, retain, or dispose of any personal information in their custody. Additional regulations may apply to organizations that collect personal health information, like PHIPAA in New Brunswick, PHIA in Newfoundland and Labrador, PHIA in Nova Scotia, and PHIPA in Ontario.

Although legislation varies between regions, these laws share some key points when it comes to data collection:

  1. Jurisdiction: Data is subject to the rules and requirements of the region in which it is processed and where the client resides—not the business. This is a crucial point for any organizations that employ third-party software or cloud-based services, which may entail the cross-border transfer of information.
    To learn more about how cloud computing complicates jurisdictional privacy laws, read our whitepaper: The Cloud: Not Just a Place to Daydream Anymore.
  2. Oversight: Companies must, at all times, know where their data is located, who has access to it, and how it is protected.
    To learn more about PIPEDA’s requirements, read: All About PIPEDA: How do privacy laws affect my business?
  3. Notification: In the event of a privacy breach, companies MUST alert all victims and appropriate governing bodies.

Unless companies take reasonable steps to secure client data, they risk severe penalties for compliance violations. If an organization is found to have committed an offence under PIPEDA (or any applicable provincial legislation), it could be held liable for up to $100,000 in fines.

And that’s just the tip of the iceberg. Privacy laws will only get stricter from here on out. If the proposed Digital Charter Implementation Act, 2020 (DCIA) is passed, penalties could reach as high as $25 million.

To learn more about the DCIA, Canada’s proposed new privacy law, and the potential overhaul of PIPEDA, read: Privacy Law Update: Are you ready for privacy law reforms?

2. Financial Loss

Privacy breaches almost always end up being pricier than anticipated. The Desjardins Group’s 2019 breach ultimately cost the organization a staggering $108 million, well over its initial estimate of $70 million. While that’s certainly an exceptional case when it comes to breach expenses, the Ponemon Institute’s 2020 Cost of a Data Breach Report still puts the average global total cost of a data breach at $3.86 million.

Simply put, a data breach can be crippling for SMBs, most of which have limited cybersecurity budgets to begin with. In addition to regulatory fines, detection and escalation fees add up quickly, with each compromised record containing customer PII (personally identifiable information) costing $150. That means if even 100 of your clients are affected, you’ll already be out nearly $15,000 in breach expenses.

Breach remediation also usually includes fees for: legal counsel and defense, data restoration, public relations assistance, credit monitoring, and more. Plus, there’s always a possibility that victims may sue for damages, injury, or harm caused by the breach, compounding your organization’s overall losses.

To learn more about the cost of a data breach, read: The Cybersecurity Stats You Should Know in 2020.

3. Operational Disruptions

Business interruption costs can make matters worse. If your organization suffers a breach, you’ll need to hire a forensics team to determine how and when it occurred, which systems were bypassed, and how much information was compromised. During this review period, you might not be able to access your records, or they may be tied up in an investigation or litigation for a significant length of time.

Either way, there’s a chance you’ll have to shut down until the source of the breach—and an appropriate solution—are found, which could take days, weeks, or even months. In fact, the average life cycle of a breach from discovery to containment is 280 days. When a malicious attack is involved, that figure jumps to 315 days. Could your business comfortably survive being closed down for that long? Keep in mind: the longer your business is closed, the more likely clients are to leave. And the subsequent decline in revenue might prevent you from making a full recovery at all.

While system downtime will differ based on the organization’s size, industry, and available resources, an operational disruption of any kind will probably have a sizable and potentially devastating impact on business productivity.

4. Reputational Harm

The effects of reputational harm are severe, long-lasting, and often irreparable. At an average of $1.52 million, lost business remains the highest cost component of a breach (and has been for the last six years), comprising a whopping 40% of remediation expenses.

Why? When it comes to data security, word travels fast. And diminished goodwill, bad press, and a drop in share price can arguably do more long-term damage than forensics or notification costs, especially if a company fails to take swift action, apologize to, or even notify breach victims right away. Once you’ve lost that trust, it’s not easy to regain, or to attract new clients, employees, or investors for that matter. Highly regulated industries such as healthcare, finance, and pharmaceuticals are even more susceptible to steep turnover or churn rates since clients generally have greater expectations for privacy.

Still, companies continue to underestimate the effects of negative publicity. In 2019, CIRA’s Cybersecurity Survey indicated that only 13% of businesses felt that a cyberattack harmed their reputation. This is in sharp contrast to CIRA’s Canadians Deserve a Better Internet Report released the same year in which over 80% of Canadians said they wouldn’t continue to do business with an organization if their personal information was exposed in a cyberattack.

The Bottom Line

Regardless of size or industry, all organizations collect, store, and transmit vast amounts of confidential data, including:

  • Corporate data (e-signatures, valuable third-party connections, user credentials);
  • Intellectual property (project files, accounts); and most importantly,
  • Employee and customer PII (personally identifiable information).

And any business that collects, stores, and transmits confidential data is at risk of a privacy breach, particularly those that have an online presence, use e-commerce as a distribution method, or have company devices that hold personal or commercial information.

Given the global conditions, more companies are reliant on digital solutions, like email, cloud services, online forms, and more, than ever before. But these very technologies also boost their vulnerability to attack. And as more businesses expand their virtual presence, we will likely continue to see a steady and aggressive influx of cyberattacks.

To learn more about the current cyber risk landscape and how your business might be vulnerable, read: Cyber Risk Trends 2021: 10 Threats to Watch Out For.

Most SMBs believe that their business insurance will restore their records for a small add-on fee, but your general liability policies aren’t specifically designed to address cyber risk and won’t respond to cyberattacks unless explicitly stated.

That’s why it’s critical for all organizations to adopt a risk management approach that focuses on cybersecurity AND cyber insurance to ward off any potential threats, shield their digital assets, and offset some of the financial costs.

For a list of standard cybersecurity measures, read: COVID-19: How to Keep Employees Cyber-Safe While Working From Home. For maximum protection, consider Data Security and Privacy Breach Insurance coverage. A dedicated, standalone cyber policy can help you access:

  • Funds for legal expenses and third-party damages;
  • A breach coach who will guide you through the legal process of navigating a breach under attorney-client privilege;
  • An IT forensic investigations team to help you determine the size and scope of the breach;
  • Funds to set up credit monitoring and notifications for affected parties;
  • A team of PR consultants to help manage your organization’s reputation;
  • AND more!

Need guidance? PROLINK will help you plan and protect. We can share what steps others in your industry are taking and advise you based on your unique operations.

To learn more about your cyber exposures, connect with PROLINK today or watch our video: What kind of businesses don’t need cyber insurance?

PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.