Data breaches are increasing at a rapid speed. Here’s what can be done

Discussions around cybersecurity tend to focus on how data breaches occur, focusing on ransomware or similar. However, this fixation overshadows the lasting risk created by data exfiltration to victim organizations and individuals.

In 2022, 1,774 organizational data compromises impacted over 392 million individual victims globally. They compromised legally protected information identifying individuals accessing various services from financial and healthcare to social services.

Data breaches also directly impact the economy as their cost continues to rise over 20% year-on-year, amounting to 4-6% of the global gross domestic product.

Despite this increase, breach notices are becoming increasingly opaque and in 2022, 66% of public notices in the United States did not include information on impacted victims or the attack details, primarily because privacy rights are not codified at a national level. Further, post-breach services offered to consumers, such as credit monitoring, usually don’t marry up to the recommended post-breach course of action to minimize the risk of future exposures and breaches.

In the United States, data breach notification and privacy laws are set and enforced at the state level creating inconsistency in breach reporting. The lack of unified regulatory reporting requirements for breaches means businesses are only notified of breaches if specified in the vendor contract.

As well as the patchwork of inconsistencies in data handling, confidential business information is currently not subject to regulation. Organizations that don’t stipulate breach reporting requirements in the contract are subject to potentially significant third-party vulnerabilities.

The average global cost of a data breach to businesses reached $4.35 million in 2022. Despite the continuous financial sustainability risk of cyber incidents to organizations, they are more incentivized to protect their stock prices, so avoid including reporting clauses to prevent lawsuits and reputational damage.

Given that the cost of data breaches in the United States is more than twice the global average, $9.44 million, it’s prudent for the US private sector to engage regulatory bodies to codify the right to privacy in federal law and create consistency in the handling of data.

The European Union’s General Data Protection Regulation should be the model for enforceable regulations. Unlike section 5 of the US Federal Trade Commission Act, comprehensive data security law for the European bloc does not allow subjective interpretation of individual entities. The EU is a tougher regulator – to compare, in 2022, there were 356 breaches reported per day across the 27 member countries, compared to seven in the United States.

While the United States lacks a federal regulation that supersedes state laws, in the European Union, a clear data breach definition leads to a joint decision between law enforcement and the breached entity to decide the risk of harm. Further, the hefty fines and penalties for violating regulations results in more transparent disclosures and cooperation amongst affected stakeholders.

Traditionally, the insurance sector has led the charge in the cybersecurity risks assessment of an organization as cyber insurance has gained momentum. Given the rapidly evolving threat landscape, however, insurers’ business models have been challenged given the need to shift from point-in-time assessments to reassess the organizational risk continuously.

The lack of consistent definitions around what constitutes a risk or a risk of harm from a data breach directly impacts the insurer’s ability to assess cybersecurity risks. It also hinders its ability to assess adequate coverage and even analyze a claim when it is reported. Underwriters and claims professionals alike struggle with the rapidly emerging threats orchestrated by ever-evolving threat actors and find it challenging to keep up with appropriate ratings that, by definition, cannot be static.

Regulators must work closely with insurers to continuously enhance cyber insurance risk assessment models to reflect preventative controls aligned to emerging threats.

They should work collaboratively to develop a risk score based on data attributes leaked to determine the severity and frequency of harm and the cost that data breach has on society. Doing so will mean cyber insurance will emerge as part of an organization’s security defence strategy instead of simply a financial vehicle to offset risk and restore a business to its original operation.

One way that insurers and regulators can drive data breach awareness and reduction is by rewarding organizations that extend safeguards to consumer data protection as well as enterprise security. Recommended post-breach courses of action, including deploying tighter identity authentication measures, are often not provided by the breached organization. Some recommended measures could include the following:

Cyber insurance can further champion this business model by offering reduced premiums, no-cost pre-breach services and continuous underwriting that develops as threats and cyber risk management evolve. Cyber coverage is triggered by discovering unauthorized network access; to decrease the likelihood of unauthorized access, persons should implement defences available to them whether they are insured or not.

Cyber insurance policies could thus become suitable solutions for organizations before, during and after a data breach event and can protect the valuable assets of individuals.

And taking a victim-centred approach will further safeguard organizations and their customers from the impact of serious breaches.