Last week it was announced that both British Airways and hotel group Marriott International were to be fined by the Information Commissioner’s Office (ICO) under the GDPR in relation to data breaches.
Marriott, a US company, was told it was getting a £99 million fine for an incident in November 2018 in which 339 million of its customers globally, 30 million of them from the EU, had their details exposed. Meanwhile, a record £138 million fine for British Airways, after hackers accessed the data of 500,000 of its customers, came as a bigger shock to many.
Richard Breavington, partner at professional services firm RPC, said while the numbers were quite big, we could see even bigger fines dished out in the future.
“They are surprisingly large figures although even those are well short of what the maximums could be,” he said. “They probably did take people by surprise in terms of the sheer size.”
Breavington believes that GDPR has brought attention to the issue of data security, with more people and businesses being educated about its importance.
“I think people generally have an understanding now that data has a value, whereas when we were dealing with these sort of things three or four years ago people didn’t really get the concept of a data breach,” he explained.
Breavington said that RPC’s research has shown that in the year since GDPR was introduced, there has been a 175% increase in data breach whistleblower reports to the ICO, which he credits to people being more informed.
So, in light of this increase in whistleblower reports, and the large fines dished out by the ICO, what can businesses do?
“I think there’s some real value in cyber insurance,” he said. “It’s surprising that cyber insurance has not penetrated UK businesses as much as it might.
“In a recent government survey around 12% of UK businesses said they had cyber insurance in place but 43% of UK businesses were being targeted by cyberattacks. That doesn’t stack up.”
Cyber insurance has a number of advantages, according to Breavington, one of which is simply that, during a crisis, an insurer has a number of tools at its disposal to help a business deal with the situation.
“If you do have a cyber breach then losses can arise; whether you can insure against fines is a bit of a vexed subject,” Breavington said. “But the point is dealing with a cyber breach quickly and effectively is going to be important whatever way you look at it, and insurance can help you with the cost of doing that and the practicalities of doing that.”
The other advantage of cyber insurance, Breavington explained, is insuring against losses incurred.
“Then of course there are the losses that can flow from a breach quite apart from that - business interruption losses can be quite significant,” he said. “You may have claims against you or losses that arise from data that has been lost.”
Another example of business interruption, a “classic” one in Breavington’s words, would be an attack in which hackers deploy ransomware on a system so that everything becomes encrypted, and then demand a sum of money to decrypt it.
“You’re reliant on your systems, that can be a business interruption loss from moment one really, and that’s the sort of thing cyber insurance can help with as well,” he said.
Ultimately, the key message is that the vast majority of UK businesses that don’t have cyber insurance are taking a huge risk, especially given the new GDPR fines being given out for data breaches.
“Gone are the days when you can put data on the backburner,” Breavington said. “Or if you are tipped off that there is a potential data breach closing your eyes to it or even not having a process in place to deal with it upfront, that is going to be really risky and is not advisable.”