Is Your Company Ready for a Data Breach?

Mark Millard, Dan Healy, John Petzold

February 27, 2024

Data breach readiness

Every year, cyberattacks become more frequent, sophisticated and costly. According to IBM’s Cost of a Data Breach Report 2023, the global average cost of a data breach was $4.45 million, an increase of 15% over three years. Adding to their already devastating toolkits, today’s cyber criminals are increasingly harnessing the power of artificial intelligence to automate and scale their attacks, adding a complex new element to an already rampant problem. Many cybersecurity leaders believe that attacks leveraging AI will become more common.

Technical solutions to cyberattacks are the cornerstone of a sound cyber resilience plan, but the potential for damage to your company—whether material or reputational—can persist long after an organization resolves the purely digital aspect of an attack. Even a comprehensive response protocol combined with a well-structured insurance policy still requires effective implementation if the organization is to emerge successfully from a cyberattack. The following measures can help limit the impact of a cyberattack:

Develop a Data Breach First Response Protocol

Cyber incidents can take many forms. The most direct attacks result in employees being completely locked out of their networks, staring at blank screens or receiving a barrage of notifications indicating that malware or ransomware has encrypted their files. Those behind the breach may simply be asking for payment to remove the blockages, but more sophisticated attacks may result in the extraction of sensitive commercial information such as intellectual property or sensitive internal documents. Attackers can also take personal information from customer databases and personnel files to later sell or disseminate on the internet. In either scenario, until the breach is effectively resolved, all business activity must cease.

Social engineering attacks, which include phishing scams, contact spamming and DNS spoofing, belong to a category of breaches where valuable data is extracted by gaining access to networks through legitimate users. Employees may unwittingly divulge sensitive information, offering cybercriminals an indirect alternative to hacking into the system. These attacks are often more covert and can be harder to detect, but they can be just as devastating.

Every minute your networks are down could affect your organization’s bottom line and reputation. To ensure immediate response when a breach is detected, IT teams should have a detailed protocol in place, including the following actions:

  • Isolate the system: The first step is to remove all users from the network and restrict all access to it. Once a network is compromised, cybercriminals, legitimate employees or external third parties all have the potential to cause further damage.
  • Identify the breach: After the IT security team has isolated the network, their next task is to uncover the source of the breach. In the short term, identifying exactly how the breach occurred allows the IT team to stem the flow of damage. This will also provide essential takeaways in the breach’s aftermath as cyberattack guidelines and IT best practices are reviewed to mitigate damage from similar attacks in the future.
  • Evaluate the damage: At this stage of the process, IT teams will improve network safeguards and remediate the vulnerabilities that were exploited, and they will also undertake a comprehensive accounting of the damage suffered. It is essential to quickly identify what, if any, data was stolen, whether that data can be retrieved, and whether anyone outside of the organization’s network may be affected.

Data breaches are not a problem to be solved by IT teams alone. Your organization should have a response strategy in place, and employees not directly involved in securing the network should still be active in documenting key data points related to the breach. When your networks are down, business activity must stop. Time lost by employees while these issues are resolved should be recorded, along with any additional expenses resulting from a breach. This information will be useful not only for quantifying loss, but for analyzing how your organization can react more effectively to future attacks.

Notify Authorities

The notification process will look different depending on the nature of your organization and the scale of the breach, but there may be external reporting requirements after an attack. It may be appropriate to inform law enforcement—the National Security Agency recently founded the Artificial Intelligence Security Agency to combat threats posed by AI, for example—along with any third parties the breach affected. In the event of a cyberattack that results in material losses, the SEC requires all publicly traded companies to file an 8-K form within four days. In the interest of transparency, many companies choose to file an 8-K voluntarily, even in the absence of material losses.

Privately held companies are not subject to the same regulatory requirements around disclosure as publicly traded companies, but this good-faith practice of voluntary filing is quickly becoming a best practice across the board. Following the SEC's reporting guidelines promotes transparency and goes a long way toward minimizing potential liability to any third parties affected by a cyberattack should such details come to light in the future. Opting against disclosure can have lasting consequences for companies that fail to follow this de facto industry standard, including loss of brand trust and reputation damage.

Quantify Damages

Investing in appropriate insurance coverage with well-adjusted limits is essential to resilience, but it is not an umbrella solution to the risk of data breaches. When your organization files a claim to recoup damages, the insurer will request proof of the material losses suffered, further underscoring the need to rigorously document every aspect of a cyberattack. In its 2023 Cost of a Data Breach Report, IBM found that the average cost of a data breach for companies in the United States reached $9.48 million, exceeding the global average by more than $5 million. Even if your organization is adequately insured, an insurance company’s valuation can often be lower than the actual loss incurred, and this can lead to a costly resolution process while the valuation is disputed.

Update and Restructure Coverage

In addition to IT's rapid response plan, organizations should have an emergency playbook that is frequently updated and that all employees are trained to use. These are just the first lines of defense in the event of a cyberattack. A comprehensive and purpose-built cyber-liability insurance plan is critical in the recovery process and a cornerstone of a sound resilience plan. Just as with an emergency playbook, simply having a policy will be ineffective if leaders from across the organization do not thoroughly understand the types and limits of coverage in the insurance plan. Gaps in understanding and an inadequately written policy may lead to large, unexpected expenses and slower claims resolutions.

This could also exacerbate the breach's damage as its effects ripple out beyond the organization. For example, when an automotive services manufacturer suffered a breach that halted production at one of its main facilities, the manufacturer had a response protocol in place and quickly shifted production away from the main facility to other sites, avoiding major disruptions to overall productivity. The company's response to the cyber incident itself was effective, and there was an expectation that its current insurance policy would cover any material losses. However, while the policy had been structured to provide high limits for business interruption coverage, there was no coverage for the costs associated with shifting production to other facilities. This organization had invested in an adequate amount of coverage, but the coverage was in the wrong area given its needs and the resilience plan it already had in place for a setback of this nature.

Beyond the Breach

BDO’s 2024 CFO Outlook Survey found that cybersecurity is a leading cause of concern for business leaders, with 39% of respondents identifying both data privacy breaches and generative AI as major risk factors for the year ahead. When it comes to assessing the threat landscape for cyberattacks in 2024, it is not a question of if your organization will suffer a cyberattack, but when, and how you can best mitigate the damage from a potential breach.

Once the immediate danger of a breach has been contained, its source identified, and its damage quantified, there are opportunities for your company to improve cybersecurity policies and strategies. A holistic review of the event can lead to enacting new policies, investing in new technologies, and consulting with advisory professionals to mitigate potential damage and safeguard high-risk areas to enhance operational resilience when bad actors inevitably strike again.

Mark Millard is a principal at BDO and leads the firm's insurance risk advisory group.

Dan Healy is a partner in the litigation and arbitration practice group at law firm Brown Rudnick.

John Petzold is managing director for insurance claims and recovery at BDO.