Data breaches and cybersecurity incidents pose a significant risk to businesses across all scales. According to the Aon Center for Strategic and International Studies in 2015, the global economy incurred an annual cost of US$445 billion due to cybercrime. Furthermore, Cybersecurity Ventures predicts that global cybercrime will escalate to 10.5 trillion USD by 2025, surpassing their previous estimate of 3 trillion USD in 2015. Regardless of the specific figure, it is evident that we are dealing with substantial sums.
In the European Union, the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive are two crucial legislative acts that impose substantial penalties on organizations that fail to adopt suitable security measures, or fail to inform the competent authorities of a data breach or cybersecurity incident.
Key Facts
- The GDPR requires data controllers to notify the relevant data protection authority (DPA) within 72 hours of becoming aware of a data breach.
- Failure to comply with the GDPR can result in fines of up to 2% of annual global turnover or €10 million, whichever is higher.
- The NIS Directive applies to operators of essential services and digital service providers with 50 or more employees and an annual balance sheet turnover of over €10 million.
- Non-compliance with the NIS Directive can result in fines of up to 4% of annual global turnover or €20 million, whichever is greater.
Implications for Businesses
- Businesses should take steps to comply with the GDPR and NIS Directive, including:
  - Implementing appropriate security measures to protect personal data and essential services from cyber-attacks. We at Elasticito are experts in cyber risk management and can show you how.
  - Having a plan in place to respond to data breaches and cybersecurity incidents.
  - Notifying the relevant authorities of data breaches and cybersecurity incidents in accordance with the GDPR and NIS Directive.
Cyber Liability Insurance
I have previously provided a more comprehensive analysis of cyber insurance and its escalating cost. Even so, businesses can effectively manage the financial and reputational risks linked to data breaches and cybersecurity incidents by taking out cyber liability insurance. This type of insurance covers a range of expenses, such as:
- The cost of notifying affected data subjects and regulatory authorities.
- The cost of investigating and responding to data breaches and cybersecurity attacks.
- The cost of defending against and settling data breach and cybersecurity attack claims.
- The cost of reputational damage.
Conclusion
Data breaches and cybersecurity incidents pose a significant danger to businesses, regardless of their size. To mitigate this risk, businesses should comply with the GDPR and NIS Directive, monitor their vendor risks and internal cyber risks through automated and continuous monitoring, set up automatic alerts for risk detection (our assistance is available), and consider taking out cyber liability insurance. These measures help businesses protect themselves against potential fines and other associated risks.