CEO & C-Level Executives Role in Data Breach Management by Nikos Georgopoulos
Because of the nature of the information managed and stored, cyber-breaches and cybersecurity are sources of insecurity for every company. As we have already seen in the most recent data-breaches, the way an organization handles a crisis, determines extensively if the CEO and the other C-level executives (CIO, COO, CΜΟ, CRO, CFO etc.) remain at their positions.
In the following figure, we can the distribution of responsibility in case of a cyber-breach in an organization according to a research of the NYSE Goverment Services.
Source: A 2015 SURVEY Cybersecurity in the Boardroom
The internet has come a long way since its development began in the 1950s. Nowadays, it is more a necessity rather than a luxury. Modern companies rely on it for several reasons and it is undoubtedly one of the most important tools for communication and data sharing, creating new business opportunities for companies because it offers the opportunity to communicate effectively with the distribution networks, the end users, it simplifies the operating procedures and gives access to new market segments with lower cost products and services.
The ease of access, its global and anarchic structure, the anonymity and our growing dependence on it, for all the aspects of our lives (economical, educational, communications), makes it also a perfect instrument for criminals, terrorists and state-sponsored hackers. Often, Web sites and computerized services are attacked by various groups and individuals, with a wide range of targets, such as: financial reports, staff payroll, customer data bases, passwords , trade secrets , marketing plans , projects to create new products and services, cooperation agreements with distribution networks, healthcare data, credit card numbers and bank accounts , customer property data , customer personal financial data
They can also create problems in smooth functioning and availability of the company's systems through cyber-attacks leading to distributed denial-of-service (DDoS) and altering the quality of the company's data.
With an estimated cost of $40,000 per hour, the average DDoS cost can be assessed at about $500,000, according to a study of Incapsula. Costs are not limited to the IT group, but also have a large impact on units such as security and risk management, customer service, and sales, while such an incident may last from few hours to several days. More specifically, according to the same survey, the 63% these attacks surpassed the 6 hours, while 8% took place for one to seven days and 4% for over 7 days.
Source:Incapsula
The use of cyberspace creates a significant operational risk to the companies. In order to manage this risk, apart from the IT solutions offered, the security policies and the procedures followed by each company, the (cyber) insurance might form an indispensable tool.
With the implementation of the new European legislation on the protection of personal data, companies that will fail to protect their data will face fines of up to 2 % of the company's annual global revenues for violation of the law.
According to a study by the Ponemon Institute in 2014 the systems violations and the loss of confidential information is one of the top three reputation spoilers following the poor customer service and the environmental incident.
Factors with the greatest impact on a company’s reputation
Source: The Aftermath of a data breach Consumer Sentiment. Ponemon Institute Report
Also in the study "Cyber Claims Study 2015" conducted by NetDiligence we can observe the causes leading to violation of systems and loss of confidential information from insured US companies which suffered data breaches.
More specifically, Hackers were the most frequent cause of loss (31%), Malware/Virus were a distant second (14%), followed closely by Staff Mistakes (11%), Rogue Employees (11%), System Glitch (5%), Theft of Hardware (3%), Theft of Money (1%) and Others(7%).
Source: Netdiligence Cyber Claims Study 2015
One of the most effective management tools in case of a data breach is the Cyber Insurance. The latter, apart from the financial compensations, provides access to a team of specialists (lawyers, communicators, forensic investigators, etc.) who have faced numerous incidents and may in cooperation with the Group Trespassing Incident Management System of the company to effectively manage incidents of violation to limit the financial impact and protect the corporate reputation.
In any case, the CEO in order to address these incidents should have complete, accurate and timely information about the incident.
It is necessary for the CEO to have the full picture: the information collected and compiled by the company, his role in case of a systems violation, for systems and infrastructure and an educated Incident Response Team in disposal, which will cooperate with the cyber insurance company to effectively manage the data breach limiting the financial impact and protect the reputation of the company.