Friday, 6 February 2015
European firms lag U.S. on data breach response
European companies need to boost their data breach response to meet the rising cyber threat and the demands of growing regulation, according to a panel of experts taking part in a webinar hosted by ACE and Advisen last week. It is an issue that risk managers in Europe need to take more seriously, they said.
Many European firms lag behind their US counterparts when it comes to preparing for a data breach, according to the webinar participants. Faced with much tougher data breach notification requirements, US companies are generally more experienced and effective in building their response capabilities, they said.
According to Vijay Rathour, Vice President at cyber risk management and investigation company Stroz Friedberg, US companies are much more experienced in preparing and planning for a data breach than those in Europe, where organisations still ‘learn as they go’.
Mr Rathour believes that companies will increasingly face more sophisticated and targeted cyber-attacks, which will require a more proportionate, consistent and effective response. “A planned and robust response will be critical,” said Mr Rathour, who has worked on some of the largest security breaches, including the 2013 data breach at US retailer Target in which some 70 million customer records were stolen.
He believes that companies, and senior executives in particular, need to better understand their cyber risk and identify potential adversaries in order to target their response efforts.
European companies could learn much from the response experience of US firms that prioritise cyber threats and consider where to spend their resources, creating a more proportionate and affordable response, he said.
Many European companies continue to see cyber risk as a predominantly US issue, reflecting tougher data breach and notification requirements in North America, said Sarah Stephens, Head of Cyber and Technology Practice at JLT. “In Europe, risk managers are turned off by cyber risk,” she said.
However, changes to EU data protection laws could raise the profile of data breach risk in Europe, according to the webinar participants. EU data protection legislation is currently in flux, but a proposed new EU regulation (the General Data Protection Regulation) will create a tougher regime in Europe, explained Susannah Wakefield, Partner at law firm Taylor Wessing.
Current EU legislation, unlike US state breach-notification laws, does not require companies in general to notify national data protection authorities or consumers of a data breach; only sector-specific rules, such as those for telecoms providers under the ePrivacy Directive, impose such a duty. The proposed regulation seeks to replace the current patchwork of national data protection rules with a single pan-European law, bringing about tougher requirements and penalties for breaches.
“All eyes are now on EU regulation,” said Ms Wakefield. “Regulations are likely to be more onerous and sanctions for breaches more substantial,” she said.
Since reform of the data protection rules was launched in 2012, the proposed regime has been ‘hotly debated’, said Ms Wakefield. The latest version proposes mandatory reporting of a security breach to the relevant data protection authority, with sanctions, fines and penalties for breaches as high as 5% of global turnover.
Since the first draft of the regulation in 2012, which was followed by intense lobbying, its ‘language’ has been softened, explained Ms Wakefield. For example, the first draft proposed that data breaches be reported within 24 hours of discovery, but that deadline has since been extended to 72 hours.
Costly reporting and notification requirements in the US have led to an explosion in demand for data breach insurance in recent years. However, in the absence of such rules in Europe, companies on this side of the Atlantic spend just a fraction of that spent by US companies on cyber insurance, according to Ms Stephens.
There is a much higher degree of scepticism around cyber insurance in Europe, said Ms Stephens. European companies question its efficacy, she said. Many firms believe they are already covered by traditional policies because cyber risk is not always explicitly excluded, she added.
In the absence of costlier data breach liabilities in Europe, cyber insurers will need to be more creative and innovative to spark buyer demand, according to the webinar participants. For example, insurers could provide property-based cyber insurance or develop policies to cover reputational damage associated with a breach, said Ms Stephens. Such products, which could take the form of policy buy-backs, could be a ‘first step’ for first-time cyber insurance buyers, she added.
“Just one year ago, insurers were not excited to do that but there has been a massive shift and many are now prepared to listen and work with clients,” she said.
One issue to consider when buying cyber insurance is the potential time delay between a cyber-attack and the response, said the experts. It can take companies many months, or even years, before they realise there has been a breach, in which time malicious software may have been operating on their systems.
Insurers and risk managers are concerned by the potential latency of cyber risk, especially for insurance coverage written on a claims-made basis, where a breach that began before the policy started may fall outside cover, according to Ms Stephens. When buying cover for the first time, therefore, insureds should consider negotiating a retroactive inception date so that earlier, undiscovered intrusions are covered, although this can be problematic for some cyber underwriters, she said.
The timing of response to a data breach is pivotal in mitigation efforts, according to Mr Rathour. “Delaying a response, even by minutes, can have a serious impact,” he said.
“Quick, decisive responses can really help,” continued Mr Rathour. Cyber insurance that includes a response service can help companies get up and running much more quickly, he added.
Cyber insurance with a response element should mitigate reputational harm of a data breach, according to Ms Stephens. It can also help with potential loss of revenue, she added.
Some insurers will cover loss of revenue related to a data breach, such as a cancelled contract, said Ms Stephens. “While not a perfect solution it is encouraging that insurers are taking on clients’ needs,” she said.
Experience breeds better outcomes, according to Kyle Bryant, Regional Cyber Manager, Continental Europe at ACE Group. “Most cyber policies have a cyber-response element, and while many US companies now have relationships with response providers, European companies value the support a web of providers brings,” said Mr Bryant.
However, the biggest challenge in Europe is a lack of local vendors that can speak to non-IT people and management, said Mr Bryant. “You need people on the ground to improve your risk and response. In Europe, every country has its own personality, and that needs to be considered,” he said.