Data Breach Risk Management – The Cost of Doing Nothing

By Michael Greco of FUSE3 and Matt Oldham of Omnistruct

Why should addressing cybersecurity compliance be a budgetary priority? Can a business get by doing the minimum needed and wait to invest more into their security posture later? Implementing a cybersecurity framework is about data breach risk management. Investing in cybersecurity compliance is similar to purchasing insurance. Either is an investment because the risk of doing nothing is too high. With the prevalence of data breaches today, getting hacked is not acceptable or tolerable for the viability of your organization.

So what will happen if you do nothing? There are three critical consequences that your business must consider:

  1. There is an immediate impact. You risk losing existing and potential customers requiring specific security standards to be met.
  2. There are industry-specific ramifications. Different industries have specific compliance requirements and direct consequences for non-compliance or negligence.
  3. If you experience a data breach, you will suffer higher penalties and fines, recovery from the incident will directly impact your business, and there will be ramifications for your Cyber Liability Insurance policy.

Let’s explore each of these consequences in more depth.

The Immediate Impact of Doing Nothing

There is a growing trend of customers requiring their vendors to meet specific security standards to do business with them. It is all about reducing data breach risk. This will eventually trickle down to your organization. For more information on security questionnaires, see our previous blog article.

If you aren’t already, you will likely have key existing customers sending you security questionnaires asking for proof of your security standing. If you take the “do nothing” approach, you will face the challenge of filling these out honestly, which puts those accounts at risk. We expect the security questionnaire trend to continue to grow, and it will directly impact your sales into new target accounts and industries.

The bottom line is you want to be a vendor your customers and potential customers can trust. You must be able to prove that doing business with your organization will not increase their risk.

Industry-Specific Ramifications of Data Breaches

There are time-tested cybersecurity frameworks that have already been developed to regulate what security measures should be taken to protect different types of data. Choosing to disregard the industry-specific requirements will cause ramifications.

PCI

If you process credit card transactions and store the credit card data, there are specific security requirements that you must comply with. These are prescribed by the Payment Card Industry (PCI). If you do not, there are fines from payment processors. In addition, the payment processors may impose short or long-term restrictions such as the termination of processing credit card transactions from major companies such as VISA, Mastercard, or American Express.

HIPAA

If you are considered a “Covered Entity” or “Business Associate” under HIPAA, you are subject to fines if your organization is found to be in violation of the HIPAA Privacy, Security, or Breach Notification Rules. The fines (or penalties) are based on the amount of care or negligence an organization has displayed.

For example:

  • If your organization displays due diligence regarding security and privacy, the minimum penalty amount could be as low as $120 per violation.
  • On the other hand, if your organization displays “willful negligence” and does not correct the violation within 30 days, the minimum penalty amount could be as high as $60,226 per violation.

Government Data

If you are required to follow certain security standards due to contracts with federal agencies and are non-compliant (essentially doing nothing and hoping for the best), here are some of the consequences your organization may face:

  • Stripped of federal funding
  • Barred from receiving future federal contracts
  • Required to testify in Washington D.C.

It’s Not a Matter of If, But When

Unfortunately, the likelihood of getting attacked and experiencing a compromise is high. You have to consider a potential data breach’s financial implications and costs. 

Based on IBM Security’s 2021 Cost of a Data Breach Report, the global average cost of a breach is $4.24 million. This average goes up if you look solely at U.S. companies, as the costs related to a data breach are higher in the U.S. The average considers several impact factors, including, but not limited to, fines and penalties, cost of investigation and recovery, and lost business/impact on reputation.

The report found that 38% of these total costs were due to lost business. Data breaches can seriously impact your reputation and ability to continue business, resulting in higher customer turnover or more difficulty in gaining new business. In contrast, the impact on your downtime is lessened if your organization has a more comprehensive approach to security and is prepared for a breach. The damage to your reputation is also significantly diminished if your business performs its due diligence regarding security compliance.

Organizations that had a more comprehensive and proactive approach to security when breached saw dramatic decreases in the average cost of the breach. For example, organizations that had documented and regularly tested incident response plans saw a reduction of $2.46 million in the average cost of a breach compared to organizations that did not have those in place.

Cost Factor Considerations

It costs more to improve your organization’s security after a breach than before. If your organization experiences a breach, you will have a list of corrective actions to address. The level of risk and urgency is thus higher, and the cost of remediation will likely increase. It is like car insurance: your policy is more expensive after committing multiple traffic violations or causing an accident.

Your Cyber Liability Insurance policy may also be impacted. When you apply, you must fill out a questionnaire attesting that your organization has certain specified security measures in place. If you experience a breach and can’t prove to your cyber insurance company that your organization was actively enforcing those security measures, you are at risk of having your claim denied.

In addition, there are fines related to state privacy laws. Several new state privacy laws aggressively seek to protect consumer data. If your organization is subject to these laws and experiences a data breach, you may face significant fines.

In California, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you will be fined $2,500 per record for an unintentional violation and up to $7,500 per record if the violation is caused by negligence. If you experience a data breach and thousands of individual consumer records are exposed…well, you can do the math.

Many other states are considering or enacting legislation that will allow for a legal “safe harbor” for organizations that have implemented certain security frameworks such as the NIST PF (Privacy Framework) and NIST CSF (Cybersecurity Framework). This legislation would reduce the penalties related to a data breach for security-compliant organizations.

Do Your Due Diligence Now

Doing your due diligence now to improve your organization’s security posture and adopting a security framework will decrease the chances of a breach and reduce the financial risk if a breach occurs. Essentially “doing nothing” or delaying security improvement is not a feasible business strategy. 

We recommend a risk management approach to cybersecurity. It starts with understanding your cyber risks (assessment) and building a security program based on established cybersecurity standards allowing you to track your progress in addressing risks and prove your compliance.

Get started today by teaming up with FUSE3 and Omnistruct. Together, we will focus on your cybersecurity posture, assessing your risks, and implementing the right cybersecurity framework for your business.

About Matt Oldham

Matt is the Senior Sales Engineer at Omnistruct. With over six years of experience in the cybersecurity and compliance industry, he is the touchpoint between the sales and operations teams, ensuring that the proposed services are the right fit for the client. Matt is also a musician and enjoys cooking as a hobby. He spent over ten years living in the Pacific Northwest before returning to his native stomping grounds in the Sacramento area. Learn more about Omnistruct’s Services.
