2017 has been a very dangerous year to be online for business, given the growing threat from cyber criminals. Phishing and ransomware have increased and have even led to global data breaches. In the United States, the largest data breach this year happened to Equifax in July and was reported in September. The breach compromised the lives of more than 145 million Americans. While the average cost of a data breach is around 3.6 million, the Equifax data breach may raise that number, thanks to increasing anxiety over cyber security.
Breakdown of Costs
The breach has cost Equifax $87.5 million so far. In its third-quarter filing, Equifax details how the cyber security incident has impacted the company. For the third quarter, Equifax reports product costs ($55.5 million), professional fees ($17.1 million), and consumer support ($14.9 million), which have led to the total of $87.5 million. $27.3 million was spent on investigation, remediation, legal services, and professional services to get control over the situation. Equifax has also estimated that by the January 31, 2018 deadline it will have additional costs of providing credit monitoring ranging from $56 million to $110 million.
As a result of the data breach, Equifax has entered into various agreements with many firms, including IBM and Tata Consultancy Services. These are outsourcing agreements for data processing operations, app development, continuity services and recovery services. Equifax expects that it will have to meet new compliance measures as a result of this data breach, which it expects will carry a heavy cost as well.
What About Insurance Coverage?
Many businesses fall into the false comfort that simply having insurance means the costs associated with a data breach will be covered. Even for large institutions such as Equifax, this is not the case. Equifax has insurance coverage that comes with a $7.5 million deductible; despite that, this incident has shaken Equifax's confidence that it will be covered. As they state in their report:
“As of September 30, 2017, the Company [Equifax] has not recorded a receivable for costs the Company has incurred to date as we have not yet concluded that the costs are reimbursable and probable of recovery under our insurance coverage.”
This means that even with an insurance policy, you may still come out liable for the total costs of the data breach. The safest thing to do is to take a serious and proactive approach towards cyber security to avoid the severe costs altogether. In economics, this is a nuance labeled moral hazard, under the market failure called information asymmetry. When a company takes out an insurance policy for cyber security, it may engage in riskier behavior because the costs of a cyber security incident may not impact it. Because business leaders and managers do not fully understand the severity of cyber threats and what insurance actually covers, moral hazard continues to flourish. Insurance is no guarantee that your business will be covered.
Proactive Cyber Security
Instead of assuming you will not be impacted, or that insurance will have your back when a cyber threat comes your way, it is smartest and most cost effective to be proactive. In the context of cyber security, this doesn’t mean simply getting a firewall and keeping all the bad guys out of your network; you also want some measure of control over insider threats. You can do this using a few methods and some newer technology solutions.
One of the first things to review is your permissions and access controls. By managing who has access to which files, you’re able to prevent unauthorized access even if a user has their credentials hijacked. While this may not have been the case for Equifax’s breach, it can be the cause of yours, especially if a cyber criminal phishes credentials from one of your employees.
Patches & Updates
While it may seem obvious that you should always keep your software up to date, this advice often falls on deaf ears. One of the causes of the data breach for Equifax was a known Apache Struts vulnerability that should have been patched months before the data breach. Keep your software, architecture, and systems up to date.
User Behavioral Analytics
Insider threats are a constant worry among organizations. What if an employee leaks data out of protest or decides to sabotage the organization on their last day on the job? There is a way to detect when this is going to happen. With user behavioral analytics, you’re able to establish a baseline behavior for both your network and each individual user. From that baseline, you’re able to detect, and be alerted to, deviations from the norm. This can be useful for early detection of malicious intent.
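A minimal sketch of the baseline-and-deviation idea described above, as an added example that is not from the original article or any vendor product: it builds a per-user baseline of daily file-access counts from the median and median absolute deviation (MAD), then flags days that sit far above it. The log tuples and the `MIN_DAYS` and `THRESHOLD` values are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (user, day, files_accessed). Not real logs.
HISTORY = (
    [("alice", d, n) for d, n in enumerate([40, 38, 45, 42, 39, 41, 44, 43, 40, 37])]
    + [("bob", d, n) for d, n in enumerate([5, 7, 6, 5, 8, 6, 7, 5, 6, 6])]
    + [("carol", 0, 12), ("carol", 1, 15)]  # new hire: too little history
)
TODAY = [("alice", 47), ("bob", 310), ("carol", 200)]

MIN_DAYS = 5     # assumption: observations required before a baseline is trusted
THRESHOLD = 3.5  # commonly used cut-off for the modified z-score

def build_baselines(history):
    """Return {user: (median, MAD)} for users with at least MIN_DAYS of data."""
    per_user = defaultdict(list)
    for user, _day, count in history:
        per_user[user].append(count)
    baselines = {}
    for user, counts in per_user.items():
        if len(counts) < MIN_DAYS:
            continue  # do not judge a user against a baseline we cannot trust
        med = median(counts)
        mad = median([abs(c - med) for c in counts])
        baselines[user] = (med, mad)
    return baselines

def score(baselines, user, count):
    """Modified z-score of today's count, or None when the user has no baseline."""
    if user not in baselines:
        return None
    med, mad = baselines[user]
    mad = max(mad, 1.0)  # floor: a perfectly regular user would otherwise divide by zero
    return 0.6745 * (count - med) / mad

def triage(baselines, today):
    """Label each user 'normal', 'alert' (far above baseline) or 'no-baseline'."""
    labels = {}
    for user, count in today:
        s = score(baselines, user, count)
        if s is None:
            labels[user] = "no-baseline"  # route to manual review, not silence
        else:
            labels[user] = "alert" if s > THRESHOLD else "normal"
    return labels

if __name__ == "__main__":
    print(triage(build_baselines(HISTORY), TODAY))
```

The median and MAD are used instead of mean and standard deviation so that a single past spike does not inflate the baseline and hide the next one.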
Equifax’s data breach has cost them plenty, but due to their size and too-big-to-fail role in the US economy, that cost has barely put a dent in their operations. However, had this happened to many other organizations, a breach of this magnitude would have been certain doom. If you want to avoid such a fate, your best bet is to be proactive. In cases like this, even insurance won’t save you.