The Information Commissioner's Office has slapped a £120,000 fine on Greenwich uni after a security cock-up by its maths and IT department compromised the data of almost 200,000 individuals.
It is reasonable to assume that the total costs incurred exceeded £120k, a fine being only one of the potential consequences of a data breach.
One way to mitigate costs and potentially avoid fines is to engage vendors associated with cyber, i.e. risk analysis tools, PR companies, cyber security firms, etc.
The Corax-Clyde study shows that incident resolution costs are 50% lower when panel vendors are engaged rather than non-panel vendors, which is a huge factor to consider when taking out cyber insurance. Beyond the limit of indemnity, what else matters: reputation? The balance sheet? What more does your insurance policy offer you?
Some key findings from the 2018 Corax-Clyde Cyber Breach Insights Study:
- It takes 3 years to resolve an incident from discovery of the breach. After 3 years, insurers are no longer receiving invoices to settle.
- 38% of the breach events had a zero record count meaning no personal records were impacted.
- Forensics costs were the most expensive types of costs, and these were not driven by record count.
- Leisure/Retail/Hospitality, Financial Services, and Professional Services had very similar numbers of events.
- Data breach events involving unauthorized access or manipulation (29%) were caused by internal and external parties.
- Event costs: mean $444k, median $18k, maximum $21m. Such a wide range of potential costs is typically a driver to purchase insurance.
The incident occurred after an academic and a student from the then devolved department developed a microsite to facilitate a training conference in 2004. The microsite, which was neither closed down nor secured post-event, was first compromised in 2013 and then hit by multiple attackers in 2016, who exploited the vulnerability to access other areas of the web server. The personal data included the contact information of 19,500 people, such as students, staff and alumni, comprising names, addresses and telephone numbers. Around 3,500 records involved sensitive data, such as details of learning difficulties and staff sickness records, which were subsequently posted online.