The Facebook/Cambridge Analytica scandal has brought renewed attention to concerns of data privacy and cybersecurity
It's long been said that almost every company today is susceptible to a data breach, but it’s a warning that has continued to go unheeded by many companies – until now, that is.
Last year was marked by cyberattack after cyberattack, as breaches at companies like AMP, Equifax and Uber grabbed headlines and unsettled business leaders. Then, just a few months into 2018, social media giant Facebook became embroiled in a complex data scandal, in which it was revealed that data firm Cambridge Analytica had harvested millions of Facebook users’ personal information for use in political campaigns.
The Facebook scandal has thrust the wider subject of data privacy into the mainstream once again. As a result, organisations and their leaders appear to be growing more aware of the value of the data they hold and the importance of keeping it safe. But how far do we still have to go?
Thanks to an increasing volume of media coverage, the impending arrival of stricter data protection laws in Europe, and IT and security professionals continuing to sound the alarm, business leaders are finally waking up to the realities of cybersecurity in the 21st century, says Mark McCreary, chief privacy officer at law firm Fox Rothschild and co-chair of the firm’s privacy and data security practice.
“It’s more widely in the press and part of the daily conversation,” he says. “That has an impact.”
The European Union’s sweeping new General Data Protection Regulation [GDPR] has been causing a stir beyond Europe, thanks to the introduction of hefty fines that apply to all companies that deal with EU nationals, whether they’re based in the EU or not.
“Whether you love it or hate it, it has really put this topic into the forefront of the conversation,” McCreary says.
Add to that the Facebook/Cambridge Analytica scandal, and the data issue is everywhere. “Think of the number of stories that produced,” McCreary says. “People may not actually be deleting their Facebook accounts, but they are really starting to pay a lot more attention – and they’re realising that data breaches don’t all look the same.”
But does greater awareness come with greater take-up of cyber insurance policies? A recent survey by Fox Rothschild found that an impressive 70% of respondents had cyber liability insurance in place. However, while coverage was common among respondents, the survey found that executives lack a solid grasp of the policies’ limitations, and just 21% had filed a claim.
When it comes to businesses at the smaller end of the scale, figures indicate that both take-up and awareness are far lower. An Insureon poll found that 74% of small businesses don’t have cyber liability insurance, despite the fact that nearly one in six have experienced a data breach.
“Many businesses don’t believe that they have any kind of information available that would be interesting to a hacker, when in fact, whether it’s customer data, credit card information or purchasing behaviour, they probably hold information that would be interesting,” says Je Somers, president of Insureon, which specialises in small business cover.
While some argue that business leaders need to do more to improve their understanding of the cyber risks they face, McCreary believes the onus is on brokers to better understand policies.
“I think there’s no question that company heads don’t have any idea what they need, and I don’t expect them to, frankly,” he says.
“When it comes to cyber at the broker level, it truly is a specialty. It’s something that you have to really understand in terms of how the policies are different and how the claims made are different.”
For companies that have the resources, McCreary says it’s about education and dollars: bringing in dedicated cybersecurity personnel and making sure that enough money is being allocated to the cybersecurity budget.
For smaller companies, Somers says it’s up to brokers to get the message out there.
“I think there’s a lot of education and awareness-building that we need to do as a community to help small business owners understand that this is a risk ... and a part of doing business in our day and age,” he says. “In many cases, it’s not a question of if, but when, a cyberattack will occur. That’s the kind of message we need to be delivering to the small-business community.”