by Giulio Coraggio, Ludovica Mosci and Tommaso Fia
Cybersecurity represents a major risk for companies, which will need to change their approach to security in 2019, including in relation to M&A transactions; according to our predictions, corrective actions might include cyber risk insurance coverage.
According to a report published by Accenture, the average cost of cybercrime per organization in 2017 increased to $11.7 million, with countries like the US reaching $21.22 million. The cost was also considerable in Italy, where it reached $6.73 million.
No data are available yet for 2018, but costs are expected to increase in the coming months, since businesses will have to address at least three important cybersecurity challenges in 2019. First, there will be considerably more room for cybercriminals to prepare their attacks, due to the increasing digitalization and automation of the systems and tools used within organizations. Secondly, criminals will not sit back and will look for new targets among companies, including small and medium enterprises (SMEs). Lastly, most companies hardly tackle cyber-related issues at all, because the associated risks are generally underestimated and not given due consideration.
Below are our top 3 predictions for 2019 on cybersecurity.
1. Cybersecurity will require a commitment from the whole organization
Human error is increasingly becoming the main source of cyber-attacks. A number of organizations do not have a culture around cybersecurity, and their employees do not have an adequate level of awareness of the potential risk and of the disruption it might cause to their business. At the same time, cybersecurity is often relegated to a technical issue that is not discussed or reviewed with the HR and legal departments.
This scenario often ends up in a situation where IT departments push for measures that
- employees try to circumvent or fight against, since they do not understand their relevance for the business; and
- might lead to legal issues, as they could for instance result in deep and unjustified monitoring of employees, whereas measures that prevent the performance of risky activities should be preferred to monitoring tools.
This is a fairly frequent situation that we had the opportunity to observe during audits run for our clients in the rush to ensure compliance with the EU General Data Protection Regulation 2016/679 (GDPR). Based on our experience, the privacy and security by design approach, which is one of the backbones of the GDPR, is still far from being a reality in the majority of organizations. Moreover, policies and procedures often set out only general principles, aimed at allowing the business to keep its operational flexibility without any specific obligation, and would represent a weak defense in case of investigations by the competent authorities.
Unfortunately, the situation has not changed since 25 May 2018, as that date appeared to be just a milestone to get past. Privacy (including cybersecurity, as far as risks to personal data are concerned) risks no longer being a priority for businesses, to the point that some companies have set a very low budget for their 2019 privacy compliance program under the assumption that everything was done in 2018 and the task is completed.
This is a misconception, since privacy and cybersecurity compliance is a continuous work in progress. Indeed, according to data reported by the Italian data protection authority in September 2018, it received over 300 notifications of data breaches in just the first 4 months of application of the GDPR. Based on our experience, this means that at least 1,000 data breaches actually occurred, if we count those that were not even detected and those that were not notified, either because businesses believed that no notification was required under the GDPR or because, having concluded that a notification was required, they were more concerned about the potential GDPR sanction following the notification than about the risk deriving from the failure to notify.
An incentive for a change in the approach to privacy and cybersecurity compliance will be the further increase in the number of cyber-attacks expected in 2019, together with the beginning of privacy audits by the European data protection authorities, following the “grace” period granted by some of them after 25 May 2018.
Hopefully, organizations will not wait for the first data breach before changing their approach to cybersecurity, and will put in place considerable technical and organizational investments to
- prevent potential misconduct and attacks; and
- be ready to react to a potential attack.
No business can be 100% safe, since hackers have historically always been ahead of their victims. Therefore, businesses need to be able to minimize the negative effects.
In order to assist our clients with their cybersecurity strategy, DLA Piper created a cybersecurity team which includes not only privacy and data lawyers, but also litigation, employment, insurance and corporate professionals, who developed a unique methodology to limit the risk of cyber-attacks and to promptly take action should one occur, including through a hotline staffed by lawyers identified in each office, so that our clients can be assisted in a timely manner during an emergency.
2. Cyber risk will become a major issue in M&A transactions
Up until recently, cybersecurity was not even listed in the checklist of a potential due diligence, or was relegated to a single item in the data protection section of the checklist, which was also often ignored since it was not deemed a source of major issues.
However, now that some businesses have lost billions of dollars of market value, or have even disappeared, due to cyber-attacks that were made public and led to major sanctions, considerable claims and unquantifiable reputational damage, the scenario is slowly changing.
We have already noticed a dramatic change in the approach to cybersecurity in M&A transactions in the United States, but, also thanks to the GDPR, the issue is gaining relevance in Europe as well, with lawyers often needing to discuss technical issues with the IT and legal departments of the target company, which in some cases might not be ready to tackle them.
And unfortunately, cyber incidents are often not even known to the company’s management. There is indeed a famous quote from John Chambers, the former executive chairman and CEO of Cisco Systems, who declared in 2015 at the World Economic Forum that
“There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”
This is definitely true, and that is why our cybersecurity prediction for 2019 is that a deep cybersecurity due diligence will become a major to-do item in corporate transactions.
3. More cyber risk insurance on the horizon
DLA Piper and Aon published in May 2018, ahead of the GDPR, a guide named “The price of data security”. The guide reviewed the insurability of GDPR fines across Europe, which can reach up to €20 million or, if higher, up to 4% of a group’s annual global turnover. It also looked at the insurability of costs associated with GDPR non-compliance (e.g. litigation, investigation and compensation), as well as the insurability of non-GDPR regulatory fines. The main findings of the report are that
- GDPR fines were found to be insurable in only two of the countries reviewed, Finland and Norway;
- in 20 out of 30 reviewed jurisdictions, GDPR fines would generally not be regarded as insurable, including the UK, France, Italy and Spain;
- in 8 of the jurisdictions, it is unclear whether GDPR fines would be insurable. In these jurisdictions, the specific details of individual cases, for example the conduct of the insured and whether the fine is classed as criminal, will need to be considered.
Whilst the insurability of GDPR fines may be limited, insurance forms a key component of an organisation’s risk management strategy for managing the costs associated with GDPR non-compliance and the resulting business disruption losses. Such costs could include legal fees and litigation, regulatory investigation, remediation and other costs associated with compensation and notification to affected data subjects.
Indeed, GDPR costs are often covered by cyber risk insurance policies, which are not aimed only at covering potential GDPR-related damages: a cyber-attack might also cause, for instance, considerable operational and reputational damage, with companies unable to serve their clients for a period that can hardly be quantified in advance, and with their market value considerably affected by such incidents.
In our view, the cyber risk insurance market has not grown sufficiently in recent years because of a lack of awareness of the relevance of cyber risk, and because in some cases companies believe that such coverage is already granted by their general insurance policy, which is not often the case. Additionally, cyber risk insurance policies provide a number of value-added services, including the support of legal counsel and of IT and forensics experts. For example, DLA Piper provides a hotline as part of the services included in the cyber risk insurance policies offered by some of our insurance clients.
Our cybersecurity predictions for 2019 are that it will definitely be a challenging year, but companies have the tools to minimize the potential risks, provided that cyber risk is recognized as a priority for the business.