Posted In: Cybersecurity & Data Privacy
Corporate TIPS: UPDATE - Cyberattacks Are The Number One Risk to Businesses
By Craig S. Horbus & Jarman J. Smith on October 1, 2021
October 1, 2021 Update: The original content of this blog was published in Brouse McDowell’s Corporate TIPS blog “Cyberattacks are the Number One Risk to Businesses” on June 23, 2021.
Regardless of the size of the organization, cyberattacks and other cybersecurity incidents, such as data loss issues, are the largest threat to businesses around the world. A joint study by Willis Towers Watson PLC and Clyde & Co. LLP ranks cyberattacks as the top corporate risk, citing pandemic-induced changes to working environments as a main contributing factor to the increased prevalence of cybersecurity incidents.1 The joint study lists data loss as the second largest risk to businesses, which places cyberattacks and data loss issues ahead of other significant corporate risks such as regulatory risks, health and safety prosecutions, and the risks of employment claims.
Cybersecurity Incidents Ranked Top Corporate Risks
Online attacks and data loss have been listed in the top three risks of Willis Towers Watson’s annual survey on director’s liability since 2016; however, 2021 is the first year that fears of cyberattacks claimed the number one spot on the list. This rise to being the largest risk is due, at least in part, to the increase in cybercrime and the severe consequences for companies and their executives that fall victim to such attacks or mishandle consumer data. The COVID-19 pandemic has created the ideal landscape for cybercriminals seeking to exploit the weaknesses of organizations trying to adjust to new procedures and systems, including remote working arrangements. By the end of 2021, cyberattacks alone will cost organizations roughly $6 trillion.2 Additionally, the annual cost of data loss issues, or “data breaches,” rose to its highest average cost in 17 years, from $3.86 million to $4.24 million.3
The survey results of the Willis Towers Watson study demonstrate the need for businesses to secure their technology, networks, and data. Organizations of all sizes, and all industries, should be extremely cautious about the threat of cybercrime and exercise heightened levels of vigilance in today’s current climate which is centered around telecommuting and virtual engagements. Supervisory authorities around the world are closely monitoring compliance efforts concerning how businesses safeguard their computer systems and the private consumer information they hold. Businesses that ignore their legal compliance obligations to protect the consumer information they process and those that fail to implement appropriate privacy policies, procedures, and cybersecurity measures run the risk of being attacked by cybercriminals and incurring substantial financial losses that result from regulatory penalties, hefty privacy breach lawsuits, and costs to remediate cybersecurity incidents.
Ensure Privacy Compliance and Protect Your Organization from Cyberattacks
As companies navigate our new virtual-centric business landscape and become more committed to remote workforces, they must also find ways to address their increasing exposure to cyber risks. To mitigate cyber risks, organizations should consider the following tips for best privacy compliance practices:
- Consult with experienced professionals.
- Obtaining adequate advice from a trusted source is essential when creating and enforcing the cybersecurity policies and procedures that are needed for compliance with privacy regulations. Professionals with knowledge of privacy regulations can provide the guidance your organization needs to establish proper cybersecurity practices and procedures.
- Adopt an incident response plan and internal data security policy.
- Every organization needs an incident response plan in place to prepare for and effectively respond to cyberattacks. Your organization should also develop an internal data security policy that works in conjunction with the incident response plan to educate your employees on proper data handling procedures and to communicate your organization’s cybersecurity policies and practices.
- Have appropriate data processing agreements in place with your third-party vendors, partners and clients.
- A data processing agreement (or “DPA”) is a binding agreement between your organization as a data controller and third-party organizations that may process your data on your behalf. These agreements will help your organization tie up any loose ends concerning your data privacy compliance efforts, and indemnification obligations among the parties.
- Develop a remote work policy and use telecommuting agreements for remote employees.
- Employees are often targeted by cybercriminals, and networks with remote work capabilities have increased exposure to cyberattacks. Adopting a remote work policy and using well-written telecommuting agreements with your employees will protect against these risks and provide for proper cybersecurity safeguards.
All organizations must quickly adapt to changes in the cybersecurity industry. Ensuring compliance with applicable privacy regulations can help your organization defend against cyberattacks and reduce the risks of cybersecurity incidents.
How Brouse Can Help
Brouse McDowell’s Cybersecurity and Data Privacy team can provide proactive solutions for companies to defend against cyberattacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.