For many months now, the General Data Protection Regulation (GDPR) has graced media headlines, and with just 12 months until businesses are required to comply, SMEs need to be thinking ahead. Although it may seem like another addition to the list of responsibilities for the business owner, this is an important one to take note of.
In our recent research, we found that only nine per cent of SMEs are concerned about regulatory fines and penalties as a result of cybercrime. However, with the prospect of hefty fines and mandatory breach notifications looming, we can expect to see this shoot up the agenda when the regulations hit next year.
The challenges of a short notification window
When GDPR comes into force in 2018, businesses will not only face a rise in fines if they experience a breach, but they will also be required to notify customers that a cyber incident has taken place. In addition, they will only have 72 hours to analyse the potential damage before making this public declaration.
This short window to notify is the real crux of the issue. More than half (56 per cent) of the SMEs that we recently surveyed told us that they did not have an incident response plan in place should they experience a cyber-attack. The problem here is that, without a plan already in place, three days is an incredibly short amount of time in which to engage the necessary parties following an incident.
In most cases, not only will forensic investigators need to be working around the clock to determine the extent of the issue, but lawyers and public relations firms will be necessary to figure out how to most effectively communicate this to customers. In short, what is already a headache will become even more pressurised, and small businesses that are already short on resources will be in serious trouble.
This may bring about some unintended consequences. As SMEs scramble to work out the potential damage and how to tell customers, they may opt, disconcertingly, to do what they can to cover up the problem and not notify at all. Take, for example, ransomware and targeted extortion attacks, which accounted for nearly a fifth of our cyber claims last year.
Faced with the prospect of either frantically panicking in order to comply with GDPR, or simply paying an extortion demand and hoping that the problem ends there, some businesses may elect to do the latter. In the long run, criminals might leverage these situations with inflated ransom demands and more targeted attacks.
The 72-hour constraint could also result in ‘over-notification’, particularly for SMEs, which often depend on their reputation to drive custom. Although TalkTalk is by no means a small business, its 2016 hack is an example of this: it rushed to notify four million individuals when in fact only about 150,000 people were affected, resulting in more disgruntled customers than was really necessary.
Customers are the lifeblood of any SME, so SMEs need to think carefully about how they handle breaches within a constrained time frame so that they don’t cause further damage to those relationships.
Prioritising a cyber strategy
Not having a cyber incident response plan in place that clearly outlines roles and responsibilities in the event of a cyber-attack is simply not an option in a post-GDPR world. SMEs cannot afford to find themselves in a position where they must choose between a hefty fine, reputational damage or failure to notify within the prescribed time frame on the one hand, and illegally not disclosing the incident at all on the other.
This is where cyber insurance can really help. A good cyber insurance provider will have instant access to specialist providers who can help manage the incident, including forensic investigators where necessary, specialist PR firms, IT specialists and legal experts.
Importantly, cyber insurance not only pays for the necessary costs, but helps businesses handle and resolve incidents quickly and effectively to minimise their impact.
SMEs currently rank cybercrime as the second biggest concern for their business (19 per cent). However, only a fifth of SMEs actually buy cyber insurance. With the cost of fines set to increase, and the obligation to notify within a reduced time frame soon to become a reality, SMEs need to think carefully about their cyber defence strategy or risk being vulnerable should a cyber incident occur.
Graeme Newman is chief innovation officer of CFC Underwriting.