The news that the Dixons Carphone Warehouse group suffered a data breach involving almost 6 million accounts highlights the huge risks in the growing cyber insurance sector.
Although Dixons Carphone (DC) say that no fraud has taken place, the Guardian reports today that some 105,000 cards from outside the EU were compromised, and again DC has stated that no fraud has taken place.
Nevertheless, DC shares dropped about 5% and the company may find itself liable for a hefty fine, even though the problems occurred prior to the 25th May 2018 GDPR deadline. The fact is that every big company stands to lose a substantial amount of time and money after a significant data hacking incident, with a possible percentage fine levied by the EU, on top of all the internal admin costs, plus potential customer compensation. All that could run into millions for global corporations.
For those reasons, the insurers active in the cyber cover market need to check that each client has rigorous systems for detecting fraud, hacking, password vulnerability, internal problems such as fake invoicing and staff embezzlement, and staff stealing, downloading or selling data before they leave the company.
What does the industry think about the Dixons Carphone data breach? David Legassick, Head of Cyber at CNA Hardy commented:
“This is a clear example of plan beats no plan. Cyber threat is a boardroom risk. In our view, if the boardroom takes it seriously, then it becomes embedded within the culture. If the leadership are all on the same page, then Legal, HR, IT, Management and all business units are also on the same page with them and the organisation is much better enabled to withstand an attack.
Events like this underscore how important it is we never stop learning – making sure the company can capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defence stronger.”
BEAZLEY INTERNATIONAL RESPONSE
Raf Sanchez, Beazley International Data Breach Manager, also commented:
“This breach is the first significant incident under the new GDPR regime and it will be interesting to see how the UK’s privacy regulator, the Information Commissioner (ICO), reacts. The ICO has previously fined organisations that have demonstrated serious failings with respect to breaches in the past, with Yahoo being fined £250,000 over a breach involving 500,000 UK customers and TalkTalk having been hit with a £400,000 fine after 150,000 customers’ details were accessed.
Less than a third of businesses have a formal policy on how they will address cyber security risks and many are unprepared for the complexities of the new mandatory breach reporting regime under GDPR. This breach and the speed with which management have moved to contain it and to communicate their efforts not just to regulators but also to the public shows just how important it is to be prepared. It is almost impossible to prevent breaches but if organisations want to survive these events they have to have a strategy to react and manage these incidents.”