Five Surprising Findings from Legal Insiders in Ireland
Last month, FTI Consulting’s cybersecurity team and its data privacy and communications experts hosted a roundtable dinner for lawyers and senior leaders from across numerous industries in Ireland. The event served as a forum to discuss the most pressing challenges relating to data breaches and cyber attacks with the stakeholders who grapple with these risks every day.
The conversations covered familiar territory—general awareness that cybersecurity risks are rising, worries over being impacted by a large data breach or subjected to a ransomware attack and uncertainty about remaining compliant with an ever-changing patchwork of global privacy laws. Participants also revealed several unexpected trends regarding persistent challenges and how organisations in Ireland are dealing with their data risk. These included:
- Cyber insurance is increasingly elusive. Organisations are struggling to secure policies, justify the cost of their premiums to their board and/or understand the scope of their coverage. With this hardening of the cyber insurance market, more and more organisations recognise the important link between their cyber maturity and their ability to obtain cyber insurance or receive coverage in the event of an attack.
- Despite widespread, board-level awareness, cross-functional collaboration across data breach readiness and strategic communications continues to fall short. The discussion made clear that there is more work to do in bringing legal, privacy, security, business leaders, operational staff, marketing and external advisors together to ensure alignment on preparedness, crisis communications and incident response strategies.
- Stress testing for incident response and crisis communications is not at the level it needs to be for meaningful data breach preparedness. While most organisations do have privacy policies and incident response plans in place, practice for executing these in the event of an actual breach is often insufficient. Participants discussed the importance of borrowing lessons learned from wider emergency responses to guide worst-case scenarios and communication planning for breach events. The important role communications strategies play in preserving reputational integrity and mitigating media scrutiny was also widely discussed.
- Data debt is still accumulating. Organisations and their legal departments have not fully come to grips with the true price of retaining too much data. The prevailing belief continues to be that data should be saved because it holds value—but the cost and risk tradeoffs of this approach are not always considered. A full assessment of the cost-benefit of long-term data retention is required.
- Incident recovery is often treated as an afterthought. Recovery can be a highly intensive and costly effort, and backups are not always enough to enable business continuity in the aftermath of an incident. Organisations that rely on complex automated systems, such as those used in manufacturing or other industrial sectors, don’t always realise that they may be forced into manual operations in the wake of a cyber-attack or significant breach. Similarly, many organisations don’t recognise that incident recovery will likely also require extensive data analysis to understand what information may have been compromised and the related data privacy implications.
Cybersecurity risk, data privacy laws and data breach prevention are fluid issues. As threat actors continue to find new ways to exploit sensitive information and regulators continue to add layers to the data protection landscape, organisations will need to be equally nimble. Leaders must elevate their role in cybersecurity and privacy readiness from that of an ‘aware supporter’ to an ‘engaged participant’ that facilitates and upholds meaningful, ongoing cross-stakeholder action. Moreover, with the support of cybersecurity, privacy and crisis communications experts, practising and preparing for the worst-case scenario will be critical to staying ahead of anticipated and unforeseen threats.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.