Organisations that store personal and sensitive data possess millions of data artifacts—each representing unique risk and value—within their enterprise systems. With cybersecurity incidents on the rise, the stakes around data protection have become higher than ever before, yet many organisations still do not realise the extent of disruption that can result when systems are breached.
Meanwhile, according to the latest figures from FTI Consulting’s Resilience Barometer®, 36% of businesses in the UAE have experienced a loss of customer/patient data in the last year, alongside 32% in Saudi Arabia.
The effects of such an event are far-reaching for businesses, industries, and consumers. Organisations that suffer a data breach are likely to see drops in share prices, deal with costs for remediation and investigation, face regulatory fines or class action lawsuits, incur substantial legal fees, and experience long-term reputational damage or permanent loss of customers. IBM estimates the average cost of a data breach at US$4.24 million, or US$150 per breached record, the highest average total cost in the history of this report.
In Saudi Arabia and the UAE, breaches cost companies even more, with US$188 per lost or stolen record on average, which represents an increase of 8.5% from 2019, while the cost of a data breaches in these two countries has risen by 9.4% over the past year (IBM). These figures may not include additional costs in the fallout of an incident, such as offering customers impacted free identity protection and monitoring services, or paying ransoms in the case of a ransomware attack.
Beyond the financial impact, a data breach or cybersecurity incident also opens the door to significant legal and regulatory scrutiny, investigation, and penalty. Even if a breach occurs in a jurisdiction that lacks a sweeping federal data protection law (such as the U.S., the UAE, or Saudi Arabia), there are typically sector-specific data regulations and protections that organisations must follow. Further, laws including GDPR, the California Consumer Privacy Act, and Virginia’s Consumer Data Protection Act provide individual data subjects with the right to pursue legal recourse against any organisation responsible for a breach of their personal data or for lack of adequate cybersecurity controls.
These impacts should be considered in the context of an evolving cybersecurity threat landscape. In FTI Consulting’s Resilience Barometer®, 85% of respondents in the UAE and Saudi Arabia were impacted by a cyber attack in the last year. Despite growing awareness, 63% do not fully understand their third-party cybersecurity risks and 60% are either not addressing cybersecurity, lacking awareness of how their organization is handling it or are responding to the risks reactively.
These figures and recent high-profile data breaches are relevant to organisations in the Middle East. They serve as a reminder for the damage that can be wrought and set the stage for how breach events may be handled by local authorities. Members of the Gulf Cooperation Council (GCC) have robust laws covering data protection broadly and for specific industries, which are in some cases are more extensive than U.S. laws. For example, organisations in the telecom industry—which recent events have demonstrated as a prime target for cyber attacks, and should be considered of particular interest to cyber attackers due to the sheer size of mobile and telecom operators in the Middle East—are governed by the UAE Telecoms Law, Saudi Arabia’s Anti-Cyber Crime Law and Telecoms Law, Bahrain’s Personal Data Protection Law (PDPL) and Qatar’s Personal Data Privacy Protection Law, among others.
Understanding the damage resulting from a data breach or cybersecurity incident, and the significance of recent developments to organizations operating in the Middle East, will allow teams in the region to effectively prepare and respond. Building a robust cybersecurity posture will help prevent breaches and better position organizations to respond. This includes implementing a comprehensive and rehearsed incident response plan ahead of time and developing the readiness to activate it as soon as a breach is discovered. Incident response plans should include enterprise-wide involvement from legal counsel, IT security, HR and communications teams. Additionally, a trusted third-party advisor capable of providing guidance and expert support for cybersecurity response, digital forensic investigation, crisis communications and remediation should be incorporated.
The following critical workstreams should be included in a breach response:
A data breach or cybersecurity incident can happen to any organization at any time. For most, it is a matter of when, not if. This is why a detailed and practiced incident response plan, designed to evolve as the cybersecurity risks and organization evolves, is just as critical as strong defences. Business leaders must prioritise the implementation and ongoing refinement of a strong data privacy and protection program that helps proactively reduce risks as well as prepares their organization for worst-case scenarios.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Senior Director, FTI Technology
Managing Director, FTI Cybersecurity
Managing Director, FTI Strategic Communications