Organisations that store personal and sensitive data possess millions of data artifacts—each representing unique risk and value—within their enterprise systems. With cybersecurity incidents on the rise, the stakes around data protection have become higher than ever before, yet many organisations still do not realise the extent of disruption that can result when systems are breached.
Meanwhile, according to the latest figures from FTI Consulting’s Resilience Barometer®, 36% of businesses in the UAE have experienced a loss of customer/patient data in the last year, alongside 32% in Saudi Arabia.
The effects of such an event are far-reaching for businesses, industries, and consumers. Organisations that suffer a data breach are likely to see drops in share prices, deal with costs for remediation and investigation, face regulatory fines or class action lawsuits, incur substantial legal fees, and experience long-term reputational damage or permanent loss of customers. IBM estimates the average cost of a data breach at US$4.24 million, or US$150 per breached record, the highest average total cost in the history of this report.
In Saudi Arabia and the UAE, breaches cost companies even more, with US$188 per lost or stolen record on average, which represents an increase of 8.5% from 2019, while the cost of a data breach in these two countries has risen by 9.4% over the past year (IBM). These figures may not include additional costs in the fallout of an incident, such as offering impacted customers free identity protection and monitoring services, or paying ransoms in the case of a ransomware attack.
Beyond the financial impact, a data breach or cybersecurity incident also opens the door to significant legal and regulatory scrutiny, investigation, and penalty. Even if a breach occurs in a jurisdiction that lacks a sweeping federal data protection law (such as the U.S., the UAE, or Saudi Arabia), there are typically sector-specific data regulations and protections that organisations must follow. Further, laws including GDPR, the California Consumer Privacy Act, and Virginia’s Consumer Data Protection Act provide individual data subjects with the right to pursue legal recourse against any organisation responsible for a breach of their personal data or for lack of adequate cybersecurity controls.
These impacts should be considered in the context of an evolving cybersecurity threat landscape. In FTI Consulting’s Resilience Barometer®, 85% of respondents in the UAE and Saudi Arabia were impacted by a cyber attack in the last year. Despite growing awareness, 63% do not fully understand their third-party cybersecurity risks, and 60% are either not addressing cybersecurity, lack awareness of how their organisation is handling it, or are responding to the risks reactively.
These figures and recent high-profile data breaches are relevant to organisations in the Middle East. They serve as a reminder of the damage that can be wrought and set the stage for how breach events may be handled by local authorities. Members of the Gulf Cooperation Council (GCC) have robust laws covering data protection broadly and for specific industries, which in some cases are more extensive than U.S. laws. For example, organisations in the telecom industry—which recent events have demonstrated to be a prime target for cyber attacks, and which should be considered of particular interest to attackers due to the sheer size of mobile and telecom operators in the Middle East—are governed by the UAE Telecoms Law, Saudi Arabia’s Anti-Cyber Crime Law and Telecoms Law, Bahrain’s Personal Data Protection Law (PDPL) and Qatar’s Personal Data Privacy Protection Law, among others.
Minimizing the Damage
Understanding the damage resulting from a data breach or cybersecurity incident, and the significance of recent developments to organizations operating in the Middle East, will allow teams in the region to effectively prepare and respond. Building a robust cybersecurity posture will help prevent breaches and better position organizations to respond. This includes implementing a comprehensive and rehearsed incident response plan ahead of time and developing the readiness to activate it as soon as a breach is discovered. Incident response plans should include enterprise-wide involvement from legal counsel, IT security, HR and communications teams. Additionally, a trusted third-party advisor capable of providing guidance and expert support for cybersecurity response, digital forensic investigation, crisis communications and remediation should be incorporated.
The following critical workstreams should be included in a breach response:
- Appoint external legal counsel, depending on the jurisdiction, so investigations are protected, to the extent possible, by the concept of legal privilege.
- Establish whether a breach or cybersecurity incident happened. This may seem like common sense, but in the event of a possible breach, the high-stress situation can cause employees to jump to conclusions. The first step is confirming whether a breach or cybersecurity incident actually occurred.
- Determine whether cyber attackers still have access to systems, and if so, remove them and secure gaps as soon as possible.
- Identify what data has been compromised and the extent of exposure for data subjects. This will inform whether reporting is necessary and if so, the requirements under which notifications must be issued.
- Consider building an “out of band” communications solution for the organization’s incident response team to ensure communication between key stakeholders in the event that the incident has disrupted internal communications channels.
- Prioritise looking after data subjects (i.e., any individual whose personal data is collected and stored by an organisation)—communicate with them, tell them what is going on, and give them tools to help reduce any personal risk resulting from the breach.
- Notify the relevant regulators and data subjects according to law, and issue appropriate public statements that support transparency and help inform an accurate narrative. It is imperative that the company subject to the breach makes the announcement and controls the story and narrative – if the world finds out from third parties, it appears as though the company is trying to hide something.
- Collaborate across all pertinent stakeholders to mitigate the effects of the breach.
- Create operational workarounds, where possible, so that the organisation can continue to serve customers and clients to the best of its ability.
- Do everything within reasonable power to secure systems, contain the threat and stop the dissemination of breached data to other parties.
- Prepare to assess the incident post-breach, including the impact on your reputation.
- Document lessons learned and analyse what went wrong to implement fixes that will strengthen defences against future exposure. Engage with senior stakeholders and create a plan and narrative for recovery.
A data breach or cybersecurity incident can happen to any organization at any time. For most, it is a matter of when, not if. This is why a detailed and practiced incident response plan, designed to evolve as the cybersecurity risks and organization evolves, is just as critical as strong defences. Business leaders must prioritise the implementation and ongoing refinement of a strong data privacy and protection program that helps proactively reduce risks as well as prepares their organization for worst-case scenarios.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.