Review of Findings & Front-line Insights

Panel Participants:
Richard Goldberg (Moderator) – Constangy, Brooks, Smith & Prophete, LLP
Michael Bruemmer – Experian
Sean Renshw – RSM US, LLP
Mark Greisiger – NetDiligence

About NetDiligence Cyber Claims Study

It is NetDiligence’s 13th year of doing this Cyber Claims Study. A total of 9,028 claims were analyzed during the past five years, 2018-2022. An observation from the over 9,000 cyber claims analyzed (5000 of which are brand new claims this past year in 2023) is that while many of the categories over the last five years have remained the same, the data has changed, sometimes dramatically.

About Experian

We provide call center coverage, notification coverage, as well as identity theft protection and all the consumer resolutions that go along with it for about 5000 data breaches every year, and I was delighted to be on the panel.

Key Insights

Experian has proudly sponsored the annual NetDiligence Cyber Claims Study for three years. During this time, I’ve witnessed companies adapt and transform their operations to confront the growing tide of cyber threats. The evolution of their infrastructure to anticipate and respond to these challenges has been remarkable and necessary. However, despite my front-row seat in this fast-changing landscape, the results of each study never fail to surprise and intrigue me. The insights from the latest study, conducted in 2023, continue to shape our understanding of the evolving cyber landscape.

Ransomware’s Dominance

Mark kicked off the discussion by shedding light on the escalating costs associated with cyber incidents. In 2022, the average incident cost for SME organizations remained stable at $169,000 (similar to the combined five-year window from 2018 to 2022 at about $175,000). However, there was a substantial increase for large companies, reaching $20.3 million in 2022 (and if you look at the five-year average, it was about $13 million).
This surge raised eyebrows and set the stage for a deep dive into ransomware, a leading cause of concern.

Examining Ransomware Trends

The conversation swiftly shifted to ransomware, a pervasive threat in the cyber insurance landscape. As I stated, at Experian we see a correlation between the rise in ransomware and third-party breaches. Most of the industry experts on the panel participate in a Ransomware Advisory Group together. Mark brought up a good insight from our advisory group on the brazen tactics employed by threat actors lately, showcasing their intimate knowledge of the cyber insurance world.

Business Sectors Under Siege

Richard and Sean added to the discussion the top ten business sectors affected by ransomware, with professional services leading the pack. The impact on technology, with a payout of $830,000, stood out as well.

Beyond Ransomware

The conversation broadened to encompass other types of losses, such as social engineering and business email compromise. The focus on business interruption emerged as a key concern for cyber insurance claims, with the industry grappling with criminal acts versus non-criminal acts.

Looking Ahead

As the discussion unfolded, industry experts, including myself, expressed eagerness to anticipate the future cyber landscape. Predictions range from the industry mutating to the emergence of new players in the nation-state game. The role of artificial intelligence and innovative solutions from new vendors becomes a focal point of interest.

In conclusion, the NetDiligence Cyber Claims Study 2023 Report paints a vivid picture of the challenges and transformations within the cyber insurance domain. The increasing sophistication of threat actors, coupled with evolving business strategies, sets the stage for continuous adaptation and innovation in the fight against cyber threats.
As we look ahead, the resilience of businesses and the collaboration between industry stakeholders will play a pivotal role in shaping the cybersecurity landscape. I invite you to access the report and view the discussion replay for a deeper understanding of the challenges and transformations within the cyber insurance claims domain.

Get NetDiligence Cyber Claims Study resources on-demand now!
Download the report
Watch the webinar

NetDiligence’s latest Cyber Claims Study and Webinar, sponsored by Experian Data Breach, is available on-demand. This report serves as a resounding call to action, prompting businesses to ready themselves against cyber threats. Dive in to get insights and stay one step ahead of cyber adversaries.
Insights from the Cyber Risk Summit Beverly Hills – October 2023

Authored by Ryan Coyne

I recently participated in a panel with industry experts, delving into third-party cyber risks. The panel shed light on best practices, challenges, and strategies to mitigate the impact of third-party incidents.

Panel Participants:
Stu Panensky (Moderator) – FisherBroyles, LLP
Ryan Coyne – Experian
Tom Egglestone – Resilience
Mark Grazman – Fenix24
Matthew Saidel – FTI Consulting

Agenda:
Incident Best Practices: Collaboration & Coordination on IR Action Items
Upstream Risk of Third Parties: Vendors, Suppliers & Business Partners
Downstream Risk in the Policyholder Supply Chain

The Cyber Risk Summit held in Beverly Hills provided valuable insights into the risks of engaging unsecured third parties.

Key Takeaways

Understanding the Significance

Tom emphasized the longstanding nature of cyber risk exposure tied to third-party relationships. The increasing reliance on external vendors in a tech-enabled world has heightened this risk, especially with the surge in outsourcing and software adoption. Tom highlighted that, even in 2019, Gartner research indicated that 60% of surveyed companies worked with over 1000 third parties in their supply chain, setting the stage for the escalated risk environment post-pandemic.

Crisis Communications in Third-Party Incidents

Matt shared insights into the challenges faced when third-party incidents unfold. The necessity of involving crisis communications consultants early in the process, especially for upstream and downstream, was stressed. Preserving the right to operate and maintaining client trust amid incidents were key points Matt made.

Hands-On Restoration Perspective

Mark, providing a hands-on restoration perspective, discussed the rarity of involvement at the inception of an event.
His emphasis on locking down infrastructure, understanding the threat actor’s persistency, and encouraging robust backup strategies showcased the intricacies involved in restoration efforts.

“Restoration efforts often kick in when patient zero is unidentified. Locking down the infrastructure and focusing on repairing affected elements are essential” – Mark Grazman, Fenix24

Notification Strategies and Legal Implications

Representing Experian, I shared my perspective on notification complexities that the average consumer may not be aware of, such as notifying everyone upfront versus opt-in processes; the legal implications of notifying on behalf of others and coordinating with multiple parties; the nuanced approach to call center communication; and the crucial factor of making details clear in notification letters to minimize confusion for recipients.

I want to emphasize a point I made earlier in the panel on the downstream impact of notification strategies and the need to customize communication for recipients.

“For these incidents, it’s most important to minimize complexity on the notification side and minimize confusion for the recipient of your notification letter.” – Ryan Coyne, Experian

Insights from an Insurance Claims Handler

Tom, as an insurance claims handler, underscored the importance of understanding vendor contracts, particularly clauses related to defense and indemnity. He highlighted the need for transparency in the vendor’s incident response process, especially when the insured isn’t in control, adding a layer of complexity to communication and expectation setting.

Crafting a Seamless Notification Process: Public-Private Partnerships

Stu Panensky, Moderator: Public-private partnerships emerged as a recurring theme during the panel discussions. The need for collaboration between law enforcement, insurance companies, and businesses became evident.
Stu emphasized the role of public-private partnerships in influencing better outcomes and impacting data protection, regulation, and litigation.

The insights from the 2023 Beverly Hills Cyber Risk Summit underline the interconnected nature of cyber risks and the critical importance of proactive measures. Stakeholders are urged to adopt a collaborative approach, navigate legal complexities, and stay vigilant in the face of evolving challenges. I welcome you to watch the full discussion on-demand.

Watch the panel session on-demand now
In the fast-paced world of cybersecurity, the ability to anticipate and adapt to emerging threats is not just a competitive advantage—it’s a business imperative. As we release our 11th annual “Experian 2024 Data Breach Industry Forecast,” we invite you to embark on a journey into the future of data breaches, a journey that promises to empower data breach professionals, cyber experts, and industry leaders alike.

A Glimpse into Tomorrow’s Threat Landscape

Our team of experts has meticulously examined the current cybersecurity landscape to identify the trends that will shape the industry in the coming year. The “Experian 2024 Data Breach Industry Forecast” provides a roadmap for staying ahead of these challenges, arming you with the insights needed to fortify your organization’s defenses.

Six Pivotal Predictions: Decoding the Future

Within the report, we unveil six pivotal predictions that promise to redefine the landscape of data breaches. While we can’t reveal all the details here, we’ll offer a sneak peek to whet your appetite:

Six Degrees of Separation: There’s no question that third-party data breaches this year made headlines. Delve into the intricacies of supply chain security and discover why addressing vulnerabilities in the supply chain is the next frontier in cybersecurity.
Little by Little Becomes A Lot: When trying to achieve a goal, it’s said that taking small steps can lead to big results. See how hackers could apply that same rule.
Not a Third Wheel: It’s widely known who the main players are globally that sponsor attacks, and a new country in South Asia may join the international stage.
No, not Mother Earth! Plutonium, terbium, silicon wafers — these rare earth materials present an intriguing opportunity for hackers looking to disrupt an enemy’s economy.
The Scarface Effect: Like drug cartels, cybergangs are forming sophisticated organizations.
Winning from the Inside: In 2024, we may see enterprising threat actors target more publicly traded companies, leveraging data extraction and their talents in plain sight as everyday investors.

This is just a glimpse into the dynamic and evolving landscape detailed in our full report. Download the complete “Experian 2024 Data Breach Industry Forecast” to explore these predictions in-depth and stay ahead of the curve.

Expert Analysis: Navigating Complexity with Confidence

Backed by extensive research and the expertise of our seasoned analysts, the report provides more than just predictions; it offers a deep dive into the complexities of the modern cybersecurity landscape. Our experts share their insights on how these predictions will impact organizations and individuals, providing actionable intelligence that goes beyond the theoretical. Whether you’re a CISO, a Compliance Officer, or a Cyber Risk Insurer, the “Experian 2024 Data Breach Industry Forecast” equips you to navigate the challenges of tomorrow with confidence.

Empowering You to Lead in Data Breach Response

As you read through the report, you’ll find that our approach goes beyond merely highlighting problems; we provide solutions. Each prediction is accompanied by practical recommendations and best practices, ensuring that you not only understand the evolving landscape but also possess the tools to proactively address the challenges that lie ahead.

Now, more than ever, it’s crucial to be proactive in your approach to cybersecurity. Download the full “Experian 2024 Data Breach Industry Forecast” to unlock the insights and strategies that will set you apart in the realm of data breach response. Your journey into the future starts here.

The Future is Now. Are you ready to take the first step toward a more secure tomorrow? Download the report now and lead the way in data breach response.
2023-2024 Experian Data Breach Response Guide

Learn how you can boost your preparedness against cyberattacks—download the new guide now.

As the proliferation of connected devices and third-party integrations accelerates, organizations are becoming more exposed to risk. Your attack surface is expanding, and it’s a hacker’s dream. But their dream is your nightmare. While there will always be at least one monster hiding under the bed, being prepared and having a plan can help you sleep easier and soften the blow when an attack does happen.

How likely is your organization to be the victim of an attack?

As pointed out in the 9th Annual Experian Data Breach Response Guide, “Cyber attacks happen once every 39 seconds.”[1] There’s no time to rest, and no time to let your guard down. It’s just a matter of time before your data becomes a target, whether it is a direct hit to your organization or through a third-party supply chain attack (one of the latest trends hackers are using to gain access to huge amounts of data in just one sweep). You never know when your day will come, so being prepared now is the only way.

15% fewer incidents occur on average for customers with a plan.[2]

Having fewer incidents helps keep your data safer and your bottom line healthier as the cost of a data breach continues to break records year after year.

Learn How You Can Be Prepared

Our 2023-2024 Data Breach Response Guide has been updated with the latest predictions, trends, and expert advice based on real-world experience. This is the ninth year I’ve rolled out this guide, and it gets better every year, with deeper insights into the state of cyber threats across industries and current best practices, and step-by-step guidance for creating, testing and implementing a plan for your business.
Highlights include:

Third-party breaches are rising — Partner breaches make up 62% of system intrusions.[3]
Healthcare and financial services have the highest volume of breaches, representing over half the share of breaches serviced by Experian in 2022.[4]
How having a response plan can save your business—90% of consumers are more forgiving of companies that had a response plan before a breach.[5]
How Experian Data Breach Solutions can help your organization respond quickly to and minimize the impact of a data breach

Ready to Get Started?

A data breach preparedness plan is never a one-and-done deal. It needs to evolve along with the cyber threats it is meant to conquer. Experian is a partner you can trust. We continue to expand our product offerings, keep our eyes and ears on the lookout for rising threats and trends, and use our years of experience to support our partners when they need us most.

Download the latest edition of the Experian® Data Breach Guide

[1] Zippia, 30 Crucial Cybersecurity Statistics [2023]: Data, Trends and More.
[2] Experian Data June 2023
[3] Resmo, Third-Party Data Breach Statistics.
[4] Experian Data June 2023
[5] Experian Data Breach Consumer Survey.
Reflections, New Predictions, and What to Expect by 2033.

Where We’ve Been: A Cybersecurity Recap

It’s been a decade since Experian released its first forecast. At the time, hacker activity was heating up, and breach "fatigue" was setting in. The report highlighted the budding threat of healthcare incidents, started a conversation about the connection between the cloud, big data, and big international breaches, and was one of the first, if not the first, preparedness and response organizations to sound the alarm on the cyber insurance surge.

Fast forward to 2023: Clever cybercriminals have not slowed, and data breaches are busier and livelier than ever, with cyberattacks costing organizations $2.9 million every minute,[1] with major businesses suffering losses of $25 per minute.[2] Hold on to your keyboard if you’re wondering where the cybercriminals could go next.

The Tenth Annual Experian Data Breach Industry Forecast findings offer a road map into the future. Literally. It outlines how modern technology, cyber resilience, and cyber recovery will play a role in the next generation of attacks. With six predictions instead of five, this year’s report also candidly reflects on what we got right and where we missed the mark over the last nine years while homing in on what 2023 and 2033 could bring.

Nearly 70% of business leaders feel their cybersecurity risks are increasing, and only 5% of companies’ data is properly protected.[3]

Where We Are: Reality. It’s Not Quite What It Seems

With more than 80% of U.S.[4] adults expressing some concern about the metaverse and deepfake-enabled attacks up 53% from 2021,[5] 2023 could see cyberattacks move into unprecedented and uncharted territory. Will keyboards and screens become easy gateways to widespread attacks in seen and unsuspected ways for corporate entities and consumers alike? What about the continued rise of remote work? Will its staying power reveal vulnerabilities?
As technology evolves, so too can scams and increased risk. Are you prepared?

Globally, cybercrime is on track to cost $10.5 trillion annually by 2025.[6]

Where We’re Headed: Today and 10 Years From Now

The Tenth Annual Data Breach Industry Forecast isn’t a crystal ball, but it’s close. With now ten reports issued and over 18 years of experience servicing, researching, and tracking data breaches, I’ve encountered almost everything in the what-if world of preparedness drills and real-world live incident responses.

I’ll end with this fact. Only time will tell what happens next. Until then, if you’re a CISO, cyber risk insurer, CFO, General Counsel, or other professional responsible for or connected to cybersecurity preparedness and response, I recommend you review the Tenth Annual Experian Data Breach Industry Forecast. Your company’s future could depend on it.

Read the 2023 Experian Data Breach Industry Forecast

[1-2] https://businessinsights.bitdefender.com/what-are-the-biggest-cyber-threats-of-the-future
[3] https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
[4-5] https://www.varonis.com/
[6] Cybersecurity Ventures, Cybercrime Magazine
When a data breach occurs, it can have a ripple effect on your business, your employees, and your customers. Depending on the severity of the breach, large volumes of personally identifiable information – such as email addresses, birth dates, passwords, social security numbers, etc. – may fall into the hands of unauthorized people who intend to exploit that information for personal gain. While data breaches are difficult to predict, you can take proactive steps to ensure that your business and your customers are well equipped to respond quickly and drive faster resolution.

Create a plan

The average cost of a data breach in 2023 is $4.45 million, a 15% increase from 2020[1]. This is a considerable loss that can be devastating to a business of any size. The best strategy to mitigate this kind of loss is to be prepared with a data breach response plan. If your business experiences a data breach and you’re unprepared for it, the losses you and your customers incur can be much more serious, and the damage to your company’s bottom line and reputation can last much longer than necessary. By establishing a data breach response plan, you can limit the downside potential of an attack and considerably shorten the recovery time. This can help your business and your customers return to good standing as soon as possible.

Arm your team with knowledge

The IT department is no longer the only line of defense against cyberattacks or data breaches. Many hackers will try to illegally obtain sensitive information from front line or associate level employees using a variety of methods like phishing, ransomware, or social engineering. This puts the responsibility of protecting company data on every employee, not just on the cybersecurity team. This is why it’s important to educate all of your employees on how to recognize potential threats of a data breach. With this knowledge, they can work collectively to keep consumers’ data safe and secure.
Address your customers’ concerns effectively

If a data breach happens to your business, it’s crucial to notify your customers as soon as possible. Not only should you alert them of the breach, but you should also have a protocol in place to provide up-to-date information, helpful resources, and reassurance. Whether through email, in-app notifications, or call center agents, your customer response process should include clear, frequent, and timely communication throughout the duration of the breach. Keeping your customers informed and at ease during a breach will encourage them to remain calm and feel confident to continue doing business with you.

Data breaches and cyberattacks are unpredictable and can have unforeseen, long-lasting negative effects on small, medium, and large businesses alike. But if you have a solid plan, keep your employees knowledgeable about potential threats, and provide useful, timely information to your customers, you can minimize the damage of any breach on your organization.

Visit our website for more information about our offerings and how Experian can help you prepare and respond to data breaches.

[1] IBM. Cost of a Data Breach Report 2023.
The Threat

“With criminals, there’s no such thing as a border anymore. They don’t care where you are, who you are; if there’s money to take from you, they will take it.”

That’s what U.S. Secret Service Agent Eric Adams had to say when asked about cybersecurity threats during the “Global Cyber Threatscape & the Role of Law Enforcement” panel I moderated at the latest NetDiligence CyberRisk Summit event. It’s clear to law enforcement that cybercriminals are hyper-connecting, deep information sharing, and crossing virtual borders—becoming more brazen (and clever) by the breach—leaving businesses, insurers, organizations, regulators, and consumers in the cross hairs of compromise, compliance, and recoupment.

“We work with law enforcement; we work with insurance companies. We’re collecting data and trying to solve those problems because we understood that if you don’t cooperate before the incident, you don’t work together [at all].” – Michael Bruemmer, Experian

During the “Beyond the Arrest: Law Enforcement Roundtable,” Adams and three other cross-border experts, Brian Abellera, Jason Conboy, and Matt Robinson, gave in-depth accounts of “cross-border incident response and the role of U.S. cyber law enforcement and overseas intelligence.”

“We’re seeing smaller and medium-sized businesses [being targeted by ransomware]. We are really struggling to keep up with the information flow.” – Matt Robinson, RCMP

I frequently talk about how quickly the threats are evolving and how Every Minute Counts in data breach response. The panel echoed this sentiment tenfold, covering five key topics, including “Unique Characteristics of U.S.-Canada Cyber” and “Public-Private International Cooperation.”

The Evidence Board

“We have to be nimble like the cybercriminals; putting in cyber liaisons internationally.” – Jason Conboy, U.S.
Department of Homeland Security Investigations

From SIM swapping and ransomware revictimization to romance schemes, the experts discussed how cross-border threats are infiltrating every square inch of the data security landscape. They also focused on the critical role of education, tabletop exercises, and timely incident reporting while zeroing in on how public-private partnerships can influence better outcomes and impact data protection, regulation, and litigation.

Watch the full NetDiligence Cyber Risk Summit session on-demand
As we navigate a new way of living, working, and handling the unpredictability of COVID-19 and other potential health concerns worldwide, now is not the time to ease up on data breach preparedness. I’ve said it many times before, and I’ll repeat it: every minute counts in today’s fast-breaking data breach response environment.

As pointed out in the foreword of the 8th Annual Experian® 2022 Data Breach Response Guide, “Almost everything is done and undone with a screen touch, keystroke, password, or pin.” It is a convenient reality for consumers looking to make quick, returnable digital purchases, as it is for hackers who can cause irreversible financial and reputational harm to companies and organizations. In this world, it’s not an option to put data breach preparedness on the back burner. Every employee in your organization, from the C-suite to the call center, must stay ready.

In 2021, the average cost of a data breach was $4.24 million.[1]

Industry Perspectives, Current Data, Consumer Response

New and improved for 2022-2023, our latest Data Breach Response Guide is an in-depth preparedness page-turner, complete with predictions, trends, experience-based advice from Experian experts, and real-world incident insight informed by servicing breaches over 15 years.

The Highlights

I’ve managed the roll-out of this guide for years, and I have to say, this guide is the most comprehensive and data-dense one yet. It has everything you need to learn how to prepare, plan, practice, audit, and manage your crisis response. You’ll get details on:

The Rise of Ransomware—one happened every 11 seconds in 2021[2]
What do businesses think about response plan drills?—84% agree their plans could be more effective with drills[3]
Why hackers’ top industry target is still healthcare
How Experian® Crisis Solutions helps companies recover strong, and much more

Cyberattack Preparation is Paramount

Cybersecurity and data breach preparedness is changing by the minute.
Experian is expanding its product offerings, staying on top of rising threats, and relying on our deep experience to support partners when they need us most. Ready to learn more about how to stay ready for a data breach? Download the Experian® Data Breach Guide now. For additional preparedness insights, sign up for our free resource hub.

[1] IBM & Ponemon 2021 Cost of a Data Breach Report
[2] Cybersecurity Ventures, Cybercrime to Cost the World $10.5 Trillion Annually by 2025
[3] Experian and Ponemon. 2022. Ninth Annual Study: Is Your Company Ready for a Big Data Breach
Crises come in many forms, without warning, and can be devastating for any size business. A company’s ability to manage crises, specifically with a crisis response notification plan, directly impacts consumers’ trust and perception of their brand. In today’s digital world, consumers are more informed than ever before and consumer trust is what keeps businesses afloat. If that trust is broken or their needs are not met, consumers will take their business elsewhere.

Companies cannot afford to lose customers. Research from Frederick Reichheld of Bain & Company, the inventor of the Net Promoter Score, shows that increasing customer retention rates by 5 percent increases profits by 25 percent.[1] When a crisis occurs, 90 percent of consumers are more forgiving of companies that have a response plan in place.[2] Despite that information, 51 percent of companies admit to not having a crisis response notification plan.[3]

While crisis communication can be fairly reactive, it helps to have a crisis communication plan in place to make the process easier. Experian Crisis Response Management features a notification system, call center deployment, and crisis specialists to help companies build trust and confidence knowing that their consumers will be taken care of, which breeds customer loyalty. Our team of experts can help you develop a crisis response notification plan to reach out to your customers during any type of crisis.

Here are five key steps to developing an effective crisis response notification plan

Step 1: Define Your Objective

Before you begin, you must first set a clear goal for your plan. This objective should include what the plan should accomplish, when the plan should be executed, and who needs access to the information being shared.
For example, “This plan creates a communication structure with external stakeholders in the event of a crisis that affects the reputation of the company.”

Step 2: Create a Contact List

To ensure the crisis is well-managed, it’s important that all stakeholders are kept informed. Create a contact list of all employees, customers, users, partners, investors, media outlets, the government, and social media followers. Determine the best method of contact for each of these stakeholders (e.g., print mail, email, phone call, etc.) and include that in the contact list document.

Step 3: Determine an Information Sharing Structure

Depending on where a crisis originates and the threat level of the crisis, protocols may differ by scenario. To avoid confusion, form a hierarchy outlining how information should be shared within the company. Your hierarchy may begin with notifying the CEO, followed by the head of public relations or CTO. The plan needs to define what information should immediately be disclosed to each individual or team in the hierarchy, such as the source of the crisis and the protocols in place to handle the situation.

Step 4: Prepare for Possible Questions and Concerns

Customers will want answers and if you are not the one supplying them, they will search elsewhere to uncover the truth. Create a running fact sheet that documents the known information of the situation. This helps to prevent rumors or misinterpretations from spreading to media outlets, keeps all responses in alignment, and makes it easier to field customer questions.

Step 5: Assess Your Risks

Identify the risks you might face under each plan so that, if it does backfire, you’re prepared for any additional losses. By being prepared for this, you’ll be ready for anything that goes wrong with steps to recover faster.

Fulfilling your notifications

Once you have determined who will receive your crisis response notifications, it is time to fulfill your obligations.
Ensure every access point is covered by creating a notification system with Experian for direct emails, call center processes, and a landing page users can go to for fast information.

1. Notification Options

Notification requirements vary depending on the crisis at hand and your customers’ preferred method of contact. Some common examples include:

Paper mailings
Email notification
Web announcement
Phone calls

You may also consider a multipronged approach, which includes email or paper notifications, supported by a website FAQ and a call center where consumers can get more information.

2. Outbound notification and inbound response management

Experian offers sufficient phone, website, and application capacity to absorb the spikes of crisis volume on top of normal operating volumes. This service includes address validation, delivery that covers 100+ countries, reporting and analytics of the notification channels, and a dedicated account manager that oversees the entire process.

3. Experienced team of agents

Our team of dedicated account managers has serviced over 50,000 incidents, delivered over 30 million print and email notifications each year, and developed a comprehensive range of products for every need. We stay with you as a resource throughout the crisis process and work with you to recover, repair, and protect your business for the future.

No one ever expects a crisis to hit, but when it does, it’s important to have a plan in place. Having a dedicated team who can help you navigate through difficult times is essential to quick recovery. At Experian, we understand the importance of customer trust and we help companies recover from crises quickly. Our team of experts is available to help when you need it most.

Learn more about our Crisis Response Management services

[1] Bain & Company. 2001. Prescription for Cutting Costs.
[2] Experian. 2019. Data Breach Consumer Survey.
[3] Deloitte. 2020. A crisis of confidence.
What if there was a way to assess your data security readiness before a breach happens?

Imagine the worst thing that could happen to your organization. Your system is hacked, exposing proprietary and confidential information including upcoming projects and consumer data. Consumer identity theft incidents skyrocket under your name. Competitors begin to take notice and pounce on their opportunity to move into your customer base. Your employees begin to fear for their job security and your consumers fear for their financial safety. With so much at stake, you need to have a solid plan in place before a data breach occurs.

The best way to improve your organization’s cybersecurity is by conducting a data breach simulation, which means testing yourself for vulnerabilities before threat actors do.

Verizon’s Data Breach Report shows that 85% of breaches involved a human element, while only 3% involved vulnerability exploitation.[1] Unfortunately, humans are prone to error. According to the results of Terranova Security’s 2020 Gone Phishing Tournament, almost 20% of all employees are likely to click on phishing email links.[2] Verizon’s report also found that stolen or misused credentials were responsible for 61% of data breaches. The most dangerous passwords to have stolen are those that provide privileged access to your organization’s networks. It is critical to have a password manager to protect your assets.

Experian offers data breach simulation and breach response exercises that test your digital defenses. We will assess what you can do before, during, and after a simulated attack to enhance your response plan.

Before:

- Consider how often you want to run these tests. They can take place once a year, every six months, quarterly, monthly or any other desired frequency.
- Determine if you want to use in-house staff or hire internal teams to conduct the exercises.
- Research potential threat actors who are most likely to target your industry and compile a list of possible aims and methods for each one.
- Identify targets and also non-targets — resources that are off-limits.
- Form clear objectives. For example: Infiltrate a specific business network, steal the credentials of the IT administrator, and exfiltrate financial data.
- Define the parameters of the plan by determining where the simulated attacker got their information (i.e., insider information or public knowledge) and what they would know.

During:

- Launch the attack (Example: send a phishing email to get a victim to install malware through a link).
- Monitor both physical and digital access points.
- Take note of departments and staff that are most likely to be targeted in an attack.
- Assess internal threats and openings for security breaches.

After:

- Review the incident response plan with a gap analysis.
- Did an internal employee make the error of opening a malicious email attachment?
- Did the simulated attacker gain access to an area they shouldn’t have been in?
- Did any alerts go off in the process, or fail to go off?
- Was physical security able to stop threats on the ground?
- Rank vulnerabilities and weak spots in order of which need to be fixed first.
- Test the changes by repeating the attack to see if the problem has been solved.

The best way to fight a threat actor is to understand their methods and fix your vulnerabilities before they can be exploited. Through data breach simulation attacks, you can find out where your weaknesses lie before an actual attack takes place and let the assessment inform the development of risk mitigation strategies and action plans.

For more information on how you can protect your business from data breach threats, visit us at Experian Data Breach Resolution. Experian has the tools and resources you need to stay ahead of the curve in today’s digital world.

[1] Verizon. 2021. 2021 DBIR Master’s Guide.
[2] Terranova Security. 2020. Gone Phishing Tournament.
Data breaches are becoming more common, and you need to be aware of the risks to effectively protect your business. A breach of consumer data can destroy the trust you have built with your consumers. When your company’s revenue relies on your reputation, consumer trust is your greatest asset. Below are five data breach statistics that you should know, along with some tips on how to protect your company.

1. There were 1,862 data breaches in 2021, breaking the previous record[1]

This number surpasses both 2020’s total of 1,108 and the previous record of 1,506 set in 2017. Eva Velasquez, president and CEO of the Identity Theft Resource Center, called the number of breaches “alarming” and went on to say, “There is no reason to believe the level of data compromises will suddenly decline in 2022.” The rise in breaches underscores the urgency for organizations to ensure compliance with regulations like the California Consumer Privacy Act (CCPA) and HIPAA to properly secure data (or face hefty fines). This is made more challenging as organizations struggle to adapt to more remote work practices while trying to manage the massive amounts of data they hold. Practicing good cyber hygiene is essential to protecting your and your consumers’ personal information.

2. Ransomware attacks in the U.S. alone accounted for 30% of all cyberattacks last year[2]

At Experian, we’ve seen an even higher occurrence of 59% of the events serviced in 2021. These types of events have nearly doubled in the last two years, and at this rate of growth, ITRC said ransomware will surpass phishing as the top cause of data breaches in 2022. Ransomware events take, on average, over 20% more time to begin, which means more lost time and money for your organization.

3. The average ransom demand was $5.3 million, which is a 518% increase from the 2020 average of $847,000.[3]

A data breach not only costs your organization money, but also your time, resources, and reputation. Hackers are getting smarter and more sophisticated with their attacks and demands, making it harder for organizations to respond effectively. Experian’s 2019 Data Breach Consumer Survey Report revealed that if you are breached, consumers want to know about it within 24 hours.[4] If you do not have a response plan in place, a mass notification in an emergency can overwhelm your resources and damage the trust you have built with your customers.

4. 95% of cybersecurity breaches are due to human error[5]

Most data breaches can be prevented if you take the right precautions. The best way to avoid a data breach is by providing your employees with proper training, such as phishing awareness. This will help them identify any malicious emails or websites that might expose company information and reduce the likelihood of your organization being hacked. In addition to employee training and awareness programs, organizations should look to bolster their cybersecurity measures with tools like threat detection, multi-layered defense mechanisms, and routine security audits to identify vulnerabilities before bad actors do.

5. 90% of consumers are more forgiving of companies that had a response plan in place prior to the breach.[6]

If your organization does not have a response plan in place, it could be game over for your brand. A significant number of survey respondents (81%) would stop engaging with a brand online following a data breach.[7] The expectation from consumers is that a company is always responsible for protecting data. Building consumer trust is key to maintaining lasting customer relationships and managing your company’s bottom line. Should a breach occur, it’s critical for organizations to effectively manage the breach with a comprehensive incident response plan to mitigate the impact on your customers.

Unfortunately, data breaches are a problem that is here to stay. At Experian, breaches are our business. We know ransomware breaches have more complex FAQs, letter versions, and increased call center escalations. Learn more about our Reserved Response solution.

[1] Identity Theft Resource Center. 2021. 2021 Data Breach Report.
[2] Verizon. 2021. 2021 Data Breach Investigations Report.
[3] Palo Alto Networks. 2021. Extortion Payments Hit New Records as Ransomware Crisis Intensifies.
[4] Experian. 2019. Data Breach Consumer Survey.
[5] Cybint Solutions. 2020. 15 Alarming Cyber Security Facts and Stats.
[6] Experian. 2019. Data Breach Consumer Survey.
[7] Business Wire. 2019. 81% of Consumers Would Stop Engaging with a Brand Online After a Data Breach, Reports Ping Identity.
Experian has been a sponsor of the Annual Ponemon Data Breach Preparedness Study for nine years. During this time, I’ve seen companies change their operations to address the influx of increasing threats and evolve their infrastructure to prepare and react. Although I’ve had a front-row seat in this fast-changing situation, somehow, every year, the results of this study still surprise and intrigue me.

Speaking of Infrastructure, Let’s Talk Supply Chains

The 2022 report explores the value of Business Continuity Management (BCM) and Crisis Management plans to minimize a data breach’s consequences. This topic is similar to one highlighted in our 2022 Data Breach Industry Forecast, which echoes that companies and organizations should expect these two areas to gain momentum, a finding based on predictions that natural disasters will continue to complicate supply chains. Also, the Forecast indicates that infrastructure cyberattacks will increase among the electrical grid and transportation networks.

This Year’s Surprise

Given all that we know and have gathered about data breaches over almost a decade, it was shocking to learn that this year’s Ponemon study found that only 56 percent of organizations have a BCM plan, and 53 percent have a crisis management plan. I seriously thought those numbers would be significantly higher. It goes to show there’s much more opportunity, learning, and preparation to go around.

Cyber Threats and Third Parties

The 2022 report also demonstrated third parties’ role in data breaches. We saw that third parties in the supply chain were the cause of 50% of reported breaches, which increased to 53% when looking at only U.S.-based companies. This data point is critical because as dependence on third-party vendors increases to improve customer experience, adapt to remote work, or improve operations, companies need to be more diligent in checking the cybersecurity protocols of their partners. If not, vulnerabilities to cyber threats can increase. Also, a lack of adherence to ever-changing government regulations could cause legal troubles.

I’ll close with one last point I found interesting: While 91% of organizations have data breach plans in place, only 56% require an audit of third parties, exposing them to a breach. This information illuminates the point that companies need to consider all facets of their business when planning for a data breach – that’s one thing that shouldn’t come as a surprise.
New Year, New Cyber Threats

This is my first blog post of 2022, and I’m afraid the news I’m here to bear isn’t ideal: cyber attack stakes are high. In 2022, hackers are literally betting on a growing market spreading online across the U.S.

Before I get into our Data Breach Industry Forecast, let’s take a quick look back. In 2021, we witnessed a sea change in digital connectivity and activity during the pandemic. As vaccines became widely available and distributed, the recovery, on all fronts, felt close. But now, as new variants continue to develop and spread, it seems like we are in a one-step-forward, two-steps-back scenario—what the Ninth Annual Experian Data Breach Industry Forecast calls the “Cyberdemic Hangover.” As we aim for stability in 2022, companies must continue to secure weak technologies, and consumers must be vigilant in their daily digital lives.

The 2022 Data Breach Industry Forecast report tells the story of what we’re facing this year better than I can, so I encourage you to download a copy. However, here’s a preview of one prediction to get you started.

Hackers Bet on New Gamblers

Again, cyber attack stakes are high. The online gambling market reached more than $70 billion globally in 2021. With more U.S. states legalizing online sports, cyber thieves will look to place scams, particularly phishing scams, on the likes of fantasy sports sites and more. The possible targets will add up over the course of the year as this market grows and alternative payments like cryptocurrency become more widely accepted.

Experian’s deep expertise in helping companies navigate more breaches over the last 18 years informs the other four predictions. To find out the other areas hackers are hoping to cash in on this year, download the predictions now. Visit our website for Data Breach Resolution and Reserved Response™ insights.
Hackers are playing the game of data compromise, and they are winning. At this point, companies of all sizes, from all industries, know that consumers have a growing desire to take control of their data and digital privacy. In case you missed the latest webinar and whitepaper release from Javelin Strategy & Research, it makes three things clear about consumers’ current attitudes about fraud and its impact on businesses.

1. Consumers are much more privacy-aware

In 2020, consumers turned to social media and telecommunicating platforms to work, stay in touch with friends and family networks and learn. While the broad-scale increase provided a way for global commerce and connections to continue during the worldwide pandemic, it also accelerated cybercrime. The influx of internet traffic created a ready-made environment for fraudsters to profit from consumers in a big way, primarily through scams. Scams were so profitable that they accounted for $43 billion of the $56 billion reported ID fraud losses last year.[1]

2. Consumers blame Financial Institutions for fraud. It’s the main reason they leave.

When consumers experience fraud, they blame their financial institutions, even if the loss has nothing to do with the institution or its business’s responsibility to the consumer. This attitude shows that consumers hold FIs accountable for their data protection. And when they don’t get it, they take their expectations and their business elsewhere. The data shows the proof. In 2020, 38% of consumers closed a bank account affected by fraud, with 69% saying their primary FIs did not resolve their fraud concerns or losses.[1] As the saying goes, perception is reality, and in the case of fraud, consumer thoughts have real consequences for organizations.

3. Consumers leave when breaches happen

This point is simple: consumers leave even when personally identifiable information (PII) or other data is not stolen.

Be prepared with a playbook or be ready to lose consumer trust

To improve the customer experience, build trust and reduce risk, companies need a playbook — a fraud resolution and breach response playbook — a solid plan that falls under their existing business and continuity disaster recovery plan. Why? Because consumers need to know and, more importantly, trust that companies are prepared to react quickly and deliver resolution when a network intrusion occurs.

According to Javelin Strategy & Research data, fraud resolution is the best way to retain customers and members. In addition, consumer perception of cybersecurity plays a significant role in consumer attrition and retention. Again, even if personal information is protected, if your organization is attacked, consumers are more likely to stop doing business with your organization, even if no data was compromised. This means cybersecurity and fraud prevention empowerment is a game-changer, driving 22% of consumers’ satisfaction ratings with online banking.[2]

When building your playbook, consider two core things:

1. Make sure it’s well-developed

A comprehensive fraud resolution and breach response should include a solid approach to collaborate with consumers when fraud occurs. Ensuring your plan includes fraud, cyber, and marketing communications teams will help your company act swiftly and build consumer confidence.

2. Don’t just encrypt data; strengthen perimeter security.

Strong perimeter security will ensure safe interactions with consumers. Even if personal information is protected, consumers will perceive a penetration of the network as a breach and will be more apt to stop doing business with your company.

At Experian, preparedness is our business. We know how important fraud resolution and breach response is to your customer’s experience. Developing a solid playbook is key to that experience, building trust and reducing risk. To learn more, read the Giving Consumers Control and Enhancing Fraud Prevention whitepaper, watch the Empowerment and Fraud Prevention are Key webinar and find out how to protect your business with Experian’s Global Data Breach Solutions.

[1] Javelin Strategy & Research. March 2021.
[2] Javelin Strategy & Research. June 2021.
As today’s fastest-growing form of criminal activity, cybercrime is expected to cost organizations $6.1 trillion worldwide this year alone,[1] with attacks on enterprises now occurring every 11 seconds.[2] But despite increasingly widespread growth in corporate IT security awareness, the importance of putting a sound data breach preparation plan in place for protecting your customers’ privacy and data can’t be underscored enough. Given the scale of IT security threats, it bears reminding: Network compromise is now largely a matter of when, not if, for most businesses.

As a result of this shift in security and operating environments, it’s important for enterprise leaders to note the six key reasons that most data breach responses fail:

- No Budget: Despite the seeming inevitability of a data breach, most companies’ average annual budget for a consumer response is exactly $0. Many companies and security teams believe they are fully prepared or won’t be targeted. But with losses due to ransomware attacks up 225% lately in the US alone,[3] it can be an expensive gamble to make.
- Never Tested: Even if a company does have a data breach response plan in place, it usually hasn’t been stress-tested via live exercises and drills. Having a plan in place is a great first step, but unless you test it in a live breach simulation or exercise, you can’t be certain the plan will be successful.
- Unknown Impact: It can be hard to know how much of your customer population has been impacted by the breach. Your plan needs to be flexible enough to accommodate both small and massive breaches.
- No Estimate: Data breach responses also fail because there is no estimate for the scale of phone calls, emails, and complaints that may be received. To put things in perspective: A small data breach is MUCH different and easier to remedy than one involving millions of records.
- Slow to Respond: By law, firms that suffer a data breach must now report the incident to government authorities within 72 hours. Failure to address increasing regulatory compliance and information sharing needs (which demand greater oversight and overhead from organizations) can come with hefty fines.
- No SLAs: Companies often don’t have the necessary agreements to guarantee the infrastructure and staff to assist consumers with resolving their cases. Having a dedicated, guaranteed number of call center agents ready to go when a company experiences a data breach is invaluable.

To improve your odds of successfully defending against and responding to breaches, you’ll want to focus on strengthening four areas of operations:

- Guarantee Resources: Ensure that you have dedicated security resources prepared to react to threats on the turn of a dime. Your SLAs should include well-trained, certified call center agents and the infrastructure ready to go. This should include scalable and high-quality identity protection services to resolve harm to your customers.
- Readiness Testing: Failing to plan (i.e., not stress-testing your recovery plan prior to incidents occurring) is like planning to fail. By rehearsing your disaster response and recovery strategies, you’ll be able to identify any points of failure and shortcomings that you can improve upon before actual concerns arise.
- Regulatory Needs: Emphasize quick and accurate responses to regulator inquiries by understanding the specifics for your industry and business.
- Communications: Having a corporate communications plan ready to go in real time is also key. Connect with your communications team to create a communications response plan prior to any incidents occurring so that all you largely need to tweak are specifics on the day of the event.

According to studies by IBM, companies can save $1.2 million off the cost of data breaches by having an incident response plan in place and extensively testing it before cyber threats strike. Bearing this in mind, the best defense against digital dangers is a good offense.

Experian’s Reserved Response™ was created to help organizations take a proactive approach to data breach response planning. Deploy it to put an end-to-end game plan in place and implement a step-by-step playbook that workers can follow in the event of an incident. You’ll also guarantee that your organization gains the necessary manpower, infrastructure, and response readiness needed to ensure ongoing network resilience and a speedy recovery should disaster strike.

[1] Cybersecurity Ventures, Annual Cybercrime Report 2020
[2] Cybersecurity Ventures, Cybercrime to Cost the World $10.5 Trillion Annually by 2025
[3] Cybereason, Ransomware: The True Cost to Business Study 2021