Cybersecurity is now at the forefront of regulatory safety. Given the new and ever-expanding range of dangers that cyberattacks pose to regulators, it can be overwhelming to consider every possible consequence at all times.
The silver lining, however, is that there are three main types of consequences a regulator may face if it falls victim to a successful cyberattack: disruption to work, financial costs, and loss of confidence. Knowing these consequences can help regulators better evaluate threats as cyberattacks increase in frequency and severity.
Disruption to Work
A disruption to work, and the resulting loss of productivity, occurs when a cyberattack leads to a shutdown of the systems the regulator uses. The time and costs associated with a disruption will vary according to the regulator’s preparedness. A regulator left scrambling without backups or a disaster recovery plan will likely face a longer period of interruption. Depending on the extent of the damage, staff may be able to resume work while the problem is resolved. Alternatively, the fix may require significant time and resources, especially if it involves potentially compromised data.
In addition, licensees, applicants, complainants, and other potential victims must be contacted according to privacy laws in affected jurisdictions. This effort is completely outside the normal day-to-day operations of a regulator, causing further delays and distractions and sometimes creating additional costs to the regulator if outsourcing is required, which brings us to the financial impacts of cyberattacks.
Data breaches present very direct financial consequences, particularly when regulators choose to pay the cybercriminals involved. However, payouts are generally avoided, since they reward bad behavior and demonstrate to other cybercriminals that it can be a lucrative venture. Many enforcement organizations, including the FBI, discourage any payout.
However, even when attacks do not involve data held for ransom, there may be other costs associated with actual or potential breaches. Some costs are more easily calculated while others may be more hidden or harder to quantify.
This is not an exhaustive list, but these costs can include:
- Payment of insurance premiums to activate a policy the regulator may have for dealing with cyberattacks.
- Legal and administrative costs to ensure the regulator decreases its exposures and meets any other legal requirements.
- Investigation and consultancy costs.
- Labor costs, such as overtime paid to staff who must deal with the attack, either directly (for example, IT staff) or indirectly through lost work hours.
According to Verizon’s 2021 Data Breach Investigations Report (DBIR), the median cost of a breach is about $21,000. However, the amount of money that should be allocated to respond to a breach changes depending on the analytical perspective taken. For instance, the DBIR indicates that if an organization planned for the middle 80% of breach impacts, the range runs from about $2,000 to $194,000.
In addition, costs will emerge from loss of productivity or disruption to work. This may be particularly hard for regulators to quantify since they do not traditionally operate with a profit model. Other “human” costs will be associated with waiting customers and the introduction of more manual and complex processes.
A crucial function of any regulator involves maintaining and even boosting public confidence in its operations. If a regulator’s fundamental mandate is to serve the public interest, it must do so and be seen to do so; otherwise public trust and confidence are eroded.
Regulators who do not take adequate steps to protect public and licensee data risk losing public confidence and potentially government confidence. Serving the public interest includes maintaining the confidentiality of data meant to be private. This does not mean simply taking steps to prevent breaches, but also responding appropriately if a potential breach is detected.
The September 2020 attack on the College of Nurses of Ontario (CNO), one of North America’s largest regulators, demonstrates this point well. CNO fell victim to a ransomware attack, which potentially compromised the data of almost 200,000 licensees and caused a major disruption to work, including preventing the regulator from processing renewals or new applications. While the regulator did not pay the ransom, both the loss of work and investigation created considerable additional costs.
Importantly, a perception emerged that CNO was not wholly transparent about the breach with the public and licensees. News articles focused on this aspect and reported that two of the major nurses’ unions as well as the major association expressed frustration and anger at the lack of notification and information about the breach. Vicki McKenna, president of the Ontario Nurses’ Association (ONA), said she was “outraged that I didn’t know as a member of the college that this had happened” after she learned about the breach in a CBC report.
A regulator will often try to manage its relationships with licensees and the public by continually demonstrating that it is fulfilling its mandate effectively. These relationships can be fraught with sensitivity and tension. Regulators should avoid adding more stress and tension to the equation by giving the public and licensees further reason to question the regulator’s operations. In addition, regulators risk losing the confidence of staff, who may have to perform extra work and field phone calls and emails from frustrated and angry licensees.
The consequences that cyberattacks pose to regulators are manifold, but that doesn’t mean they have to be incomprehensible. By considering the most common dangers they face under cyberattack, regulators can better prepare themselves to avoid the worst of these consequences and take measures to prevent them in the future. This is only part of our latest downloadable whitepaper, in which we break down regulatory cybersecurity practices and consequences from multiple angles.
Jordan Milian is a content writer at Thentia with a professional background in journalism and marketing.