In this article we consider the financial elements of a business case for moving to a new operating model based on a centralized approach to data management and protection.
First, we’ve estimated the cost of managing a breach. For an organization with an outdated operating model, where regulatory compliance is not a high priority, a breach is a realistic scenario, so costing it is a valuable part of the business case. It also serves as a wake-up call for anyone who thinks compliance isn’t a priority.
Next, we’ve estimated the costs and benefits of implementing a new operating model that addresses the business imperatives listed in our previous article.
Our summarized calculations are tabulated below, and the remainder of the paper explains the assumptions that underpin them.
Introduction to calculations
1. Actual costs and benefits will vary depending on the characteristics of the organization, but we’ve assumed an example distributor with the following profile:
2. Many of the costs relate to resource effort, and we’ve used salaries that were updated in May 2018. These, and all other costs, are US figures.
3. All costs are for one year unless noted otherwise (e.g. in the Benefits section we have included only one year’s costs for the IT systems, although in reality many of these would be recurring).
Estimated costs of managing a data breach
In the immediate aftermath of a breach, we would expect a small team of business and IT staff to be allocated to make emergency fixes and implement the business recovery plan. Crisis and PR management makes up the remaining costs and covers:
- Cost of specialist PR advice.
- Press adverts. Whether these are needed will depend on the extent of the breach, but the cost is worth including. (In response to the data breach earlier this year, Facebook ran ads in several UK and US national newspapers and paid millions of dollars to do so; a typical black-and-white ad in the New York Times costs about $150,000.)
- Proactive PR activity to try and limit the reputational impact.
- Senior management meetings, including Board execs and non-execs.
- Shareholder communications, and communications with the regulator.
GDPR requires that you notify the regulator (the supervisory authority) within 72 hours of becoming aware of a breach and, where the breach is likely to result in a high risk to the individuals affected, that you also notify them directly. Whether or not notification is mandatory, you should consider it good practice to make customers aware of what’s happened and what you’re doing about it. We’ve assumed two mailings to the entire customer base, one after the incident and the other after remedial action has been completed, and that the in-house marketing team will handle social media placement.
Incident Investigation & remediation
A SWAT team will be allocated to investigate the root cause of the incident and create a full remediation plan. They’ll also need to support any information requests from the regulator.
The remediation plan is likely to include:
- updates to policies and procedures
- data restoration and validation
- staff re-training
- new or updated systems – we’ve assumed the company would implement the same solution we have considered in the cost/benefit calculation below.
We’ve assumed the organization will already have a Data Protection Officer (DPO) since this role is often combined with another compliance management role, but we’ve included an assistant DPO given the heightened attention from the regulator.
Losing customers and prospective customers is a likely outcome, as this report by Cisco illustrates, although having a robust incident response plan will help minimize the loss. For the purposes of our calculation we’ve assumed a loss of 5% of the customer base and 5% of the pipeline.
Fines imposed by the regulator
Fine maximums are theoretically high (under GDPR, up to €20 million or 4% of global annual turnover, whichever is higher) but have never been applied. Although it’s not wise to base business decisions on the assumption that they never will be, a more realistic approach is to look at historical trends. In 2016, 35 UK companies were fined a total of £3.2m, an average fine of £91k, or about $122k.
Legal costs and compensation also need to be included: the cost of defending lawsuits and of compensation pay-outs. Our example company will likely be servicing some large enterprises, which are more likely to take legal advice, so compensation pay-outs could be large, particularly if claims are pursued as a class action.
Having felt the effect of one breach, it’s likely you’ll insure against another, or you’ll see the premiums rise on the policy you already have. Pricing obviously varies by organization characteristics, claims history, scope and amount of cover required, but the average cost of a data breach claim is $3.2m and we’ve estimated the cost of a policy covering that amount.
End user remediation
Since the breach will disrupt end users in the customer organizations, we expect our example company will have to contribute towards their remediation activities, for example by providing new cybersecurity software.
Cost and benefits of implementing a centralized data management and protection system
From the analysis above we can see that the cost of non-compliance is significant, but what are the costs, and benefits, of pre-empting the problem by establishing a centralized data management and protection system?
Most companies won't be starting from a zero base and will have some sort of compliance process in place, so we've kept costs on the lower side and reflected only the work needed to move from 'OK' to 'good practice'.
Data protection regime initial set up
It will be beneficial to take legal and business consultancy advice to lay out the full list of regulations you will have to comply with now or in the next 3-5 years, and we’ve assumed 10 man days from a mix of legal and business consultants.
A gap analysis of current business and tech operations against future requirements can then be done and an action plan for the required change developed. We’ve assumed 30 man days effort from business, tech and marketing teams to do this work.
We’ve also included some effort for a data audit. This is specifically driven by GDPR, under which you need a documented lawful basis (consent, or one of the other grounds in Article 6) for all personal data you store, but it will also be relevant to other regulatory requirements.
Policies and procedures
The business team will need to review and revise policies and procedures and the tech team will then have to reflect these in business applications and workflow.
As we noted earlier, data protection and cybersecurity are closely linked, and we recommend a full review of the organization’s cybersecurity arrangements. This can be done at the same time as policies and procedures are being changed, and we’ve assumed 20 man days effort for the work.
Service provider contracts
Review and amend third-party contracts to reflect any dependencies you have on suppliers for regulatory compliance (under GDPR, for example, a written contract with each data processor is mandatory).
Business continuity management
Regulators will expect to see a robust business continuity plan (BCP), so we have included effort for its creation or update and an annual cost to maintain it. The breach response plan we referred to in the section above (costs of managing a data breach) should form part of the BCP. Assuming the right skills are used this shouldn’t take a lot of time; about 6 man days should cover it.
Online and offline data privacy notices will need to be updated, as will the tools used for requesting and storing consent for the use of personal data. As you move to the new operating model you will also need to keep your customers informed. Much of this can be done electronically, but we’ve included $50k for paper mailings to 20% of the customer base.
Employee Training and Comms
We've assumed a total of 15 days for a Training Manager and 7 man days from the marketing team to help prepare and issue comms material. We've assumed all front office staff will require a total of one day’s training, probably spread over a few sessions, and back office staff about half a day, and we've included the associated cost of unproductive downtime.
Centralized Business Management system
This is a single, cloud-delivered system that provides consistent functionality to all offices and staff. We’ve assumed a small IT team based at HQ would provide remote support and systems management.
Based on our experience we’ve assumed renewals would increase by 10% and policy sales by 3% as a result of implementing a centralized business management system.
Savings come from removing the need for a discrete system in each office, the associated hardware and software support and the likely need to have onsite IT support for system management and user support.
Productivity improvement can be dramatic, up to 60% in our experience, due to improved workflow, reduced data entry and re-entry, and fewer manual processes. The value noted in the table is the improvement across all back-office staff, and would be realized either by reducing the number of staff or by increasing the number of premiums being managed without incurring any additional cost.
Reduced staff churn
We’ve assumed a ‘normal’ staff churn of 4% (although this could be significantly higher if staff become disillusioned with the current operational setup), falling to 1% once the new operating model is implemented. The costs are made up of recruitment fees for replacements; we have not assumed any overtime payments for other staff to cover the work in the interim.
We estimate that the cost of onboarding new staff, typically undertaken by senior staff, will reduce by about 70%, since business processes are automated and all data is centralized, meaning training can be completed much quicker and non-productive time for both the new hire and the trainer is significantly reduced.
Of course, you don’t need to implement a centralized approach to data management and protection, but the other options have their own issues:
Use a compliance ‘bolt-on’: Some vendors claim to offer a compliance system that can sit on top of existing platforms, but this apparent simplicity disguises the challenges of integration and data management. In practice, implementing something like this will take almost as much effort as doing the work properly.
Address each regulation as it arises: You could take a piecemeal approach and incrementally change the operating model and technology to comply with each new regulation, but this will quickly become very costly as process and system changes have to be repeated.
The costs of a breach can be huge and the benefits of implementing a centralized business management system far outweigh the costs of doing so. But how do you get there? That’s the subject of our next article.