Pre-breach readiness agreements: The key to cybersecurity compliance
Cyber threats rise, prompting stricter global security regulations
Organisations worldwide face the ever-present threat of cyber-attacks impacting their systems and data. No organisation is immune from these harmful breaches, particularly as more systems and processes are digitised and fraudsters deploy increasingly sophisticated, AI-driven tools to infiltrate IT networks.
Governments recognise the widespread harm and disruption caused by these attacks to individuals, organisations and economies. To address the growing threats, stricter regulations are being introduced to ensure businesses improve their resilience and implement effective measures to keep threat actors at bay. Regulators such as the Information Commissioner’s Office (ICO) expect and are calling on organisations to do more to combat the growing threat of cyber attacks[1].
Regulations demand greater operational resilience
In the EU, the Digital Operational Resilience Act (DORA) came into force in January 2025, requiring the financial sector to strengthen IT security, operational resilience and third-party risk management. Financial institutions are especially vulnerable to cyber-attack, given the sensitive data they hold and their increasing reliance on digital technologies to deliver services. Existing NIS cybersecurity legislation in the EU will also be strengthened in June, when the NIS 2 Directive is implemented. This mandates more stringent security measures, risk management and incident reporting.
In the UK, the forthcoming Cyber Security and Resilience Bill aims to improve cyber-defences and protect essential public services. It will expand regulation to protect more digital services and supply chains, reinforce regulators’ powers to ensure cybersecurity measures are implemented, and mandate increased incident reporting.
Need to demonstrate incident readiness
These strengthened regulations are focusing the minds of many business leaders on the need for greater operational resilience, including greater preparedness to recover swiftly from a data breach. At Experian, we have seen increasing interest in our pre-breach crisis-response services from financial institutions and multi-national organisations, as well as from insurers and law firms advising clients on compliance and cybersecurity.
The need to have pre-breach measures in place has led many large corporates to sign up for services that equip them to deal efficiently with any data breach and the subsequent consumer response. Experian offers a suite of such services, from entry-level Response Aware which is free to sign up for and offers a pre-agreed contract and fixed rates for post-breach services, through to Response Protect which includes resource modelling, scenario planning and simulation exercises.
Big firms planning for efficient crisis response
We have found many large corporates opting for the entry-level service to comply with regulatory requirements, but also because they recognise the limitations of their own internal sign-off processes. In many large businesses, contracts can take up to ten days to gain approval. In the event of a data breach, firms cannot afford to wait for a crisis-response contract to be approved, since any delays in tackling the breach will exacerbate financial, reputational and operational damage. The Experian Response Aware service gives these firms a pre-signed crisis-response contract that be actioned immediately following a data breach, without further sign-off delays.
There is a legal duty to notify the ICO within 72 hours if personal data has been compromised. Organisations that fail to inform customers promptly and mount an effective recovery process, face further fines and lack of preparedness is not looked on favourably by regulators. Consumers also want to know quickly if their personal data has been breached and our own independent crisis response research found that 53% of consumers would file a complaint if an organisation handles a crisis poorly, and 42% would move their custom elsewhere.
Aside from achieving regulatory compliance and assuring stakeholders of readiness to deal with a data breach, having a pre-engagement agreement in place can also help lower insurance premiums. The largest claims following any cyber-attack are usually for business interruption. Anything a firm can do to reduce disruption to their business following a cyber-incident is therefore likely to be viewed favourably by insurers.
Assess consumer-response readiness
With the arrival of DORA and similar regulations, lawyers, insurers and other business advisers are now instructing clients that having a pre-breach agreement in place is a good first step – to reinforce resilience and ensure they are ready to respond if the worst happens.
Beyond this, many firms are being advised to carry out desktop scenario exercises to assess how they would deliver a consumer-notification programme following an incident. Such desktop exercises can help firms understand their level of preparedness for a consumer response. It’s already common to carry out such scenarios for IT resilience and disaster-recovery. Conducting a consumer-response desktop scenario can help companies gauge what further support they may need, and whether they have the resources available to mount an effective response.
Regulations aim to protect consumers and data
The ultimate aim of all cybersecurity regulations worldwide is to protect the rights and data of consumers. Firms can strengthen their compliance by protecting consumer data and ensuring it is not exposed to risk. If data is breached, firms must be able to demonstrate they have effective mechanisms in place to support those impacted, respond effectively and restore data quickly.
Recent regulatory pressures have highlighted the value of pre-breach crisis-response services, helping firms introduce pre-emptive measures to protect and reassure customers and stakeholders – and satisfy the regulators.
How can we help?
If you’re concerned about meeting the requirements of new cybersecurity and operational resilience regulations, please get in touch with our crisis and data breach response specialists via email to book your consultation or call 0844 4815 888 to talk about the Reserved Response options and consultancy available to you.
Alternatively, please visit our website for more information.
Further reading
Crisis response
This white paper presents the experiences of businesses and individuals during the 18 months up to December 2021, the subsequent response and outcomes.
Why it’s essential to put your consumer response plan to the test
Why understanding the implications of a data breach and its impact on your organisation is an important first step in developing a response plan.
How to understand the true implications of a data breach for your organisation
Communicating with customers, handling queries and allocating sufficient resources. Why is it better to be proactive rather than reactive to a data breach?
As threats to data security grow, how can organisations mitigate the risks?
No matter how secure your cyber defences, there are many ways that fraudsters can exfiltrate your data. Is your business ready to respond?
What is Fraud Prevention?
Many of us know a time when a bogus email encouraged us to click on an untrustworthy link. But what exactly is fraud, particularly when it comes to banking?
Fraud Analytics guide
Fraud analytics is the use of data analytics in the role of fraud prevention. Find out more about what it is and why it matters in this guide from Experian.
2023 UK Identity and Fraud Report
Our report explores the concerns, preferences and needs of today's digital consumers and their online experiences. Download now.
Streamline regulatory compliance with accurate, convenient age verification
Many online businesses need to carry out age verification checks, but the UK government has brought new legislation into force. Find out more.
What is a phoenix business?
The practice of setting up businesses multiple times to avoid paying debts. Read our infographic to spot the potential signs and protect yourself from financial crime.
Detect, prevent and deter UK B2B Fraud and Money Laundering
In our webinar series, discover the key trends around how criminals are exploiting UK business to perpetrate fraud and financial crime.
[1] Organisations must do more to combat the growing threat of cyber attacks Information Commissioner’s Office