Pre-breach readiness agreements: The key to cybersecurity compliance

Regulations demand greater operational resilience

In the EU, the Digital Operational Resilience Act (DORA) came into force in January 2025, requiring the financial sector to strengthen IT security, operational resilience and third-party risk management. Financial institutions are especially vulnerable to cyber-attack, given the sensitive data they hold and their increasing reliance on digital technologies to deliver services. Existing NIS cybersecurity legislation in the EU will also be strengthened in June, when the NIS 2 Directive is implemented. This mandates more stringent security measures, risk management and incident reporting.

In the UK, the forthcoming Cyber Security and Resilience Bill aims to improve cyber-defences and protect essential public services. It will expand regulation to protect more digital services and supply chains, reinforce regulators’ powers to ensure cybersecurity measures are implemented, and mandate increased incident reporting.

Need to demonstrate incident readiness

These strengthened regulations are focusing the minds of many business leaders on the need for greater operational resilience, including greater preparedness to recover swiftly from a data breach. At Experian, we have seen increasing interest in our pre-breach crisis-response services from financial institutions and multi-national organisations, as well as from insurers and law firms advising clients on compliance and cybersecurity.

The need to have pre-breach measures in place has led many large corporates to sign up for services that equip them to deal efficiently with any data breach and the subsequent consumer response. Experian offers a suite of such services, from entry-level Response Aware which is free to sign up for and offers a pre-agreed contract and fixed rates for post-breach services, through to Response Protect which includes resource modelling, scenario planning and simulation exercises.

Big firms planning for efficient crisis response

We have found many large corporates opting for the entry-level service to comply with regulatory requirements, but also because they recognise the limitations of their own internal sign-off processes. In many large businesses, contracts can take up to ten days to gain approval. In the event of a data breach, firms cannot afford to wait for a crisis-response contract to be approved, since any delays in tackling the breach will exacerbate financial, reputational and operational damage. The Experian Response Aware service gives these firms a pre-signed crisis-response contract that be actioned immediately following a data breach, without further sign-off delays.

There is a legal duty to notify the ICO within 72 hours if personal data has been compromised. Organisations that fail to inform customers promptly and mount an effective recovery process, face further fines and lack of preparedness is not looked on favourably by regulators. Consumers also want to know quickly if their personal data has been breached and our own independent crisis response research found that 53% of consumers would file a complaint if an organisation handles a crisis poorly, and 42% would move their custom elsewhere.

Aside from achieving regulatory compliance and assuring stakeholders of readiness to deal with a data breach, having a pre-engagement agreement in place can also help lower insurance premiums. The largest claims following any cyber-attack are usually for business interruption. Anything a firm can do to reduce disruption to their business following a cyber-incident is therefore likely to be viewed favourably by insurers.

Assess consumer-response readiness

With the arrival of DORA and similar regulations, lawyers, insurers and other business advisers are now instructing clients that having a pre-breach agreement in place is a good first step – to reinforce resilience and ensure they are ready to respond if the worst happens.

Beyond this, many firms are being advised to carry out desktop scenario exercises to assess how they would deliver a consumer-notification programme following an incident. Such desktop exercises can help firms understand their level of preparedness for a consumer response. It’s already common to carry out such scenarios for IT resilience and disaster-recovery. Conducting a consumer-response desktop scenario can help companies gauge what further support they may need, and whether they have the resources available to mount an effective response.

Regulations aim to protect consumers and data

The ultimate aim of all cybersecurity regulations worldwide is to protect the rights and data of consumers. Firms can strengthen their compliance by protecting consumer data and ensuring it is not exposed to risk. If data is breached, firms must be able to demonstrate they have effective mechanisms in place to support those impacted, respond effectively and restore data quickly.

Recent regulatory pressures have highlighted the value of pre-breach crisis-response services, helping firms introduce pre-emptive measures to protect and reassure customers and stakeholders – and satisfy the regulators.