Tackling data breach risks requires perpetual planning
Because the cost of not prioritizing data security is incalculable.
The fallout from a data breach can have real staying power, be it a hit to the affected organization’s reputation or a class action lawsuit brought by customers whose data was leaked.
With these risks in mind, organizational leaders must perpetually review their data security controls and processes—because an annual review simply isn’t enough, according to finance and cybersecurity experts.
The risk of a data breach is “not just the short-term operational disruption,” Judson Dressler, head of cyber insurance and risk management firm Resilience’s Risk Operations Center, told CFO Brew recently. “It’s really the long-tail financial reputational exposure. It’s litigation, regulatory investigations, customer notification requirements, it’s reputation and PR to contain that.”
“The cost of not prioritizing [data security] is your brand, it’s your credibility—and those things are priceless,” Angela Lee, CFO of real-time data platform Hydrolix, told us.
Hydrolix collects data from its customers that could include personally identifiable information or intellectual property, according to its CISO, Joshua Scott. “It’s customer data; we want to ensure that we’re treating it as the most sensitive and protected thing that we have within the environment,” Scott told us.
At Hydrolix, leadership reports on cybersecurity matters about once per quarter to the board of directors, according to Scott. But executives also meet multiple times a week to discuss various issues—and cybersecurity is brought up “probably once a week at least,” he said.
“Everybody’s constantly hyper aware of what’s out there and what we need to be doing,” Scott said.
A changed landscape. Cybercriminals, aware of the long-term risks companies face from a data breach, are adjusting their tactics from purely encrypting data to data exfiltration and suppression—stealing companies’ data to sell on the black market or demand a ransom in exchange for not making the data public.
Munich-based insurance giant Allianz noted in a report from September that 40% of the value of its first-half 2025 cyber claims included data theft, up from one-quarter of claims in all of 2024. Losses from incidents that included data theft “were more than double the value of those without,” the Allianz report concluded.
Michael Burke, a partner at law firm DarrowEverett, said he sees data privacy cases from two sources: class-action lawsuits brought by consumers, and B2B disputes that involve claims like breach of contract or negligence following a data breach. The consumer-based cases in particular have “heated up over the last year,” Burke said.
His advice to organizations facing legal risks related to data storage: “Just simply disclaiming damages in a contract isn’t going to protect you.”
“If you’re a vendor, and you’re storing or protecting someone else’s data on their behalf, and you’re a custodian of data, you want to make sure your contract very clearly lays out what you’re responsible for and what you’re not responsible for,” Burke said.
Crucial decision-making. Lee said it’s difficult to quantify financial risks associated with reputational damage following a data breach incident. Instead, Hydrolix determines the level of insurance coverage it needs in part by contractual requirements with its customers. But it also considers whether it needs additional protection by benchmarking against its peers.
That’s where its relationship with insurance brokers comes into play. “The more that everybody involved in this is understanding your business,” Lee said, “the more that they can look out for you and stay on top of things.”
Scott said he also leans on CISO peer networks to stay on top of evolving threats and gather information on what others are doing to protect themselves. “When you’re in a group of 500 CISOs who are experiencing these kind of things, they’re bound to share, because we do like to talk,” he said.
The dream works. And those aforementioned frequent C-suite discussions on cybersecurity strategy? They help determine where Hydrolix needs to adjust its security investments, according to Scott.
“That’s when [Lee] and I work together, along with some of the other executives, on determining what are those next budget items…that we need to invest in to enhance the platform, add additional controls, or even pursue another compliance program,” he said.
Lee said flexibility is key in an evolving threat landscape, especially one disrupted by AI technology.
“We’re in constant planning, and it’s not just set once a year,” she said. “It’s an evolving landscape, but we have a lot of built-in flexibility…If this is a top priority for us, we’ll make room for it.”
About the author
Alex Zank
Alex Zank is a reporter with CFO Brew who covers risk management and regulatory compliance topics. Prior to CFO Brew, he covered the property/casualty insurance industry.