Data Governance and Cyber Risk: Why Data Sprawl Is the Hidden Liability – NEW PODCAST


Data governance has become one of the most critical and overlooked components of cybersecurity and cyber insurance risk management. Organizations invest heavily in preventing intrusions, but far fewer pay attention to what happens after attackers get in.

Breaches are bound to happen. The real cost depends on how much data is exposed, how sensitive it is, and where it is stored. Old files, duplicate records, forgotten databases, and weak permissions can make incidents much worse. As Josh Mason, CTO of RecordPoint, says in the latest Cyber Insurance News and Information Podcast, the biggest risk is often the data organizations do not realize they still have.

Mason talks about how data sprawl, weak policies, and unchecked AI use increase cyber risks. He also shares ways organizations can lower their risk.

[Image: Data governance podcast graphic for Cyber Insurance News, on how data governance reduces cyber insurance risk and cuts breach blast radius. Podcast guest: Josh Mason, CTO of RecordPoint.]

Understanding Cybersecurity Breaches

Most organizations try to keep attackers out. But Mason points out that the bigger risk is what intruders find once they get in.

Unclassified data, duplicate records, and poorly organized storage make it hard to know what was accessed during an incident. If organizations cannot quickly figure this out, response times slow down and costs go up.

For cyber insurers and risk managers, a breach is often just the start. The real risk comes from notification rules, legal issues, and not knowing how many records were affected.

Why Data Governance Matters

Data governance means understanding, managing, and controlling an organization’s information.

At its core, it involves four key elements:

  • Knowing where data exists
  • Classifying what type of data it is
  • Controlling access to sensitive information
  • Disposing of data when it no longer has value

Without good governance, organizations build up large amounts of unmanaged data. Mason calls this a hidden liability.

The Impact of Data Sprawl

It is now easy to store information forever, but this convenience has led to massive data sprawl.

Files get copied to different systems, saved in backups, and left behind on old platforms. Sometimes, organizations only find sensitive data like Social Security numbers or customer records when they investigate a breach.

This leads to much more severe breaches. The more data attackers can reach, the bigger the legal, financial, and reputational problems.

Immediate Steps to Reduce Risk

Mason suggests a simple first step for organizations worried about cyber risk: delete data you do not need.


Cutting down on stored data is one of the few ways to permanently reduce the impact of a breach.

Practical first steps include:

  • Identifying systems most likely to contain sensitive data
  • Deleting files that have not been accessed in years
  • Eliminating redundant or duplicate records
  • Applying retention policies consistently

Even small efforts to reduce data can greatly limit the damage from an incident.


AI’s Growing Role in Data Management

Artificial intelligence brings both new benefits and new risks to data governance. AI tools can help classify documents, find sensitive information, and automate tasks across large datasets. But the rapid adoption of AI platforms has also created new risks.
Employees sometimes upload confidential financial reports into generative AI tools, or paste company code into unauthorized chatbots. Those tools can store the information outside the company, where others may access it, which increases the risk of exposure.

Many employees now use personal AI accounts or tools that are not approved. If they put sensitive information into these systems, it might be stored, logged, or even used to train AI models, which could expose confidential data outside the company.

Without clear rules, AI can make data sprawl worse and increase the risk from third parties.

Cyber Insurance and the Need for Proof

Insurers and underwriters now focus less on written policies. They look for proof that organizations enforce those policies. This shift reflects a growing emphasis on verified controls and real-world compliance.

Organizations increasingly must demonstrate that governance policies are actually working. That includes:

  • Logs showing retention and deletion activity
  • Evidence of data classification coverage
  • Documentation of access controls and audits
  • Tracking metrics that measure how quickly teams assess sensitive data exposure during a breach

In short, it is not enough to say you have governance. Organizations must prove it.

Practical Data Governance Strategies

Mason recommends a focused approach for organizations beginning their governance journey:

  1. Inventory all systems that contain organizational data.
  2. Identify where sensitive information resides.
  3. Restrict access to high-risk data sources.
  4. Implement defensible deletion policies.
  5. Track enforcement through logs and audit trails.

These steps help organizations go beyond just having policies and actually reduce risk in a measurable way.


The Human Factor in Cyber Resilience

Technology by itself cannot solve the data governance problem.

Everyone in an organization handles sensitive information every day. Training, awareness, and clear rules are key to preventing accidental leaks, especially as AI tools become part of daily work.

Mason points out that cyber resilience needs ongoing education, regular testing, and constant improvement.

Why Data Governance Is Now a Board-Level Issue

The financial impact of data sprawl is now too big to ignore.

Organizations should act now by finding, reducing, and managing their data responsibly. This can quickly lower their risk and improve cybersecurity.

Boards, risk managers, and cyber insurers should make data governance a top priority for cybersecurity and risk management. Take clear steps now to put data controls in place and show they are enforced across all parts of the business.

Take control of your data now to keep your organization resilient. Start building strong data governance today before hidden risks turn into a crisis.


Episode Transcript – Josh Mason RecordPoint CTO – This has been checked for accuracy, but confirm elements against the recording to be sure

Episode FAQ Josh Mason RecordPoint CTO

What is “data governance” in plain English?

Data governance is how an organization finds, understands, controls, and safely disposes of data. It includes knowing where data lives, classifying it, limiting access, and enforcing retention and deletion rules.

Why does data sprawl make cyber breaches worse?

Because when attackers get in, they often find years of duplicated, forgotten, or unclassified data. That increases the odds of sensitive exposure and makes it harder to determine what was accessed, driving up cost and liability.

What’s the biggest mistake companies make when thinking about breaches?

They focus only on preventing entry. Mason’s point is: breaches will happen, so the real question becomes what the attacker can reach and how fast you can scope the damage.

What does “defensible deletion” mean?

It means deleting data with proof. You keep audit logs or certificates showing what was deleted and when, so you can demonstrate policy enforcement later in litigation or regulatory review.
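The five-step approach above (inventory, identify sensitive data, restrict access, defensible deletion, track enforcement through logs) and this definition of defensible deletion can be shown end to end in a small script. The following is an added example written for this article; it is not RecordPoint's code or anything from the podcast. It assumes a hypothetical file inventory (constructed records with a path, last-access date and content), a hypothetical retention policy (a maximum number of years since last access per data class), and a simple SSN pattern as the classifier. Deletions are written to a hash-chained audit log, so each entry commits to the one before it and any later edit to an entry fails verification. That is the "proof" the FAQ answer refers to.

```python
import hashlib
import json
import re
from datetime import date

# Classifier for the example: the article cites Social Security numbers as
# sensitive data that turns up in forgotten files. A real classifier would
# cover many more data types; this pattern is illustrative only.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical retention policy: maximum years since last access, per class.
RETENTION_YEARS = {"sensitive": 7, "internal": 3}

# Constructed inventory standing in for a scan of shares, backups and legacy
# platforms (steps 1 and 2). Not real data.
INVENTORY = [
    {"path": "/shares/hr/payroll_2014.csv", "last_access": "2015-02-10",
     "content": "name,ssn\nA. Person,123-45-6789\n"},
    {"path": "/shares/hr/payroll_2025.csv", "last_access": "2025-12-01",
     "content": "name,ssn\nB. Person,987-65-4321\n"},
    {"path": "/backups/monthly/payroll_2025.csv", "last_access": "2025-06-01",
     "content": "name,ssn\nB. Person,987-65-4321\n"},   # exact duplicate
    {"path": "/shares/marketing/brand_guide.pdf", "last_access": "2020-01-15",
     "content": "Logo usage rules"},
    {"path": "/shares/eng/runbook.md", "last_access": "2025-11-20",
     "content": "How to restart the service"},
]

GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def classify(record: dict) -> str:
    return "sensitive" if SSN_RE.search(record["content"]) else "internal"


def years_since(last_access: str, today: date) -> float:
    return (today - date.fromisoformat(last_access)).days / 365.25


def decide(record: dict, today: date, kept_hashes: dict) -> tuple:
    """Return (action, reason). Stale files and duplicates of a kept file are
    deleted; everything else is retained and registered in kept_hashes."""
    cls = classify(record)
    age = years_since(record["last_access"], today)
    if age > RETENTION_YEARS[cls]:
        return "delete", f"{cls} data not accessed for {age:.1f} years (limit {RETENTION_YEARS[cls]})"
    digest = sha256(record["content"])
    if digest in kept_hashes:
        return "delete", f"duplicate of retained file {kept_hashes[digest]}"
    kept_hashes[digest] = record["path"]
    return "retain", f"{cls} data within retention window"


class AuditLog:
    """Hash-chained deletion log (step 5): every entry includes the hash of the
    previous entry, so editing or dropping an entry breaks verify()."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def record(self, today: date, record: dict, reason: str) -> None:
        body = {"date": today.isoformat(), "path": record["path"],
                "content_sha256": sha256(record["content"]),
                "classification": classify(record), "reason": reason,
                "prev": self.head}
        body["entry_hash"] = sha256(json.dumps(body, sort_keys=True))
        self.entries.append(body)
        self.head = body["entry_hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev or sha256(json.dumps(body, sort_keys=True)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def enforce_retention(inventory: list, today: date) -> dict:
    """Apply the policy to the inventory and return an evidence summary."""
    log, kept_hashes, retained = AuditLog(), {}, []
    for rec in inventory:  # the first copy within retention is the one kept
        action, reason = decide(rec, today, kept_hashes)
        if action == "delete":
            log.record(today, rec, reason)
        else:
            retained.append(rec["path"])
    return {
        "deleted": [e["path"] for e in log.entries],
        "retained": retained,
        "sensitive_before": sum(classify(r) == "sensitive" for r in inventory),
        "sensitive_after": sum(classify(r) == "sensitive" for r in inventory if r["path"] in retained),
        "audit": log,
        "chain_valid": log.verify(),
    }


if __name__ == "__main__":
    summary = enforce_retention(INVENTORY, date(2026, 1, 1))
    for entry in summary["audit"].entries:
        print(entry["path"], "->", entry["reason"])
    print("sensitive records:", summary["sensitive_before"], "->", summary["sensitive_after"])
    print("audit chain valid:", summary["chain_valid"])
```

Run against the constructed inventory with a reference date of 2026-01-01, the script deletes the 2015 payroll file (past the seven-year sensitive limit), the backup copy of the 2025 payroll file (a duplicate of a retained file) and the 2020 brand guide (past the three-year internal limit), and keeps two records. The summary counts of sensitive records before and after, together with the verifiable log, are the kind of evidence the article says underwriters now ask for instead of a written policy.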

How do permissions and access controls become a liability issue?

If sensitive data is broadly accessible through shared links, over-permissioned folders, or weak access reviews, then a single compromised credential can expose far more data. That becomes a breach scope, third-party, and legal liability problem.

How can AI help data governance?

AI can speed up data classification at scale, scanning large volumes of content to identify sensitive data, assign categories, and support faster risk decisions, work that humans cannot do manually across billions of files.

How can AI harm data governance?

Employees may paste sensitive information into personal or unsanctioned AI tools, creating data leakage and third-party exposure. Mason also flags growing risk from AI tool ecosystems that can route data to additional external services.

What should cyber insurers or underwriters ask to evaluate governance maturity?

Three practical questions show maturity fast:

  • Can you show logs of enforcement (retention/deletion/access reviews)?
  • What percentage of sensitive data is classified?
  • How quickly can you scope sensitive data exposure during an incident—days or months?

What’s one metric a board should ask for quarterly?

Mason’s pick: “What percentage of sensitive data is under active records management?” It forces clarity on inventory coverage, classification capability, and whether governance is real or just a policy document.
