Cyber attacks carry hidden business impacts and costs
Companies can suffer below-the-surface ramifications of a breach for years
By Roger Yu, ThirdCertainty
Most company senior executives and board members have no clue how to gauge the full scope of financial trauma engendered by a major network breach.
How does one calculate the value of lost trust of customers who take their patronage elsewhere after a well-publicized cyber attack, for instance?
Lost future sales generally are not accounted for in calculating cyber attack costs. A lack of planning for such variables potentially could cost companies significantly more in recovery, according to a report from consultancy Deloitte, titled “Beneath the surface of a cyberattack.”
Likening cyber attacks to gigantic icebergs with a body mass hidden largely below the surface, the report says as much as 95 percent of the financial impact in breaches is “hidden or less visible costs.”
Hidden costs may include cybersecurity insurance premium increases, lost contract revenue, loss of intellectual property, lost customers, business disruption, devaluation of trade name, and increased cost to raise debt.
“There was something missing from the conversation and dialogue,” says Emily Mossburg of Deloitte & Touche’s Cyber Risk Services. “Most of the conversation focuses on those things associated with loss of personal data and loss of financial account information. Those things are important, but there are a lot of other things that happen in an organization.”
Setting up common defensive measures (VPN, two-factor authentication, etc.) is now accepted enterprise practice. Companies have learned to budget for these preventative measures and for other triage and post-attack actions, such as paying for customer credit reports, attorney fees, hiring a PR firm, cybersecurity improvements, customer notification, investigation and regulatory compliance efforts.
Such “above-the-surface” costs are talked about openly among executives and are easier to estimate. “The idea that cyber attacks are increasingly likely—and perhaps inevitable—is beginning to take hold among executives and boards,” the report says.
To be sure, losing client data and customer information is costly, but these are damages that need to be remediated quickly. With industrywide discussions about developing better financial modeling for lost data, companies now find it easier to calculate a “cost per record” for consumer data breaches.
Costs involved in triage responses to a cyber attack typically account for less than 10 percent of total recovery costs, the report says. “Impact management,” including responding to complaints and securing customers’ credit, can take another year or two.
But below-the-surface costs often play out longer and make financial modeling difficult, Mossburg says. Business recovery, which may include having to find new customers to make up for lost relationships, can take three to five years.
And what about the cost of a merger and acquisition partner walking away in the middle of a multibillion-dollar deal because the target company lost confidential M&A documents to hackers? What is the value of a three-year strategic road map for a company that’s about to embark on a turnaround plan?
Deloitte says one large health care company with $60 billion in annual revenue lost $1.6 billion after a breach of patient records. Only about 3.5 percent of it can be attributed to “above-the-surface” costs. Rising insurance premiums, lost contract revenue, and lost customers accounted for much of the total loss.
Some of the below-the-surface costs may not even be covered by cybersecurity insurance. “People weren’t focusing on putting energy behind things that cause the most damage,” Mossburg says.
To widen understanding of post-attack spending needs, companies should consider “peanut butter spreading” of their cybersecurity budgets and “change the lens with which they look at their cyber programs,” Mossburg says. “Are you spending the right way? Should we be prioritizing our efforts differently?” she says.
Companies may want to consider “scenario modeling” to assess how they would react and where the hidden costs may arise, she says. Prioritizing the most important assets, and studying the threats to them, may reveal cost areas that weren’t previously considered.
As cyber attacks intensify and extend to new attack surfaces, taking shape with the rise of cloud computing, mobile computing, and the Internet of Things, companies need to rethink cyber risk mitigation. Assessing the threat-level environment where the valued assets reside may render new ideas on how to protect them, Mossburg says.
“It’s not just one or two years. (A cyber attack) plays out three to five years in the future,” she says.