Cyber attacks carry hidden business impacts and costs

Companies can suffer below-the-surface ramifications of a breach for years


Most company senior executives and board members have no clue how to gauge the full scope of financial trauma engendered by a major network breach.

How does one calculate the value of lost trust of customers who take their patronage elsewhere after a well-publicized cyber attack, for instance?

Lost future sales generally are not accounted for in calculating cyber attack costs. A lack of planning for such variables potentially could cost companies significantly more in recovery, according to a report from consultancy Deloitte, titled “Beneath the surface of a cyberattack.”

Likening cyber attacks to gigantic icebergs with a body mass hidden largely below the surface, the report says as much as 95 percent of the financial impact of breaches is “hidden or less visible costs.”

Hidden costs may include cybersecurity insurance premium increases, lost contract revenue, loss of intellectual property, lost customers, business disruption, devaluation of trade name, and increased cost to raise debt.

“There was something missing from the conversation and dialogue,” says Emily Mossburg of Deloitte & Touche’s Cyber Risk Services. “Most of the conversation focuses on those things associated with loss of personal data and loss of financial account information. Those things are important, but there are a lot of other things that happen in an organization.”

Setting up common defensive efforts—VPN, two-factor authentication, etc.—is now an accepted enterprise practice. Companies have learned to budget for these preventative measures and for other triage and post-attack actions, such as paying for customer credit reports, attorney fees, hiring a PR firm, cybersecurity improvements, customer notification, investigation and regulatory compliance efforts.

Such “above-the-surface” costs are talked about openly among executives and are easier to estimate. “The idea that cyber attacks are increasingly likely—and perhaps inevitable—is beginning to take hold among executives and boards,” the report says.

To be sure, losing client data and customer information is costly, but these are damages that need to be remediated quickly. With industrywide discussions about developing better financial modeling for lost data, companies now find it easier to calculate a “cost per record” for consumer data breaches.

Costs involved in triage responses to a cyber attack typically account for less than 10 percent of total recovery costs, the report says. “Impact management,” including responding to complaints and securing customers’ credit, can take another year or two.

Emily Mossburg, Deloitte & Touche Cyber Risk Services advisory principal

But below-the-surface costs often play out longer and make financial modeling difficult, Mossburg says. Business recovery, which may include having to find new customers to make up for lost relationships, can take three to five years.

And what about the cost of a merger and acquisition partner walking away in the middle of a multibillion-dollar deal because the target company lost confidential M&A documents to hackers? What is the value of a three-year strategic road map for a company that’s about to embark on a turnaround plan?

Deloitte says one large health care company with $60 billion in annual revenue lost $1.6 billion after a breach of patient records. Only about 3.5 percent of it can be attributed to “above-the-surface” costs. Rising insurance premiums, lost contract revenue, and lost customers accounted for much of the total loss.

Some of the below-the-surface costs may not even be covered by cybersecurity insurance. “People weren’t focusing on putting energy behind things that cause the most damage,” Mossburg says.

To widen understanding of post-attack spending needs, companies should consider “peanut butter spreading” of their cybersecurity budgets and “change the lens with which they look at their cyber programs,” Mossburg says. “Are you spending the right way? Should we be prioritizing our efforts differently?” she says.

Companies may want to consider “scenario modeling” to assess how they would react and where the hidden costs may arise, she says. Prioritizing the most important assets, and studying the threats to them, may surface cost areas that weren’t previously considered.

As cyber attacks intensify and extend to new attack surfaces, taking shape with the rise of cloud computing, mobile computing, and the Internet of Things, companies need to rethink cyber risk mitigation. Assessing the threat-level environment where the valued assets reside may yield new ideas on how to protect them, Mossburg says.

“It’s not just one or two years. (A cyber attack) plays out three to five years in the future,” she says.
