Much of the business discussion around cyber-security relates to protection of key assets such as customer information and intellectual property, often after the news that another company has suffered a large data breach. While strengthening defences against cyber-attackers is important, companies also must be prepared to handle the reputational and financial hits that a cyber incident can produce for years down the road.
Cyber-security has the attention of CFOs and other decision-makers. And for good reason: The average cost of a data breach has risen 29% since 2013, to about $4 million per incident, according to an annual report from IBM and Ponemon Institute. And a 2015 survey of US finance decision-makers shows that organisations are increasing spending on cyber-security.
A new report by Deloitte addresses issues that go beyond data protection, pointing out the hidden costs that go along with responding once a cyber-attack has occurred.
"The conversation has been a technical one to date. It's focused on the vulnerabilities, and the threats and the adversaries out there," said Emily Mossburg, principal in Deloitte & Touche LLP's cyber risk practice and a report author. "Much of what is talked about is the number of records that were compromised: Social Security numbers and financial account information. That's important, but that was sort of where the conversation was ending."
Cyber readiness, the Deloitte report said, is not just about what happens after an attack. In other words, it is far more involved than following through on a six-week or six-month incident response plan with technology upgrades and planned communication with customers and other stakeholders.
The report lists 14 impact factors of a cyber-attack, including seven classified as "beneath the surface" and having less visible costs:
Insurance premium increases: A company might need to buy or renew its cyber-security insurance after a cyber incident. But that doesn't mean it's renewing or buying for the same cost as its previous policies. Deloitte said it was not uncommon for companies to face premium increases of 200% for the same coverage, or to be denied coverage until demonstrating to the insurer that is had strengthened cyber defences. Insurers could cite any number of issues with a company in the aftermath of a data breach, Mossburg said, citing weak access controls, an insufficient incident response plan, or insufficient monitoring as among the possible factors. Basically, insurers are in position to tell a company what it needs to fix before coverage will be continued.
Increased cost to raise debt: Perception becomes reality when an organisation has suffered a cyber-attack. A company's credit rating can be lowered in the aftermath of a data breach, and that can affect a company's ability to raise debt or renegotiate its existing debt, Deloitte said. The corporate credit rating of US retailer Target was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's months after a cyber-attack. While Standard & Poor's has kept a stable outlook for the company and says it believes the data security issues are largely behind Target, it has not bumped Target's credit rating back to "A+". Deloitte's analysis said that credit ratings agencies typically downgrade by one level companies that have experienced a cyber incident.
Impact of operational disruption or destruction: Any disruption of normal business operations will have financial repercussions. Resources from one part of a company could be diverted to other parts in the wake of a data breach. If a company's e-commerce site has to be shut down temporarily, for example, the company will lose out on current and potentially future business when customers go to a competitor.
Lost value of customer relationships: If those customers like what they see from the competitor, they might not return to the business that suffered a breach. Deloitte's hypothetical analysis showed that customer attrition rate increases 30% in the wake of a cyber incident and doesn't return to normal until three years later. In the case of Target, S&P said in March 2014: "We expect the data breach to have a somewhat lingering effect on customer traffic at least through the first half of fiscal 2014."
Value of lost contract revenue: Similar to the effect on a company's ability to raise debt, contract negotiation with other entities is more difficult after a data breach. And that's in addition to contracts that might be terminated as a direct result of a cyber-attack. A company may have built cost increases for services into its financial models, Mossburg said, so those models must be recalculated in the event of a data breach. The IBM and Ponemon Institute report said the "biggest financial consequence to organizations that experienced a data breach is lost business."
Devaluation of trade name: If a company's business is offering services to other companies, the company on the receiving end of the services is less likely to seek additional services from a company that has suffered a data breach. And a company such as a retailer obviously must rebuild brand loyalty after a data breach. "Now that this has happened, that relationship has been damaged, and companies have to start over in that investment process," Mossburg said.
Loss of intellectual property: This can be the most crippling effect for a company that suffers a data breach. The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost. "If you lose plans, if you lose designs, or lose [research and development] that you've been working on for months or years, and that then is brought to market by another organisation faster and cheaper than you can do it, that impact can be reverberating for decades," Mossburg said.
Related CGMA Magazine content:
- "Why CFOs Are Hiring More Consultants": US CFOs in 2015 were more likely than they were two years earlier to hire consultants for a variety of roles, according to a survey. Two former CFOs list some of the tasks that might be best suited for an outsider to perform.
- "Internal Auditors Challenged by Cyber-Security, Data Quality": Many internal audit departments are short on cyber-security expertise and lack involvement in evaluating the quality of the data used in their organisations.
—Neil Amato (firstname.lastname@example.org) is a CGMA Magazine senior editor.