Hidden costs of cyberattack

Cyberattacks have many adverse effects, both physical and financial, on any organization, and the impact varies with the nature and severity of the event.
CFO Insights recently released a report covering seven costs that are not so apparent but are important in calculating the total cost of a cyberattack.
While common perceptions of financial loss in a cyberattack include the losses a company suffers through theft of personally identifiable information, payment data, and personal health information, discussions in this report focus on customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties.

Below the surface costs

Cases of intellectual property (IP) theft, espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure have a more significant impact on organizations than they seem to, and they often lead to additional costs that are more difficult to quantify and often hidden from public view.
A recent Deloitte study, “Beneath the surface of a cyberattack: A deeper look at business impacts,” identified 14 business impacts of a cyber incident as they play out over a five-year incident response process. The direct costs commonly associated with data breaches accounted for less than 5% of the total business impact across these impacts.

1. Insurance premium increases

Insurance premium increases are the additional costs an insured entity might incur to purchase or renew cyber risk insurance policies following a cyber incident.
As not much data was available on premium increases after a cyberattack, Deloitte conducted its own informal research among providers of cyber insurance and found that it was common for policyholders to face a 200% increase in premiums for the same coverage, and at times even to be denied coverage until stringent conditions are met following a cyber incident.
The research found that future costs are heavily influenced by the policyholder’s willingness to provide information and the depth of that information upon review of the incident, the policyholder’s plans to improve incident handling or other aspects of its security program, anticipated litigation, and assumptions concerning the company’s level of cybersecurity ‘maturity’.

2. Increased cost to raise debt

The cost to raise debt depends directly on credit rating: when the credit rating drops, the cost to raise debt increases. The victim organization faces higher interest rates for borrowed capital, either when raising debt or when renegotiating existing debt. During the months when cyber incidents are prevalent, organizations are perceived as higher-risk borrowers. During the research, Deloitte analysed the credit rating of nine public companies, observed an average Standard and Poor’s credit rating of ‘A’, and assessed these companies against companies that had recently suffered a cyber incident. The research concluded that a cyberattack incident downgraded the credit rating by one level.

3. Operational disruption or destruction

The impact of operational disruption or destruction includes losses tied to manipulation or alteration of normal business operations and the costs of rebuilding operational capabilities. These include the need to repair equipment and facilities, build temporary infrastructure, divert resources from one part of the business to another, or increase current resources to support alternative business operations that replace the function of systems that have been temporarily shut down. It could also include losses associated with the inability to deliver goods or services.

4. Lost value of customer relationships

Loss of customers immediately after a breach affects an organization adversely. Economists and marketing teams track customer loss by attaching a “value” to each customer or member to quantify how much the business must invest to acquire that customer or member. The particular customer or member is then analysed for the amount of revenue they will generate for the business over time. These numbers are then evaluated per industry and organization to derive an estimate of the investment needed to attract and acquire new customers.

5. Value of lost contract revenue

Value of lost contract revenue includes revenue and ultimate income loss, as well as lost future opportunity associated with contracts that are terminated due to a cyber incident. Deloitte assessed the value of the contracts in its test cases both before and after the cyberattack. Following a cyberattack, if the company were to lose contracts, there would be a decrease in revenues. The present value of the cash flows that the company would have earned over the term of the contracts was then determined.

6. Devaluation of trade name

Devaluation of trade name is a cost category referring to the loss in value of the names, marks, or symbols an organization uses to distinguish its products and services. While a brand name is associated with the name of a specific company or a specific product, a trade name relates to an organization as a whole. To determine the financial impact on the value of a trade name, the likely value of the trade name both before and after the cyber incident has to be assessed. To value the trade name, Deloitte employed the relief-from-royalty method. The relief-from-royalty method, commonly used to value IP assets, estimates the value by analyzing what another entity would have to pay to license the company’s trade name. The analysis involved establishing a reasonable “royalty fee” for similar types of IP and analyzing profit margins across the industries to which the test cases belong.
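
The present-value step described for lost contract revenue and the relief-from-royalty method described above can be worked through in code. This is an added example, not code or figures from the Deloitte report: every revenue forecast, royalty rate, tax rate and discount rate is constructed, and taxing the avoided royalty and using a fixed forecast period with no terminal value are simplifying assumptions.

```python
"""Added illustration: all inputs are constructed, none come from the Deloitte report."""

def present_value(cash_flows, discount_rate):
    """Discount year-end cash flows (year 1, 2, ...) back to today."""
    return sum(cf / (1 + discount_rate) ** year
               for year, cf in enumerate(cash_flows, start=1))

def lost_contract_value(annual_cash_flow, years_remaining, discount_rate):
    """Present value of the cash flows a terminated contract would have earned."""
    if years_remaining < 0:
        raise ValueError("years_remaining must be non-negative")
    return present_value([annual_cash_flow] * years_remaining, discount_rate)

def relief_from_royalty(revenues, royalty_rate, tax_rate, discount_rate):
    """Trade name value: PV of the after-tax royalties the owner avoids paying
    by owning the name instead of licensing it (assumed simplified form)."""
    if not 0 <= royalty_rate <= 1 or not 0 <= tax_rate <= 1:
        raise ValueError("rates must be fractions between 0 and 1")
    savings = [rev * royalty_rate * (1 - tax_rate) for rev in revenues]
    return present_value(savings, discount_rate)

def trade_name_devaluation(before, after, tax_rate, discount_rate):
    """Difference between pre- and post-incident trade name value.
    `before` and `after` are (revenue_forecast, royalty_rate) pairs."""
    value_before = relief_from_royalty(before[0], before[1], tax_rate, discount_rate)
    value_after = relief_from_royalty(after[0], after[1], tax_rate, discount_rate)
    return value_before - value_after

if __name__ == "__main__":
    # Constructed scenario: five-year forecasts, figures in millions.
    pre = ([500, 520, 540, 560, 580], 0.02)     # forecast and royalty rate before
    post = ([470, 480, 500, 530, 560], 0.015)   # weaker forecast and rate after
    loss = trade_name_devaluation(pre, post, tax_rate=0.25, discount_rate=0.10)
    print(f"Trade name devaluation: {loss:.1f}M")
    print(f"Lost contract value:    {lost_contract_value(12, 3, 0.10):.1f}M")
```

The result is most sensitive to the royalty rate and the post-incident revenue forecast, so those two inputs are the ones to vary when testing a scenario.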

7. Loss of intellectual property

Loss of IP is the cost associated with loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information, which can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company. The value of IP is estimated by approximating how much another party would pay to license that IP.