The Hidden Costs Of A Data Breach

Much of the business discussion around cybersecurity relates to protection of key assets such as customer information and intellectual property, often after the news that another company has suffered a large data breach. While strengthening defenses against cyber-attackers is important, companies also must be prepared to handle the reputational and financial hits that a cyber incident can produce for years down the road.

Cybersecurity has the attention of CFOs and other decision-makers. And for good reason: The average cost of a data breach has risen 29% since 2013, to about $4 million per incident, according to an annual report from IBM and Ponemon Institute. And a 2015 survey of US finance decision-makers shows that organizations are increasing spending on cybersecurity.

A new report by Deloitte addresses issues that go beyond data protection, pointing out the hidden costs that go along with responding once a cyberattack has occurred.

"The conversation has been a technical one to date. It's focused on the vulnerabilities, and the threats and the adversaries out there," said Emily Mossburg, principal in Deloitte & Touche LLP's cyber-risk practice and a report author. "Much of what is talked about is the number of records that were compromised: Social Security numbers and financial account information. That's important, but that was sort of where the conversation was ending."

Cyber readiness, the Deloitte report said, is not just about what happens after an attack. In other words, it is far more involved than following through on a six-week or six-month incident response plan with technology upgrades and planned communication with customers and other stakeholders.

The report lists 14 impact factors of a cyberattack, including seven classified as "beneath the surface" and having less visible costs:

Insurance premium increases: A company might need to buy or renew its cybersecurity insurance after a cyber incident. But that doesn't mean it's renewing or buying for the same cost as its previous policies. Deloitte said it was not uncommon for companies to face premium increases of 200% for the same coverage, or to be denied coverage until demonstrating to the insurer that is had strengthened cyber defenses. Insurers could cite any number of issues with a company in the aftermath of a data breach, Mossburg said, citing weak access controls, an insufficient incident response plan, or insufficient monitoring as among the possible factors. Basically, insurers are in position to tell a company what it needs to fix before coverage will be continued.

Increased cost to raise debt: Perception becomes reality when an organization has suffered a cyberattack. A company's credit rating can be lowered in the aftermath of a data breach, and that can affect a company's ability to raise debt or renegotiate its existing debt, Deloitte said. The corporate credit rating of U.S. retailer Target was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's months after a cyberattack. While Standard & Poor's has kept a stable outlook for the company and says it believes the data security issues are largely behind Target, it has not bumped Target's credit rating back to "A+." Deloitte's analysis said that credit ratings agencies typically downgrade by one level companies that have experienced a cyber incident.

Impact of operational disruption or destruction: Any disruption of normal business operations will have financial repercussions. Resources from one part of a company could be diverted to other parts in the wake of a data breach. If a company's e-commerce site has to be shut down temporarily, for example, the company will lose out on current and potentially future business when customers go to a competitor.

Lost value of customer relationships: If those customers like what they see from the competitor, they might not return to the business that suffered a breach. Deloitte's hypothetical analysis showed that customer attrition rate increases 30% in the wake of a cyber incident and doesn't return to normal until three years later. In the case of Target, S&P said in March 2014: "We expect the data breach to have a somewhat lingering effect on customer traffic at least through the first half of fiscal 2014."

Value of lost contract revenue: Similar to the effect on a company's ability to raise debt, contract negotiation with other entities is more difficult after a data breach. And that's in addition to contracts that might be terminated as a direct result of a cyberattack. A company may have built cost increases for services into its financial models, Mossburg said, so those models must be recalculated in the event of a data breach. The IBM and Ponemon Institute report said the "biggest financial consequence to organizations that experienced a data breach is lost business."

Devaluation of trade name: If a company's business is offering services to other companies, the company on the receiving end of the services is less likely to seek additional services from a company that has suffered a data breach. And a company such as a retailer obviously must rebuild brand loyalty after a data breach. "Now that this has happened, that relationship has been damaged, and companies have to start over in that investment process," Mossburg said.

Loss of intellectual property: This can be the most crippling effect for a company that suffers a data breach. The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost. "If you lose plans, if you lose designs, or lose [research and development] that you've been working on for months or years, and that then is brought to market by another organization faster and cheaper than you can do it, that impact can be reverberating for decades," Mossburg said.

JournalOfAccountancy: http://bit.ly/2ahQE0f

« Cyber War In Kashmir
London Police Chief Says Spy Agencies Face Terror Fight »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Clifford Chance

Clifford Chance

Clifford Chance are one of the world's pre-eminent law firms with resources across five continents. Practice areas include Cyber Security & Information Protection

Neoteric Networks

Neoteric Networks

We deliver a no nonsense procedure to implementing technology. The technology selection process ensures that all customers enjoy an engineered methodology implementing technology.

Mitek Systems

Mitek Systems

Mitek's global mobile capture and identity verification technology optimizes the digital user experience for thousands of financial services organizations.

National Authority for Electronic Certification and Cyber Security (AKCESK)

National Authority for Electronic Certification and Cyber Security (AKCESK)

AKCESK ensures security for trusted services, in particular reliability and security in electronic transactions between citizens, businesses and public authorities.

Seekurity

Seekurity

Seekurity is an information security consulting firm specialized in all areas of Cyber Security including Penetration Testing, Vulnerability Assessments and Risk Management.

AFNOR Group

AFNOR Group

AFNOR Group designs and deploys solutions based on voluntary standards around the world and provides services including training, professional and technical information, assessment and certification.

Industrial Cybersecurity Center (CCI)

Industrial Cybersecurity Center (CCI)

CCI is the first center of its kind that comes from industry without subsidies, independent and non-profit, to promote and contribute to the improvement of Industrial Cybersecurity.

In-Sec-M

In-Sec-M

In-Sec-M is a non-profit organization that brings together companies, learning and research institutions, and government actors to increase competitiveness of the Canadian cybersecurity industry.

Technology Innovation & Startup Centre (TISC)

Technology Innovation & Startup Centre (TISC)

TISC is a startup incubator at the Indian Institute of Technology Jodhpur (IITJ) and we back deep-tech startups.

Periculus

Periculus

Periculus makes managing digital risk simple. Its integrated platform offers access to purchase cyber insurance and cyber security solutions uniquely tailored to fit the needs of every business.

Sec-Ops

Sec-Ops

Sec-Ops is a forward thinking cyber security company, formed by a group of security enthusiasts with years of experience and backgrounds in the technology and the government industries.

KSOC Labs

KSOC Labs

KSOC is an event-driven SaaS platform built to automatically remediate Kubernetes security risks.

AutoRABIT

AutoRABIT

AutoRABIT provides DevSecOps tools built specifically for Salesforce developers to increase release velocity, produce consistently high-quality code, and enhance data security.

AI Spera

AI Spera

AI-Driven Cyber Threat Intelligence Security. AI Spera provides real-time intelligence to empower your security competences in all aspects of the business.

Next DLP

Next DLP

Next DLP (formerly Jazz Networks) is a leading provider of insider risk and data protection solutions.

Yokai

Yokai

Yokai is a secure, distributed platform for data communication with enhanced security features tailored for classified environments such as finance, defence, healthcare, cybersecurity, and more.