The Hidden Costs Of A Data Breach

Much of the business discussion around cybersecurity relates to protection of key assets such as customer information and intellectual property, often after the news that another company has suffered a large data breach. While strengthening defenses against cyber-attackers is important, companies also must be prepared to handle the reputational and financial hits that a cyber incident can produce for years down the road.

Cybersecurity has the attention of CFOs and other decision-makers. And for good reason: The average cost of a data breach has risen 29% since 2013, to about $4 million per incident, according to an annual report from IBM and Ponemon Institute. And a 2015 survey of US finance decision-makers shows that organizations are increasing spending on cybersecurity.

A new report by Deloitte addresses issues that go beyond data protection, pointing out the hidden costs that go along with responding once a cyberattack has occurred.

"The conversation has been a technical one to date. It's focused on the vulnerabilities, and the threats and the adversaries out there," said Emily Mossburg, principal in Deloitte & Touche LLP's cyber-risk practice and a report author. "Much of what is talked about is the number of records that were compromised: Social Security numbers and financial account information. That's important, but that was sort of where the conversation was ending."

Cyber readiness, the Deloitte report said, is not just about what happens after an attack. In other words, it is far more involved than following through on a six-week or six-month incident response plan with technology upgrades and planned communication with customers and other stakeholders.

The report lists 14 impact factors of a cyberattack, including seven classified as "beneath the surface" and having less visible costs:

Insurance premium increases: A company might need to buy or renew its cybersecurity insurance after a cyber incident. But that doesn't mean it's renewing or buying for the same cost as its previous policies. Deloitte said it was not uncommon for companies to face premium increases of 200% for the same coverage, or to be denied coverage until demonstrating to the insurer that is had strengthened cyber defenses. Insurers could cite any number of issues with a company in the aftermath of a data breach, Mossburg said, citing weak access controls, an insufficient incident response plan, or insufficient monitoring as among the possible factors. Basically, insurers are in position to tell a company what it needs to fix before coverage will be continued.

Increased cost to raise debt: Perception becomes reality when an organization has suffered a cyberattack. A company's credit rating can be lowered in the aftermath of a data breach, and that can affect a company's ability to raise debt or renegotiate its existing debt, Deloitte said. The corporate credit rating of U.S. retailer Target was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's months after a cyberattack. While Standard & Poor's has kept a stable outlook for the company and says it believes the data security issues are largely behind Target, it has not bumped Target's credit rating back to "A+." Deloitte's analysis said that credit ratings agencies typically downgrade by one level companies that have experienced a cyber incident.

Impact of operational disruption or destruction: Any disruption of normal business operations will have financial repercussions. Resources from one part of a company could be diverted to other parts in the wake of a data breach. If a company's e-commerce site has to be shut down temporarily, for example, the company will lose out on current and potentially future business when customers go to a competitor.

Lost value of customer relationships: If those customers like what they see from the competitor, they might not return to the business that suffered a breach. Deloitte's hypothetical analysis showed that customer attrition rate increases 30% in the wake of a cyber incident and doesn't return to normal until three years later. In the case of Target, S&P said in March 2014: "We expect the data breach to have a somewhat lingering effect on customer traffic at least through the first half of fiscal 2014."

Value of lost contract revenue: Similar to the effect on a company's ability to raise debt, contract negotiation with other entities is more difficult after a data breach. And that's in addition to contracts that might be terminated as a direct result of a cyberattack. A company may have built cost increases for services into its financial models, Mossburg said, so those models must be recalculated in the event of a data breach. The IBM and Ponemon Institute report said the "biggest financial consequence to organizations that experienced a data breach is lost business."

Devaluation of trade name: If a company's business is offering services to other companies, the company on the receiving end of the services is less likely to seek additional services from a company that has suffered a data breach. And a company such as a retailer obviously must rebuild brand loyalty after a data breach. "Now that this has happened, that relationship has been damaged, and companies have to start over in that investment process," Mossburg said.

Loss of intellectual property: This can be the most crippling effect for a company that suffers a data breach. The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost. "If you lose plans, if you lose designs, or lose [research and development] that you've been working on for months or years, and that then is brought to market by another organization faster and cheaper than you can do it, that impact can be reverberating for decades," Mossburg said.

JournalOfAccountancy: http://bit.ly/2ahQE0f

« Cyber War In Kashmir
London Police Chief Says Spy Agencies Face Terror Fight »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

InfoSec People

InfoSec People

InfoSec People is a boutique cyber and technology recruitment consultancy, built by genuine experts.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

Asoftnet

Asoftnet

Asoftnet are specialists in IT security, IT forensics, IT service, websites, applications and mobile solutions.

BrainChip

BrainChip

BrainChip is the leading provider of neuromorphic computing solutions, a type of artificial intelligence that is inspired by the biology of the human neuron - spiking neural networks.

Sky Data Vault

Sky Data Vault

Sky Data Vault provide the simplest and most cost effective method of Disaster Recovery / Business Continuity for mission critical systems and applications.

BicDroid

BicDroid

BicDroid is a world leader in data and cyber security with innovative solutions that protect your data anywhere, anytime, against everything.

Pelta Cyber Security

Pelta Cyber Security

Pelta Cyber Security is the cyber security consulting and solutions division of Softworld Inc. We provide staffing and recruitment services as well as consulting and solutions for outsourced projects.

Tetrate.io

Tetrate.io

Tetrate Service Bridge provides enterprises with a consistent, unified way to connect and secure services across an entire mesh-managed environment.

GuardYoo

GuardYoo

GuardYoo's SaaS platform allows cybersecurity professionals to perform Compromise Assessment remotely from anywhere in the world.

Securance Consulting

Securance Consulting

Since 2002, Securance has empowered enterprises to assume proactive security, compliance, and risk management strategies.

Anametric

Anametric

Anametric is developing new technologies and devices for chip scale quantum photonics, with a focus on cybersecurity.

Camelot Secure

Camelot Secure

Camelot Secure Secure360 platform is a holistic redefinition of what world-class cybersecurity strategies can be. Prepare. Protect. Deploy.

CyberEPQ

CyberEPQ

CyberEPQ (Cyber Extended Project Qualification) is the UK’s first and only Extended Project Qualification in Cyber Security.

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures is an early-stage investment vehicle focused on cybersecurity, data analytics and automation startups.

Hydden

Hydden

Hydden gives security teams the ability to create a solid foundation to build a truly next-gen identity security practice by bridging the gaps between siloed teams and technologies.

Silicon Valley Cybersecurity Institute (SVCSI)

Silicon Valley Cybersecurity Institute (SVCSI)

SVCSI aims to investigate, develop, and promote technical excellence and the best security practices for dependable and secure systems and applications.