The Hidden Costs Of A Data Breach

Much of the business discussion around cybersecurity relates to protection of key assets such as customer information and intellectual property, often after the news that another company has suffered a large data breach. While strengthening defenses against cyber-attackers is important, companies also must be prepared to handle the reputational and financial hits that a cyber incident can produce for years down the road.

Cybersecurity has the attention of CFOs and other decision-makers. And for good reason: The average cost of a data breach has risen 29% since 2013, to about $4 million per incident, according to an annual report from IBM and Ponemon Institute. And a 2015 survey of US finance decision-makers shows that organizations are increasing spending on cybersecurity.

A new report by Deloitte addresses issues that go beyond data protection, pointing out the hidden costs that go along with responding once a cyberattack has occurred.

"The conversation has been a technical one to date. It's focused on the vulnerabilities, and the threats and the adversaries out there," said Emily Mossburg, principal in Deloitte & Touche LLP's cyber-risk practice and a report author. "Much of what is talked about is the number of records that were compromised: Social Security numbers and financial account information. That's important, but that was sort of where the conversation was ending."

Cyber readiness, the Deloitte report said, is not just about what happens after an attack. In other words, it is far more involved than following through on a six-week or six-month incident response plan with technology upgrades and planned communication with customers and other stakeholders.

The report lists 14 impact factors of a cyberattack, including seven classified as "beneath the surface" and having less visible costs:

Insurance premium increases: A company might need to buy or renew its cybersecurity insurance after a cyber incident. But that doesn't mean it's renewing or buying for the same cost as its previous policies. Deloitte said it was not uncommon for companies to face premium increases of 200% for the same coverage, or to be denied coverage until demonstrating to the insurer that is had strengthened cyber defenses. Insurers could cite any number of issues with a company in the aftermath of a data breach, Mossburg said, citing weak access controls, an insufficient incident response plan, or insufficient monitoring as among the possible factors. Basically, insurers are in position to tell a company what it needs to fix before coverage will be continued.

Increased cost to raise debt: Perception becomes reality when an organization has suffered a cyberattack. A company's credit rating can be lowered in the aftermath of a data breach, and that can affect a company's ability to raise debt or renegotiate its existing debt, Deloitte said. The corporate credit rating of U.S. retailer Target was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's months after a cyberattack. While Standard & Poor's has kept a stable outlook for the company and says it believes the data security issues are largely behind Target, it has not bumped Target's credit rating back to "A+." Deloitte's analysis said that credit ratings agencies typically downgrade by one level companies that have experienced a cyber incident.

Impact of operational disruption or destruction: Any disruption of normal business operations will have financial repercussions. Resources from one part of a company could be diverted to other parts in the wake of a data breach. If a company's e-commerce site has to be shut down temporarily, for example, the company will lose out on current and potentially future business when customers go to a competitor.

Lost value of customer relationships: If those customers like what they see from the competitor, they might not return to the business that suffered a breach. Deloitte's hypothetical analysis showed that customer attrition rate increases 30% in the wake of a cyber incident and doesn't return to normal until three years later. In the case of Target, S&P said in March 2014: "We expect the data breach to have a somewhat lingering effect on customer traffic at least through the first half of fiscal 2014."

Value of lost contract revenue: Similar to the effect on a company's ability to raise debt, contract negotiation with other entities is more difficult after a data breach. And that's in addition to contracts that might be terminated as a direct result of a cyberattack. A company may have built cost increases for services into its financial models, Mossburg said, so those models must be recalculated in the event of a data breach. The IBM and Ponemon Institute report said the "biggest financial consequence to organizations that experienced a data breach is lost business."

Devaluation of trade name: If a company's business is offering services to other companies, the company on the receiving end of the services is less likely to seek additional services from a company that has suffered a data breach. And a company such as a retailer obviously must rebuild brand loyalty after a data breach. "Now that this has happened, that relationship has been damaged, and companies have to start over in that investment process," Mossburg said.

Loss of intellectual property: This can be the most crippling effect for a company that suffers a data breach. The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost. "If you lose plans, if you lose designs, or lose [research and development] that you've been working on for months or years, and that then is brought to market by another organization faster and cheaper than you can do it, that impact can be reverberating for decades," Mossburg said.

JournalOfAccountancy: http://bit.ly/2ahQE0f

« Cyber War In Kashmir
London Police Chief Says Spy Agencies Face Terror Fight »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

QNAP Systems

QNAP Systems

QNAP Systems, Inc. delivers world class network attached storage (NAS) and network video recorder (NVR) solutions.

Hewlett Packard Enterprise (HPE)

Hewlett Packard Enterprise (HPE)

HPE is an information technology company focused on Enterprise networking, Services and Support.

Tubitak

Tubitak

Tubitak is the scientific and technological research council of Turkey. Areas of research include information technology and security.

Nuvias Group

Nuvias Group

Nuvias Group is a specialist value-addedd IT distribution company offering a service-led and solution-rich proposition ready for the new world of technology supply.

Modux

Modux

Modux focus on a number of core competencies across cyber security including; cyber intelligence & analytics, penetration testing and training.

SteelCloud

SteelCloud

SteelCloud has spent the last decade inventing technology to automate policy compliance, configuration control, and Cloud security.

Ritz

Ritz

Ritz is the largest holistic pure-play cyber security solutions provider in Myanmar.

Dutch Innovation Park

Dutch Innovation Park

Dutch Innovation Park in Zoetermeer is a breeding ground for applied IT solutions in the field of cyber security, e-health, smart mobility and big data.

Bitcrack

Bitcrack

Bitcrack Cyber Security helps your company understand and defend your threat landscape using our key experience and skills in cybersecurity, threat mitigation and risk.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

Cytenna

Cytenna

Cytenna Signal is a suite of SaaS (Software-as-a-Service) products that use AI and machine learning to automatically aggregate the latest information about software vulnerabilities.

Intersistemi Italia

Intersistemi Italia

Intersistemi is a leading Italian company in the field of information technology integration and digital transformation including cybersecurity.

US Digital Corps

US Digital Corps

The U.S. Digital Corps is a new two-year fellowship for early-career technologists where you will work every day to make a difference in critical impact areas including cybersecurity.

WhizHack Technologies

WhizHack Technologies

WhizHack's mission is to not only create a pipeline of cyber security products but also to empower people to sustainable innovation in securing digital assets of tomorrow.

iomart Group

iomart Group

iomart is a cloud computing and IT managed services business providing secure hybrid cloud, network connectivity, data management, and digital workplace capability.

Foghorn Consulting

Foghorn Consulting

Foghorn can analyze your cloud to enhance performance and security, while reducing costs. Based on AWS’ 6 Pillars, our AWS WAFR Certified Engineers Will Identify Areas of Improvement.