Post Show: Exhibitor Report
This blog was provided by Moss Adams
The 6 Intangible Costs of a Cyberbreach
One of the most important components of managing cyber-risk is prevention. Some organizations, however, sometimes fail to realize that data breaches can cost more than just lost data or access to systems.
The consequences of a cyberbreach can affect various business relationships—insurance companies, banking institutions, investors, or potential buyers, for example. The implications of those intangible costs often mean companies must adhere to criteria that helps them evaluate the security of companies.
There’s no right or wrong way to secure an organization. Each solution should be unique to the structure of the company, the audience you serve, and the type of data you manage. The goal is to strengthen your technology infrastructure to build confidence in your business.
The consequences of a cyberbreach can affect various business relationships—insurance companies, banking institutions, investors, or potential buyers, for example.
What Are the Financial Costs of a Data Breach?
The average cost of a data breach is $3.86 million, which is a conservative number, according to the Ponemon Institute. Some breaches go unreported because companies don’t want to damage their reputation or lose client trust.
The average life cycle of a breach is 280 days, from identification to containment. During that time, there are costs an organization needs to account for.
Costs of a Data Breach
Associated costs of a breach can include:
• Paying off hackers
• Replacing hardware and software
• Decreased revenue from lost clients
• Increased costs of employees brought in to mitigate the damage
The timeline below demonstrates not only the immediate impact of a data breach, but also its far-reaching consequences and ways it could continue to affect your organization over much longer periods than you initially anticipate.
Lifecycle of a Data Breach
What Are the Intangible Costs of a Data Breach?
There are six main intangible costs to a data breach:
1. Reputational loss
2. Operational impairments
3. Bank loan covenants
4. Vendor liability
5. Insurance premiums
6. Buyers and investors
How Is Reputation Loss Affected by a Data Breach?
For all companies dealing with personal data, a public breach means an immediate loss of reputation and client confidence.
While large brands who are household names often get a lot of attention from the public and media, smaller companies can also face the same negative consequences when they expose client information to attackers.
Customers may feel violated and opt to do business with a competitor instead. They may also share their negative experience with your company with their network, posting about your breach on social media and leaving reviews of your company on public channels.
Lost clients aren’t the only risk. An episode of the IT Pro Podcast explored the ramifications of the 2014 Sony Pictures hack, which revealed information on actor compensation as well as some damning internal emails that led to loss of jobs and damaged public reputations of individuals at the company.
How Does a Data Breach Impair Business Operations?
While cyberattacks are costly to both the revenue and reputation of an organization, it can also impact businesses as usual, preventing or hindering core operations.
Some notable examples of ransomware disrupting businesses, including the JBS and Colonial Pipeline attacks, took days or weeks to resume operations back to the normal level.
In June 2021, JBS, the world’s largest beef supplier and meat processing company, was a victim of a Russian cyberattack. The attack caused operations in 13 of JBS’s processing plants across three countries to stand still.
The company reportedly paid $11 million in Bitcoin to the attackers once back online to prevent a future attack and protect customer well-being.
Colonial Pipeline Attack
In May 2021, Colonia Pipeline, the largest supplier of gas on the eastern coast of the United States, discovered malware on its systems.
On May 7, pipeline operations halted, impacting customers who had to wait hours to fill-up their tanks, if they were able to find gas at all. The disruption lasted until May 17, when full operations were restored.
The breach cost the company $4.4 million in Bitcoin. Company leadership resorted to hiring a consultant to negotiate with the attackers.
How Does a Data Breach Affect Bank Loan Covenants?
In the past, banks would ask businesses for a copy of the balance sheet, financials, and quarterly projections.
In an increasingly digital and virtual world, financial institutions are considering plans to incorporate requirements to obtain an organization’s cyberattack plans and any investment in cyberattack insurance.
Banks and other depository institutions will evaluate their customer base. Based on risk assessment—the nature and volume of customer data held by a business, for example—the institution will assess the level of requirement as to any cybersecurity-related covenants. The requirements will largely depend on the nature of the borrower’s business.
Commercial business loans obtained from businesses that deal with large amounts of customer data will generally be the focus of a financial institution’s requirement for cyberattack plans and proof of cyberattack insurance. While cyberattack insurance isn’t mandatory, that does seem to be the direction banks are headed.
Consider the following example. You’re a small business that’s hit by a breach. You ask the bank to loan you money to mitigate the costs. It doesn’t impact the bank, but it does impact you.
How Does a Data Breach Affect Vendor Liability?
With so many organizations relying on third-party service providers to handle employee and customer data, it’s important to be aware of your liabilities as an organization.
Vendors are increasingly limiting their liability during contract negotiations, which leaves your company responsible if a breach with your vendor releases medical data, payment details, or other personally identifiable information of your employees and customers.
Some new laws, such as the California Consumer Privacy Act passed in 2020, make it possible for victims to file lawsuits for damages. In most cases, however, the entity responsible for controlling the data is primarily the one liable.
How Does a Data Breach Affect Insurance Premiums?Companies are subject to greater underwriting scrutiny and ultimately increased premiums as attackers become more innovative and their attacks more sophisticated. This trend is anticipated to continue.
When it comes to cyber liability insurance, it’s important to understand the connection between controls, insurance companies, and underwriters when determining cost—and how solid cybersecurity policies could bolster your banking relationships, which can potentially lower your cyber liability premium.
A US Government Accountability Office (GAO) report on Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market revealed that more frequent and severe cyberattacks resulted in increased demand for cybersecurity coverage and higher insurer costs. In a survey of insurance brokers, more than half of respondents’ clients saw prices go up 10%–30% in late 2020.