As large-scale instances of data theft — including theft of credit card records and personally identifiable information (PII) — are becoming more frequent, corporate executives and financial leaders are giving greater attention to the “cost” of cyber breaches.
Are they looking only at the breach itself, which typically means data theft, or are they addressing “cost” as it relates to the entirety of the impact of a cyber incident on the enterprise?
Cyber incidents are becoming so widespread that some of the associated costs are fairly well anticipated, and are increasingly accepted as part of the risk of doing business. Direct costs can include those associated with customer notification, post-breach assurance programs, regulatory fines, public relations, technical analysis and remediation, and litigation, to name a few of the obvious.
Recognizing the growing cyber threat landscape, many finance and risk officers are responding by increasing budget allocations for IT security programs and investing in cyber insurance. While these commitments may be necessary to improve protection against certain kinds of losses, if made in the absence of a more comprehensive cyber risk program, they can leave an organization unwittingly exposed to far more consequential financial damage. Leaders need to think more broadly about cyber risk and consider the true intent behind a potential cyber incident, and understand that theft of data may not be the most damaging impact. Operational destruction and organizational disruption may be significantly more impactful than data theft alone.
Even in the case of a fairly typical breach of electronic health records, PII or payment data, the impact of a cyber incident can ripple over months and years in ways that often don’t reach public discourse, extending the time horizon of impact and recovery. A recent study by Deloitte identifies some cost factors that many companies are often unprepared for:
Closer Compliance Scrutiny. Beyond fines tied to the immediate incident, a breach can trigger larger investigations that often lead to evidence of further violations, and more fines and remediation expense.
Higher Cyber Insurance Premiums. Companies that have experienced a publicly disclosed breach are likely to face higher future premiums, whether for first-time coverage or renewal.
Waves of PR and Legal Costs. The full ramifications of a cyber incident may take time to surface. The duration of a breach can also affect some of the organization’s most valued assets, its brand and reputation. Legal fees and litigation can span months and years post-incident. For example, theft of PII could, months later, be associated with cases of identity theft, triggering new rounds of litigation.
Increased Cost to Raise Debt. In the Deloitte study, a comparison of companies that had, and had not, suffered cyber breaches suggests that on average, a breach causes a full-level downgrade in credit rating. When the study was conducted, the interest rate for a 10 year, A-rated U.S. corporate bond averaged 3.44 percent, with BBB pegged at 4.13 percent. In this case, being downgraded from A to BBB would subject the company to an additional $3.6 million in interest over the lifespan of a $100 million project.
Impacts to Customer Retention, Cost of Sales, and Revenue. Depending on the nature of the business, loss in customer or market confidence can have a range of consequences over time, and ultimately, significant impact to the bottom line. Price reductions may be necessary to retain clients or customers. Consider the potential impact to third-party contracts or negotiating power with vendors. Significant reputation damage might negatively impact sales, causing either loss of revenue or extending the duration and cost of a sales cycle.
The Worst Attack May Not Be a Data Breach
Theft of customer or consumer data can be very serious, and public dialog about cyber threats tends to be shaped primarily by what’s in the news, and particularly by what organizations are required to report. While it’s important to consider the reverberating costs of data breaches, it is arguably even more important to widen the lens on the potential scope of impact a cyber incident can have across an organization.
Without considering the full range of what could cause harm, organizations could be unprepared for potentially far more serious financial and business performance impact. A growing number of cyber incidents are designed to cause significant operational disruption or damage to a company’s market position. These can take a variety of forms, garnering a wide range of potentially catastrophic impacts:
Theft of intellectual property (IP): Because few companies would want to publicly reveal an instance of IP theft, it is impossible to know precisely how many companies have been victims to date, but awareness of the risk is growing. The May 2015 Cyber Survey by the Risk & Insurance Management Society (RIMS) indicates nearly 45 percent of respondents named theft of trade secrets or IP as a first-party cyber exposure.
Attempts to disrupt operations: Recent issues of the Monitor newsletter published by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team document a clear rise in the number of attacks targeting industrial control systems in the energy industry – only one small window into how “Internet of Things” devices can introduce risks to manufacturing processes, transportation systems, or other critical infrastructure services.
Fraud: In 2013, the financial services industry was struck broadly by a series of “denial of service” attacks aimed not at stealing data, per se, but causing widespread disruption, and in some cases possibly creating a distraction from activity aimed at committing fraud and manipulating transaction records.
The costs and financial implications associated with these types of attacks, of course, are highly variable, depending on the industry and specific business in question. But it is not difficult to imagine potentially catastrophic outcomes. When millions are invested in efforts to bring a new drug to market, theft of its formula or manufacturing process could be devastating to major revenue streams for years. Imagine disruption to critical infrastructure that could threaten public safety and have devastating consequences. Tampering with financial data could quickly cause significant volatility in global markets. Damage to data, applications, systems, or equipment could disrupt revenue-generating business operations for far longer than expected, necessitating significant investment in interim capabilities, and detracting resources from other critical areas.
The Link Between Cyber Risk and Business Performance
The point of highlighting this wider array of potential impacts and cost factors is not to foment fear — or even to make the case that more funding should be dedicated to cybersecurity programs. The point is that a major cyber incident significantly impacts business performance and should be considered as a full-blown component of the enterprise risk program, not merely as a line item in the corporate budget.
Cyber incidents are not necessarily more dangerous today because the attackers are more fierce and determined than they once were, but the capacity to do great harm is simply more achievable via our networked lives. Cyber risk is a byproduct of innovation. The very things organizations do to drive efficiencies, improve service, grow and compete are the same things that invite risk. The digital connections that have been developed to improve distribution of power and water, create goods, streamline commerce, operate public infrastructure, provide entertainment, deliver better healthcare, transact global commerce, and maintain social ties are the same connections that can be leveraged by cyber criminals or terrorists to cause massive harm in hours or days.
Leaders must ask the right questions to manage risk intelligently, and along the right vectors: people, process, technology, governance and policy. They must also anticipate the next generation of solutions and capabilities they’ll need to meet an ever-changing set of challenges.
Cyber risk is created not only by the introduction of new technologies, but through any initiative that changes who and what connects to corporate resources, and how. This includes mergers and acquisitions, consolidation or expansion activity, the development of new relationships with buyers and partners, product development initiatives, and supply chain and distribution models. In today’s complex, connected ecosystems, new vulnerabilities are created as fast as old ones are addressed.
Many high-performing companies are in the process of adjusting to the reality that an element of cyber risk is always present. While reasonable efforts need to be taken to secure the business, innovation cannot be quelled just because it cannot be perfectly secured. Managing cyber risk is a perpetual effort and should be seen as a positive investment integral to strategic initiatives, and a cornerstone of an organization’s strategy and success.
Effective cyber risk programs help organizations be secure, vigilant and resilient. In addition to implementing risk-prioritized security controls to prevent what can be prevented, they establish threat awareness and visibility to monitor and detect when a compromise is in progress, and build the preparedness posture needed to respond rapidly and with purpose, and ultimately recover resiliently when a cyber incident occurs.
Five Steps for Finance Executives
Adopting a risk-based approach to cyber incidents involves broad collaboration across the executive suite and throughout the organization as a whole. As guardians of the organization’s fiscal health and performance, finance executives have a critical role in ensuring the protection of the company’s most valuable assets (however a company defines those).
First, require that proposals for major initiatives address cyber risk. They should include a realistic assessment of how the proposed activity or project will impact the organization’s cyber risk exposure, how a cyber breach could impact the success of the initiative, and a sound plan to fund the likely costs of any necessary cybersecurity investments.
Second, support the integration of cyber risk into strategic planning by working with risk officers to develop models that account for likely impact and associated cost in the event of an incident. This will help senior executives make better-informed decisions on risk appetite and mitigation investments.
Third, scrutinize requests for cybersecurity funding with the perspective that investments should be aligned directly to the company’s top business risks. Ask how business leaders were involved in shaping the budget, and what new corporate initiatives it is designed to accommodate. Ask how the proposed budget balances not only the need to prevent cyber attacks, but to also detect and respond to them.
Fourth, reexamine the function of insurance as part of the cyber risk program. Cyber insurance may be a very important mechanism to defray business impact of an incident, so make sure decisions about policy inclusions are made with a well-rounded view of the company’s broad cyber risk profile, and that expectations are clear about how much risk is actually being transferred.
Fifth, seek involvement in cyber incident response practice drills and simulations. Most organizations have cyber incident response plans, but they may not often rehearse them or involve critical business leaders. Cyber wargaming and simulation events can help instill deeper understanding of how cyber incidents may unfold and the associated impact on the business. They are a powerful catalyst for discussion among senior leaders about cyber risk exposure.
While CFOs are rarely appointed to lead a cybersecurity program, finance leaders may be best positioned to establish executive awareness of the connection between cyber risk and business performance, thereby acting as important agents of change.
Emily Mossburg is a principal at Deloitte & Touche LLP and Resilient practice leader – Deloitte Advisory Cyber Risk Services.