Cyber risk: Counting the cost

It can take months or even years to realise the full cost of a cyber-attack – and some firms may never recover.


When businesses are hit by a cyber-attack, the financial losses can be crippling – from immediate crisis expenses and regulatory fines to longer-term, knock-on costs such as those related to reputational damage, a fall in share price or downgrading of their credit rating.

Not if, but when

The prospect of a cyber-security incident is not a matter of if, but of when. More than half of EU firms surveyed for a Kaspersky Lab report released in March 2019 had experienced a cyber-attack in the previous two years.1

“For us, cyber is not a theoretical risk. It’s probably the most real and vivid risk that we think about, knowing first-hand what the implications are when the risk becomes real,” says Andrew Darwin, Global Co-Chairman & Senior Partner at DLA Piper.

Regulation with teeth: GDPR raises the stakes

Since the introduction of GDPR in May 2018, organisations have faced a series of heavyweight fines. In July 2019, the ICO announced its intention to fine British Airways £183.39m following a data breach it suffered in 2018.2 In the same month, the UK’s data protection regulator announced its intention to fine Marriott International £99.2m following a data breach in 2018, which exposed approximately 339 million guest records.3

“This is regulation with teeth. The size of the fines levied is a direct function of what companies did ahead of time to protect themselves, and what steps they took afterwards, and how swiftly, to mitigate harm,” says Dr Deborah Pretty, Founding Director of Pentland Analytics.

Business, interrupted

Beyond loss of customer information and fines by the regulators, there is another serious cost of a cyber-attack: business interruption. The chaos caused by an attack can stop the business from trading or disrupt core operations for a period, which affects sales and revenue.

There are a range of costs directly related to a cyber-incident: fines, legal, communication and litigation, to name a few. Yet the most expensive cost of a breach, in most cases, is not being able to do your business.

Onno Janssen
Aon, CEO Risk Consulting & Cyber Solutions EMEA

The NotPetya ransomware attack of 2017 brought companies across the globe to a standstill, costing billions of dollars in lost revenue.

Global shipping firm A.P. Moller-Maersk was one of the many businesses affected. The company stated in its annual report that the effect on its profitability was US$250-300 million.4

Norsk Hydro, meanwhile, was brought to its knees in March 2019 by a cyber-attack that paralysed its computer networks. The resulting production shutdown cost the aluminium and energy company an estimated $51 million in the first quarter of 2019 alone.5

The snowball effect

Even if executives can get to grips with the upfront costs of a cyber-incident, the full cost will not be understood until much later. Post-attack, a business may have to embark on a long and costly journey to understand the full scope of the attack’s financial impact, not to mention regain brand loyalty and repair reputational damage.

“Reputation is an intangible asset that sits very firmly on many top companies’ balance sheets and, correspondingly, their incident response plans,” says Elizabeth Queen, Vice President of Risk Management at Wolters Kluwer.

Figure 1. The impact of cyber-attacks on shareholder value post-event

The high-profile TalkTalk data breach in 2015 caused huge reputational issues for the firm: not only had the personal details of 156,959 customers been compromised, but the attack also cut trading revenue by over $20 million and led to the loss of 101,000 customers.6 By the end of the first year following the attack, one-third of the company’s market value – about $1.4 billion – had been wiped out.7 Four years later, the stock market valuation is still well below the level at the time of the 2015 data breach.

Figure 2. TalkTalk share price tumbles post-attack

Credit risk: The unexpected consequence

There is another significant financial penalty that companies might not see coming: a credit-rating downgrade.

The 2017 Equifax data breach caused significant financial losses for the company following the exposure of the personal data of at least 147.9 million people.

But the breach was also ground-breaking for another reason: it was the first time an organisation’s credit-rating outlook was affected by a cyber-attack. In May 2019, Moody’s revised its outlook for Equifax from ‘stable’ to ‘negative’.

Equifax’s outlook revision was the first, but it will not be the last. Moody’s is in the process of integrating cyber risk assessment into its credit ratings process, so businesses will have to be ready for increasing scrutiny of their cyber assessment practices – and be ready for any breach to affect their credit rating.8

Towards cyber resilience

Counting the cost of a cyber-attack is not straightforward. Firms have to understand not only the initial effects of an attack – lost data, crisis expenses and regulatory fines – but also the cost of business interruption and the knock-on consequences of reputational damage. An attack can have financial ramifications for years after the event, and some firms may never recover.

When responding to the threat, there is no one-size-fits-all approach or quick-fix solution. The C-suite must prepare in advance by building resilience from within.

1 Kaspersky Lab financial cyberthreats report: Users attacked by banking Trojans hit nearly 900,000 in 2018, Kaspersky, March 2019

2 Intention to fine British Airways £183.39m under GDPR for data breach, Information Commissioner’s Office, July 2019

3 Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach, Information Commissioner’s Office, July 2019

4 2017 Annual Report, Maersk, 2017

5 Operational and market update, first quarter 2019, Hydro, 2019

6 ‘When Crisis and Technology Collide: Protecting reputation in the digital age’, Pentland Analytics & Aon, 2018

7 ‘When Crisis and Technology Collide: Protecting reputation in the digital age’, Pentland Analytics & Aon, 2018

8 Equifax Credit rating, Moody’s, 2019