Deloitte Advisory, a provider of cyber risk advisory services, released: “Beneath the surface of a cyberattack: A deeper look at business impacts,” a risk-based report outlining the depth, and duration of cyber incidents in financial terms, according to a press release from Deloitte.
“Executives have difficulty gauging potential impact partly because they are not typically privy to what their peers struggle with as they work to get their businesses back on their feet. An accurate picture of cyberattack impact has been lacking, and therefore companies are not developing the cyber risk postures that they need,” said Emily Mossburg, principal, Deloitte & Touche LLP, and Resilient Practice leader for Deloitte Advisory Cyber Risk Services. “This report is an effort to help leaders broaden their thinking on the potential consequences of a cyber incident. With a fuller picture of what may be at stake, they can better shape cyber risk programs to protect their organizations’ strategic interests, and ultimately improve the organization’s ability to thrive in the face of cyberattacks.”
The report notes 14 business impacts of a cyber incident, including:
Above the surface: well-known cyber incident costs
- Customer breach notifications
- Post-breach customer protection
- Regulatory compliance (fines)
- Public relations/crisis communications
- Attorney fees and litigation
- Cybersecurity improvements
- Technical investigations
Below the surface: hidden or less visible costs
- Insurance premium increases
- Increased cost to raise debt
- Operational disruption or destruction
- Lost value of customer relationships
- Value of lost contract revenue
- Devaluation of trade name
- Loss of intellectual property (IP)
The press release notes Deloitte’s study reveals that:
- The direct costs commonly associated with data breaches are far less significant than the “hidden” costs. In Deloitte’s scenarios, these account for less than five percent of the total business impact.
- The time horizon over which impact is felt is far more protracted than is often anticipated. In Deloitte’s scenarios, costs incurred during the initial triage stage of incident response account for less than 10% of the rippling impacts extending over a five-year period.
- Over 90% of cyberattack impact is likely to accrue in categories that are intangible. Given that these are less studied and more difficult to quantify, organizations can be caught especially unprepared for these “costs” in areas such as operational disruption, impact to trade name and loss of intellectual property.