Calculating the Overlooked Costs of Cyber Incidents
When executives consider the financial impacts of cyber incidents, they tend to focus on the short-term. There’s so much to do in the immediate aftermath of an attack — mobilizing an incident response team, coordinating crisis communications, hiring outside legal counsel, the list goes on and on. However, these kinds of commonly understood costs are often just the tip of the iceberg. Lurking beneath the surface is a vast ocean of “hidden” costs that are all too easy to overlook. The C-Suite is so busy scrambling to “stop the bleeding” that they don’t take time to consider the long-term financial impacts of cyber incidents.
According to a Deloitte study, costs related to triage response in the immediate aftermath of a cyber attack typically account for less than 10 percent of total recovery costs. As much as 95 percent of the financial impact of breaches consists of less visible costs, which can extend over many years. Making matters worse, some of these below-the-surface costs cannot be covered by cybersecurity insurance.
Adopting An Effective Framework: The FAIR Model
The concept of hidden costs is particularly problematic from a business perspective. In order to successfully manage cyber risk, you need to be able to measure it. But how are you supposed to measure something that purportedly can’t be quantified?
Fortunately, contrary to popular belief, cyber risk is not a nebulous concept. Impacts can be quantified. The key is adopting an effective framework for understanding, measuring, and analyzing cyber risks, such as Factor Analysis of Information Risk (FAIR). By using a quantitative model like FAIR, business executives can put a specific price on their cyber liabilities — converting complex forms of risk into dollars and cents — and manage them accordingly.
The FAIR framework separates cyber risk costs into six “forms of loss” (FOL) categories:
- Productivity: Loss that results from an operational inability to deliver products or services
- Response: Loss associated with the costs of managing an event
- Replacement: Loss that results from an organization having to replace capital assets
- Competitive Advantage: Losses resulting from intellectual property or other key competitive differentiators that are compromised or damaged
- Fines and Judgements: Fines or judgments levied against the organization through civil, criminal, or contractual actions
- Reputation: Loss resulting from an external stakeholder perspective that an organization's value has decreased and/or that its liability has increased
Within each of these FOL buckets, the FAIR model further divides financial impacts into two loss categories: primary loss and secondary loss. Primary losses are costs incurred directly as a result of the threat action against the asset. Secondary losses are costs incurred as a result of the fallout/retaliation of secondary stakeholders in reaction to the primary event.
So, for instance, let’s look at response costs. Primary loss would include things like hiring an incident response team and conducting forensic investigations, while secondary losses would include things like customer notification costs and credit monitoring.
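As an added illustration (not from the original article or the FAIR standard itself), the following Python assembles a single-event loss-magnitude estimate from the six forms of loss, keeping primary and secondary three-point estimates separate so the "hidden" share of the loss becomes visible. The dollar ranges are constructed sample values, and triangular sampling is an assumption standing in for the calibrated distributions a full FAIR analysis would use.

```python
import random
from dataclasses import dataclass

# The six FAIR forms of loss named in the article.
FORMS_OF_LOSS = ("productivity", "response", "replacement",
                 "competitive_advantage", "fines_judgements", "reputation")

@dataclass(frozen=True)
class LossRange:
    """Three-point dollar estimate for one form of loss: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

# Constructed sample inputs (not real figures). Primary = direct costs of the event;
# secondary = stakeholder fallout (notification, multi-year monitoring, regulators, churn).
PRIMARY = {
    "productivity": LossRange(50_000, 200_000, 600_000),   # downtime, diverted managers
    "response": LossRange(150_000, 400_000, 900_000),      # IR team, forensics, counsel
    "replacement": LossRange(20_000, 80_000, 300_000),     # rebuild and reconfigure systems
}
SECONDARY = {
    "response": LossRange(300_000, 1_200_000, 4_000_000),       # notification, credit monitoring
    "competitive_advantage": LossRange(0, 300_000, 3_000_000),  # compromised crown jewels
    "fines_judgements": LossRange(0, 500_000, 5_000_000),       # regulators, class actions
    "reputation": LossRange(200_000, 1_000_000, 6_000_000),     # churn, premiums, credit rating
}

def sample_loss(r: LossRange, rng: random.Random) -> float:
    # Triangular sampling is an assumption standing in for a calibrated FAIR distribution.
    return rng.triangular(r.low, r.high, r.mode)

def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]

def simulate_loss_magnitude(primary, secondary, iterations=10_000, seed=1):
    """Monte Carlo of single-event loss magnitude (primary + secondary over all forms of loss)."""
    rng = random.Random(seed)
    prim, sec = [], []
    for _ in range(iterations):  # forms missing from a dict contribute zero
        prim.append(sum(sample_loss(primary[f], rng) for f in FORMS_OF_LOSS if f in primary))
        sec.append(sum(sample_loss(secondary[f], rng) for f in FORMS_OF_LOSS if f in secondary))
    totals = [p + s for p, s in zip(prim, sec)]
    mean_p, mean_s = sum(prim) / iterations, sum(sec) / iterations
    total = mean_p + mean_s
    return {"mean_primary": mean_p, "mean_secondary": mean_s, "mean_total": total,
            "p90_total": percentile(totals, 0.90),  # tail value a budget should survive
            "secondary_share": mean_s / total if total else 0.0}  # the "hidden" fraction
```

With these constructed inputs the secondary (below-the-surface) share comes out near 90 percent of the expected loss, which is the kind of figure the article says executives miss when they budget only for triage.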
Commonly Overlooked Costs
So what are some commonly overlooked costs? Let’s explore a couple of examples, using the FAIR framework as a guide.
- Productivity: Cyber attacks are, by their very nature, disruptive. Cyber incidents can result in operational downtime, resulting in lost revenue. But they can also divert organizational resources. Managers are forced to focus on the crisis at hand, rather than working on other important institutional priorities.
- Response: Executives tend to focus on immediate response costs, such as hiring a crisis communications or computer forensics firm. Yet response costs can play out over a much longer time horizon. For instance, as part of a legal settlement agreement, your company could be ordered to pay for credit monitoring services for your customers — which can last for years.
- Replacement: Cyber attacks can damage and destroy all kinds of devices. The essential ones will need to be repaired or replaced immediately. However, the damage could extend far beyond a single device. Intrusions can be enterprise-wide, spreading to thousands of interconnected systems. This can require the reconfiguration of entire networks.
- Competitive advantage: During a cyber crisis, it’s easy to lose sight of the big picture. You’re so busy trying to secure devices and systems that you overlook the things that are the very essence of your enterprise: your competitive advantage. Competitive advantage includes things like intellectual property and trade secrets. These assets are sometimes referred to as “crown jewels” — assets that, if compromised, would be detrimental to your business operations and cause crippling financial losses to your company. Crown jewels are the secret sauce that separates your organization from everybody else. Given their financial and strategic significance, you need to prioritize your defense efforts around these assets.
- Fines and judgements: Breached businesses often face huge, headline-making fines and costly class action lawsuits. Yet executives often don’t realize just how far their legal liability extends. Your company can be sued or penalized by a number of stakeholders (customers, vendors, business partners, etc.) and face fines from numerous state and federal regulatory agencies.
- Reputation: Organizations live and die by their reputation. And few things can batter a business’s reputation like a major breach. People want to know that the products and platforms they use are keeping their data safe and secure. Cyber breaches can spark concern among your customers, causing them to discontinue their relationship with your organization. But keep in mind that your reputation not only affects your company’s relationship with customers but also impacts your relationship with other businesses. After experiencing a cyber incident, your company is considered a riskier investment for insurance companies and banks. As such, your cyber insurance premiums are likely to increase. According to a Deloitte study, following a cyber incident, it is not unusual for a policyholder to face a 200 percent increase in premiums for the same coverage. Similarly, victim organizations typically experience a drop in their credit rating that can result in higher interest rates when borrowing money or renegotiating existing debt.