Deloitte finds “hidden” costs can amount to 90 percent of the total business impact on an organization, and will most likely be experienced two years or more after the event.
Few would dispute that cyber attacks are increasing in frequency and in intensity, and most organizations confirm they have now suffered at least one cyber incident. But do those organizations have a true sense of the full impact on the organization? After all, the direct costs commonly associated with a data breach are far less significant than the “hidden costs” incurred.
Indeed, the “hidden” costs can amount to 90 percent of the total business impact on an organization, and will most likely be experienced two years or more after the event. These are among the findings of a recent study by Deloitte Advisory entitled, “Beneath the Surface of a Cyberattack: A Deeper Look at the Business Impacts.”
Deloitte identifies 14 business impacts of a cyber attack, which are categorized as “above the surface” or well-known incident costs, and “below the surface” or hidden or less visible costs. There are seven impacts in each category.
“Executives have difficulty gauging potential impact partly because they are not typically privy to what their peers struggle with as they work to get their businesses back on their feet,” notes Emily Mossburg, a principal with Deloitte & Touche LLP and resilient practice leader for Deloitte Advisory cyber risk services. “An accurate picture of cyberattack impact has been lacking, and therefore companies are not developing the risk postures that they need.”
“Much of the conversation has been focused on what vulnerabilities exist and the technology impact,” Mossburg continues. “The focus seems to be focused very narrowly on the breach notification element and the post-breach protection mechanisms that need to be in place, but the broad impact seemed to be ignored.”
Deloitte analysts set out to get the broader picture of a cyberattack.
An accurate picture of cyberattack impact has been lacking, and therefore companies are not developing the risk postures that they need. – Emily Mossburg, a principal with Deloitte & Touche
“We thought this was being under-estimated. What we didn’t expect was how much of the true impact was beneath the surface and hasn’t been part of everyday discussion of cyber incidents today,” Mossberg explains.
To illustrate all of the impacts of a cyber attack, the Deloitte study presents two fictitious case studies and assigns dollar loss amounts to each factor over a five-year period. The 14 business impacts are broken down as:
Above the surface, or well-known cyber incident costs
- Customer breach notifications
- Post-breach customer protection
- Regulatory compliance (fines)
- Public relations/crises communications
- Attorney fees and litigation
- Cybersecurity improvements
- Technical investigations
Below the surface, or hidden or less visible costs
- Insurance premium increases
- Increased cost to raise the debt
- Operational disruption
- Lost value of customer relationships
- Value of lost contract revenue
- Devaluation of trade name
- Loss of intellectual property (IP)
Of all of the above impact areas, perhaps the most significant is operational disruption.
“Each organization is unique in terms of the impact, but across industries, there are common critical areas. For example, in retail credit card data is most important. In healthcare, PIN (personally identifiable information). And with manufacturers, intellectual property loss can have the greatest impact. However, often the most under-estimated significant impact across organizations is business disruption,” notes Erik Thomas, president and principal consultant at EMT Consulting, and a member of the SIM cybersecurity group.
“Depending on the timing and duration, this can have broad ramifications in financial penalties, lost revenues, borrowing costs, customer service, brand perception, and future opportunities,” Thomas says.
Darren Van Booven, the chief information security officer at the Idaho National Laboratory, agrees.
“The most significant tangible impact is the one which will be felt first, and that is the economic cost of incident response,” Van Booven notes. “The act of containing and responding to the attack, investigation into any resulting breach, public relations, compliance fines, credit monitoring services, and expenses on the back end to harden defenses in a way such that the attack can’t be easily repeated. For moderate to large organizations, this can easily amount to millions of dollars in expenses.”
But then there are those intangible costs, which Van Booven says “are dependent on a variety of factors, such as the organization’s industry, size, and the nature of the incident. Impacts can include loss in your ability to protect information adequately, which may result in a different customer reaction in the financial sector than in wholesale manufacturing.”
“These costs may be harder to measure, but can also really add up if investors, customers, or key business partners reach strongly to an event,” Van Booven explains.
Zulfikar Ramzan, chief technology officer at RSA, comes up with five areas of greatest impact from a cyber attack: business continuity impact, intellectual property theft, loss of sensitive data like a customer as well as employee information, regulatory compliance implications, and loss of reputation.
“Depending on the organization and the specific market vertical they are in, different items will bubble up to the top of the list,” Ramzan says. “Some of these areas, like business continuity impact, are easier to quantify. On the other hand, it can be more difficult to attach a dollar amount to some of the other areas, like reputation loss and intellectual property theft.”
Cost of impacts
But that didn’t stop Deloitte analysts from trying. In their report, they created two representative companies that experienced cyber attacks and affixed cost values to all impacts.
One example involved a healthcare organization that suffers a data breach when the company learns that a laptop containing 2.8 million of its personal health information (PHI) records had been stolen from the company’s healthcare analytics software vendor. Based on all 14 impact factors, the total cost of the breach was determined to be $1,679 million. That broken down as follows:
Above the surface
- Customer breach notifications = six months, at a cost of $10 million (0.6 percent of the total)
- Post-breach customer protection = three years, at a cost of $21 million (1.25 percent of the total)
- Regulatory compliance = $2 million over a two-year period (0.12 percent of the total)
- Public relations/crisis communications = $1 million over the first year (0.06 percent of the total)
- Attorney fees and litigation = five years at a cost of $10 million (0.6 percent of the total)
- Cybersecurity improvements = $14 during the first year (0.83 percent of the total)
- Technical investigations = six weeks at a cost of $1 million (0.06 percent of the total)
Beneath the surface
- Insurance premium costs = $40 million over three years (2.38 percent of the total)
- Increased cost to raise debt = $60 million (3.57 percent of the total)
- Operational disruption = $30 million (1.79 percent of the total)
- Lost value of customer relationships = $430 million over a three year period (25.61 percent of the total)
- Value of lost contract revenue = $830 million over three years (49.43 percent of the total)
- Devaluation of trade name = $230 million loss over five years (13.7 percent of the total)
- Loss of intellectual property = No dollar value was affixed here
So what is an organization to do to protect against all this potential loss? Mossberg recommends four areas to focus on.
“Ultimately we would look at four different areas of the organization to determine what they should do to improve, “Mossberg explains. “First and foremost, we’d look at the program elements – their strategy, their governance, their policies, their procedures, their framework, and are there any gaps related to their overall programs that would need to be fixed.”
“Secondly we look at their proactive security controls and posture – do they have the things in place to protect the data that they have, the systems that they have, the environment that they have, and most importantly, the business that they have?” Mossberg says.
“Third we’d look at what they have in place to understand and monitor their environment on an ongoing basis,” Mossberg says. “Do they have the appropriate tools to log the activities that are happening within their systems, and do they have the appropriate analytics in place to analyze what’s happening that is outside of the normal.”
“Lastly, are they prepared to respond? Are they resilient?” Mossberg poses. “Do they have in place the processes to respond to an incident. Have they tested those processes and plans? And do they know – right up through the executive management team — who they need to communicate those things to?”