Business impacts of cyber attacks
Forensic Foresight: July 2016
Cyber security, once a buzz word, is increasingly being taken more seriously by leaders due the wide reaching impacts of breaches, in what can be a very short space of time. Our Cyber Security and Forensic teams have joined forces to bring to life the impacts of a cyber attack in the global report “Beneath the surface of a cyber attack”.
Although cybersecurity is one of the most urgent issues of our time, the resulting impact of a cyber incident is still largely unproven. Recognising the need of business leaders to have clarity around the enterprise-wide effect of such events, our US colleagues in Deloitte Advisory have released: “Beneath the surface of a cyberattack: A deeper look at business impacts,” a risk-based report outlining the depth and duration of cyber incidents in financial terms.
“Executives have difficulty gauging potential impact partly because they are not typically privy to what their peers struggle with as they work to get their businesses back on their feet. An accurate picture of cyberattack impact has been lacking, and therefore companies are not developing the cyber risk postures that they need,” said Emily Mossburg, principal, Deloitte & Touche LLP, and resilient practice leader for Deloitte Advisory cyber risk services. “This report is an effort to help leaders broaden their thinking on the potential consequences of a cyber incident. With a fuller picture of what may be at stake, they can better shape cyber risk programs to protect their organisations’ strategic interests, and ultimately improve the organisation’s ability to thrive in the face of cyberattacks.”
“Beneath the surface of a cyberattack” was created by Deloitte Advisory’s cyber risk practice in tandem with the organisation’s leading forensic and investigations, and business valuation services. Looking at two samples cyberattack scenarios, the report demonstrates a model to quantify potential damage, and identifies 14 business impacts of a cyber incident as they play out over a five-year incident response process. The scenarios illustrate some of the many ways a cyberattack can unfold and both clearly illustrate that the road to business recovery can be far more drawn out, more complex and more costly than imagined.
The business Impacts
Above the surface
Below the surface
well-known cyber incident costs
hidden or less visible costs
“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organisation,” commented Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte forensic. “Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”
Deloitte’s study reveals that:
- The direct costs commonly associated with data breaches are far less significant than the “hidden” costs. In Deloitte’s scenarios, these account for less than 5 percent of the total business impact
- The time horizon over which impact is felt is far more protracted than is often anticipated. In Deloitte’s scenarios, costs incurred during the initial triage stage of incident response account for less than 10 percent of the rippling impacts extending over a five-year period
- Over 90 percent of cyberattack impact is likely to accrue in categories that are intangible. Given that these are less studied and more difficult to quantify, organisations can be caught especially unprepared for these “costs” in areas such as operational disruption, impact to trade name and loss of intellectual property.
“The ability to quantify intangible damages is especially important in anticipating business impact. In many cases, an approach based on tallying actual recovery costs that hit the balance sheet would paint a significantly distorted picture of the cost to business performance,” added Hector Calzada, a managing director in Deloitte Advisory’s business valuation services.
Deloitte Advisory’s cyber risk services has worked with more than a thousand clients globally in the last 12 months across all industry sectors, providing a distinct perspective on what happens in the preparation for and the response to a broad array of cyber incidents. The findings of Deloitte Advisory’s “Beneath the surface of a cyberattack” report create opportunities for executives who not only understand the technical dimensions of cyber, but also have a deep understanding of how business value is created — and destroyed. Cyber risk is complicated and requires multidisciplinary approaches and the ability to integrate business strategy, operations and technology.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.
About Deloitte Australia
In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, and winner of both the Australian Financial Review/CFO Audit Firm of the Year and Accounting Firm of the Year awards 2013, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. Formore information, please visit Deloitte’s web site at www.deloitte.com.au.
Liability limited by a scheme approved under Professional Standards Legislation.
Member of Deloitte Touche Tohmatsu Limited
© 2016 Deloitte Touche Tohmatsu