Beneath the surface of a cyberattack
A deeper look at business impacts
Although cybersecurity is one of the most urgent issues of our time, the impact of a cyber incident is still largely hidden. Becoming aware of this gives executives the opportunity to create value by better managing the types of impact that carry the greatest financial consequences. In our analysis, we consider 14 different impact factors, 7 of which appear “below the surface”.
Maarten van Wieren - 12 July 2016
Earlier in 2016, we quantified the expected and worst-case value impact from cyberattacks for the largest sectors in The Netherlands. We already mentioned that a large part of the 10 billion euro expected impact related to value impact that is generally not (publicly) reported. Much the same holds for the impact from a worst-case scenario, where an individual organization could experience up to eighteen times higher losses than expected. See Cyber Value-at-Risk in The Netherlands for this earlier report.
Behind the scenes: challenging business performance
In our new report we examine the less obvious ways in which value may be impacted by a cyberattack. To illustrate how this could work out in practice, we analyze two fictitious companies that suffer different scenarios of a cyberattack on their most valuable information asset. Scenario A concerns a large health insurance company (part of the Insurance Sector in our previous study) that suffers a cyberattack on its privacy-related information asset. Scenario B concerns a large technology firm (part of the Technology and Electronics Sector in our previous study) that suffers a cyberattack on its intellectual property information asset.
14 business impacts of a cyber incident
We take a behind-the-scenes look at how the value impact would accumulate for these two scenarios by estimating 14 categories of potential damage. “Above the surface” are the direct costs commonly associated with data breaches, which in many cases account for only a relatively small portion of the value impact. “Beneath the surface” are potential impacts that are less commonly recognized and hardly visible to the public eye. Most of these concern intangible costs that are more uncertain and have a longer-term impact, including damage to trade name, loss of intellectual property, or costs associated with operational disruption.
This provides a more detailed perspective on the nature of the value impact that underlies the Expected Value Loss and Cyber Value at Risk of our earlier report. In this way we clarify the (longer term) financial impact from a cyberattack and thus the associated cyber value at risk, including the significant part which may go unnoticed beneath the surface.
- The direct costs commonly associated with data breaches are far less significant than the “hidden” costs. In the scenarios we analyzed, the direct costs account for less than 5 percent of the total business value impact.
- The time horizon over which impact is felt is far more protracted than is often anticipated. In the scenarios, costs incurred during the initial triage stage of incident response account for less than 10 percent of the rippling impacts extending over a five-year period.
- Over 90 percent of cyberattack impact is likely to accrue in categories that are intangible. Given that these are less studied and more difficult to quantify, organizations can be caught especially unprepared for these “costs” in areas such as operational disruption, impact to trade name and loss of intellectual property.
Create value out of cyber risks
The findings create opportunities for executives who not only understand the technical dimensions of cyber, but also have a deep understanding of how business value is created — and destroyed. Cyber risk is complicated and requires multidisciplinary approaches and the ability to integrate business strategy, operations and technology.
Prepared with a more realistic understanding of the potential impact of a cyberattack, executives can invest in risk-focused programs to be more secure, vigilant, and resilient, and gain greater confidence in their organization’s ability to thrive, even in the face of a cyber crisis.