Deloitte identifies 14 business impacts of a cyberattack
The global leader for cyber risk services suggests that current market valuation of cyber incident impact is grossly underestimated.
NEW YORK, June 15, 2016 — Although cybersecurity is one of the most urgent issues of our time, the resulting impact of a cyber incident is still largely unproven. Recognizing the need of business leaders to have clarity around the enterprise-wide effect of such events, Deloitte Advisory, the global leader in cyber risk advisory services, released today: “Beneath the surface of a cyberattack: A deeper look at business impacts,” a risk-based report outlining the depth, and duration of cyber incidents in financial terms.
“Executives have difficulty gauging potential impact partly because they are not typically privy to what their peers struggle with as they work to get their businesses back on their feet. An accurate picture of cyberattack impact has been lacking, and therefore companies are not developing the cyber risk postures that they need,” said Emily Mossburg, principal, Deloitte & Touche LLP, and Resilient Practice leader for Deloitte Advisory Cyber Risk Services. “This report is an effort to help leaders broaden their thinking on the potential consequences of a cyber incident. With a fuller picture of what may be at stake, they can better shape cyber risk programs to protect their organizations’ strategic interests, and ultimately improve the organization’s ability to thrive in the face of cyberattacks.”
“Beneath the surface of a cyberattack” was created by Deloitte Advisory’s Cyber Risk practice in tandem with the organization’s leading forensic and investigations, and business valuation & modeling services. Looking at two samples cyberattack scenarios, the report demonstrates a model to quantify potential damage, and identifies 14 business impacts of a cyber incident as they play out over a five-year incident response process. The scenarios illustrate some of the many ways a cyberattack can unfold and both clearly illustrate that the road to business recovery can be far more drawn out, more complex, and more costly than imagined.
14 business impacts of a cyber incident
Above the surface: well-known cyber incident costs
- Customer breach notifications
- Post-breach customer protection
- Regulatory compliance (fines)
- Public relations/crisis communications
- Attorney fees and litigation
- Cybersecurity improvements
- Technical investigations
Below the surface: hidden or less visible costs
- Insurance premium increases
- Increased cost to raise debt
- Operational disruption or destruction
- Lost value of customer relationships
- Value of lost contract revenue
- Devaluation of trade name
- Loss of intellectual property (IP)
“Rarely brought into executive and board conversations around cyber risk are the costs and consequences of IP theft, cyber espionage, data destruction, or business disruption, which are much harder to quantify and can have a significant impact on an organization,” commented Don Fancher, principal, Deloitte Advisory, and global leader for Deloitte Forensics & Investigations. “Our intent is not to scare executives into thinking that all cyber incidents will be more costly than they think. It’s to give them a better understanding of their specific risks so they can make more educated decisions that are aligned with their business strategies.”
Deloitte’s study reveals that:
- The direct costs commonly associated with data breaches are far less significant than the “hidden” costs. In Deloitte’s scenarios, these account for less than five percent of the total business impact.
- The time horizon over which impact is felt is far more protracted than is often anticipated. In Deloitte’s scenarios, costs incurred during the initial triage stage of incident response account for less than 10 percent of the rippling impacts extending over a five-year period.
- Over 90 percent of cyberattack impact is likely to accrue in categories that are intangible. Given that these are less studied and more difficult to quantify, organizations can be caught especially unprepared for these “costs” in areas such as operational disruption, impact to trade name and loss of intellectual property.
“The ability to quantify intangible damages is especially important in anticipating business impact. In many cases, an approach based on tallying actual recovery costs that hit the balance sheet would paint a significantly distorted picture of the cost to business performance,” added Hector Calzada, a managing director in Deloitte Advisory’s Business Valuation & Modeling services.
Deloitte Advisory’s Cyber Risk Services has worked with more than a thousand clients globally in the last 12 months across all industry sectors, providing a distinct perspective on what happens in the preparation for and the response to a broad array of cyber incidents. The findings of Deloitte Advisory’s “Beneath the surface of a cyberattack” report create opportunities for executives who not only understand the technical dimensions of cyber, but also have a deep understanding of how business value is created—and destroyed. Cyber risk is complicated and requires multidisciplinary approaches and the ability to integrate business strategy, operations, and technology.
About Deloitte Advisory Cyber Risk Services
Deloitte Advisory’s Cyber Risk Services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation, and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Deloitte Advisory’s more than 3,000 cyber risk services practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive, secure, vigilant, and resilient cyber risk programs. Deloitte Advisory cyber risk services works with our clients worldwide to better align cybersecurity investments with strategic business priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents.
About Deloitte Advisory
Deloitte Advisory helps organizations turn critical and complex business issues into opportunities for growth, resilience, and long-term advantage. Our market-leading teams help our clients manage strategic, financial, operational, technological, and regulatory risk to maximize enterprise value, while our experience in mergers and acquisitions, fraud, litigation, and reorganizations helps clients emerge stronger and more resilient.
As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.