The realization that cyber risks can have a significant impact on the financial success of an investment is gaining ground in the investor community. But how big are the risks and how significant is the potential damage? What countermeasures are needed and when are required mitigation investments still proportionate?
Various studies have looked into the actual costs of cyber incidents in recent years. So far, those efforts have yielded nothing more than rough estimates. The extent and severity of incidents vary widely, as do the nature and underlying goals of the attacks. In a recent white paper, researchers from NCC Group, known in the Netherlands as shareholders of Fox-IT, have incorporated previous international studies into new estimates for the United Kingdom.
When does an incident turn into a catastrophe?
Many companies deal with multiple ‘cyber incidents’ in any given week. Most of these have little or no influence on business operations. It is the large-scale incidents that can lead to real costs. A company that is unable to operate for several days undoubtedly suffers considerable damage. If that company is a crucial link in its business chain, the indirect consequential damage can be much higher. For some companies, theft of R&D data and intellectual property would be costly. In knowledge-intensive industries such as the pharmaceutical industry, such an incident could well mean the end of the business. A large-scale data breach involving personal data can lead to reputational damage and loss of customers. If the affected company has been negligent, it may also face fines. Clearly, several factors determine whether a cyber incident is ‘only’ expensive and frustrating, or whether it is truly disruptive: in which markets does the company operate? What is its business model? But also: what is the nature of the attack? Where did the attack hit within the organization? How resilient is the company?
Damages are difficult to predict
Real-life examples show that generalizations are not easily made: incidents can lead to major damage, but not every affected company is hit equally hard. Last year’s NotPetya attack, which hit Maersk’s APM container terminals in the port of Rotterdam, resulted in $250 to $300 million in direct damages, according to Maersk. As a result of the same attack, pharmaceutical giant Merck reported $260 million in lost revenues and $285 million in additional costs. For 2018, Merck expects a further loss of revenues of $200 million. Both companies play an important role in their respective business chains.
The Ponemon Institute study cited by NCC estimates the costs of incidents involving personal data on the basis of the number of data records involved. Ponemon’s estimates range from $119 per data record in the media sector up to $380 per data record in healthcare. These amounts comprise both direct and indirect costs. Fines under the new European GDPR have not yet been included in these calculations. According to Ponemon, the worldwide average size of a data breach is around 24,000 records. With bigger data breaches, a higher proportion of the costs is due to loss of customers and reputational damage. Ponemon estimates that, on average, data breaches result in an additional customer churn of 3.24%. In the financial sector, healthcare and the services sector, this can amount to 5 to 6%. But reputational damage and customer churn can go two ways: Equifax recently estimated that the total costs related to its 2017 leak, involving data from 147 million customers, could amount to more than $600 million. eBay, by contrast, reported hardly any consequences from a data breach of the same magnitude three years earlier.
Where the differences in damages originate
Direct costs, such as incident handling, recovery and legal assistance, depend primarily on the size and complexity of the incident and make up the bulk of total costs in smaller incidents. Particularly in large-scale DDoS and ransomware attacks, an important part of the costs is caused by direct loss of revenue and damage to company assets due to downtime. The longer the company is out of business, the greater the damage. In Europe, fines for incidents involving personal data are determined by the worldwide turnover of the affected company, with a cap of €20 million.
However, the largest variations are in indirect costs. Especially in business chains with just-in-time logistics, a cyber incident at a supplier or logistics service provider can cause serious damage further up or down the chain. But do customers switch suppliers after the very first incident? Reputational damage can, but does not necessarily, lead to a structural loss of clients; Facebook is a case in point. Still, society’s awareness of cyber security and privacy is growing. Claims and loss of revenue are therefore becoming increasingly real and tangible risks.
Probability x impact?
What lessons can be drawn from this? As a starting point, direct and indirect damages caused by cyber incidents are not necessarily disruptive. For many companies it would suffice to base their security spend on estimates of probability and impact. However, large-scale incidents are becoming more prevalent and their potential impact is growing. Therefore, every company would benefit from a combination of prevention, detection and response measures to mitigate those risks.
Companies that rely heavily on intellectual property or personal data, companies that play a key role in their value chain, companies that are particularly susceptible to theft and fraud, and companies with a high public profile should be prepared for truly disruptive cyber incidents. In general, such companies also run a greater risk of being targeted: there is more to be gained. Investors in these companies simply cannot afford not to have these risks at the top of their agenda. Cyber security should be a strategic key priority. Investors would be well advised to make cyber security a standard component of their due diligence assessments, and especially of their post-acquisition planning.
This article was published in Dutch in mena.nl and financieel-management.nl.