The Hidden Costs of a Data Breach

Published on August 12, 2016

Much of the business discussion around cyber-security relates to protection of key assets such as customer information and intellectual property, often after the news that another company has suffered a large data breach. While strengthening defenses against cyber-attackers is important, companies also must be prepared to handle the reputational and financial hits that a cyber incident can produce for years down the road.

Cyber-security has the attention of CFOs and other decision-makers. And for good reason: The average cost of a data breach has risen 29% since 2013, to about $4 million per incident, according to an annual report from IBM and Ponemon Institute. And a 2015 survey of US finance decision-makers shows that organizations are increasing spending on cyber-security.

A new report by Deloitte addresses issues that go beyond data protection, pointing out the hidden costs that go along with responding once a cyber-attack has occurred.

Cyber readiness, the Deloitte report said, is not just about what happens after an attack. In other words, it is far more involved than following through on a six-week or six-month incident response plan with technology upgrades and planned communication with customers and other stakeholders.

The report lists 14 impact factors of a cyber-attack, including seven classified as "beneath the surface" and having less visible costs:

Insurance premium increases: A company might need to buy or renew its cyber-security insurance after a cyber incident. But that doesn't mean it's renewing or buying for the same cost as its previous policies. Deloitte said it was not uncommon for companies to face premium increases of 200% for the same coverage, or to be denied coverage until demonstrating to the insurer that is had strengthened cyber defenses. Insurers could cite any number of issues with a company in the aftermath of a data breach; citing weak access controls, an insufficient incident response plan, or insufficient monitoring as among the possible factors. Basically, insurers are in position to tell a company what it needs to fix before coverage will be continued.

Increased cost to raise debt: Perception becomes reality when an organization has suffered a cyber-attack. A company's credit rating can be lowered in the aftermath of a data breach, and that can affect a company's ability to raise debt or renegotiate its existing debt, Deloitte said. The corporate credit rating of US retailer Target was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's months after a cyber-attack. While Standard & Poor's has kept a stable outlook for the company and says it believes the data security issues are largely behind Target, it has not bumped Target's credit rating back to "A+". Deloitte's analysis said that credit ratings agencies typically downgrade by one level companies that have experienced a cyber incident.

Impact of operational disruption or destruction: Any disruption of normal business operations will have financial repercussions. Resources from one part of a company could be diverted to other parts in the wake of a data breach. If a company's e-commerce site has to be shut down temporarily, for example, the company will lose out on current and potentially future business when customers go to a competitor.

Lost value of customer relationships: If those customers like what they see from the competitor, they might not return to the business that suffered a breach. Deloitte's hypothetical analysis showed that customer attrition rate increases 30% in the wake of a cyber incident and doesn't return to normal until three years later.

Value of lost contract revenue: Similar to the effect on a company's ability to raise debt, contract negotiation with other entities is more difficult after a data breach. And that's in addition to contracts that might be terminated as a direct result of a cyber-attack. A company may have built cost increases for services into its financial models, so those models must be recalculated in the event of a data breach. The IBM and Ponemon Institute report said the "biggest financial consequence to organizations that experienced a data breach is lost business."

Devaluation of trade name: If a company's business is offering services to other companies, the company on the receiving end of the services is less likely to seek additional services from a company that has suffered a data breach. And a company such as a retailer obviously must rebuild brand loyalty after a data breach.

Loss of intellectual property: This can be the most crippling effect for a company that suffers a data breach. The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost.

(Source: CGMA Magazine Update – August 5, 2016)