Common perceptions about the impact of a cyberattack are typically shaped by what companies are required to report publicly—primarily theft of personally identifiable information (PII), payment data, and personal health information (PHI). Discussions often focus on costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties. But especially when PII theft isn’t an attacker’s only objective, the impacts can be even more far-reaching.
"What does a cyberattack really cost? Regulatory fines, public relations costs, breach notification and protection costs, and other consequences of large-scale data breaches are well-understood. But the effects of a cyberattack can ripple for years, resulting in a wide range of “hidden” costs—many of which are intangible impacts tied to reputation damage, operational disruption or loss of proprietary information or other strategic assets."
Look behind the scenes in two sample scenarios and see how business performance can be challenged over a multi-year period when a cyberattack occurs. In one case, a cyberattack against a health insurance company appears to be a typical case of patient data loss but has deeper implications. The other example looks at the impact of intellectual property theft against a technology manufacturer. Combining cyber risk knowledge with business valuation and financial quantification methods, this paper draws essential lessons about the direct costs and the intangible impacts of a cyber crisis.
To gauge the potential impact of a cyberattack, there are 14 impact factors that business leaders should consider. “Above the surface” are direct costs commonly associated with data breaches. “Beneath the surface” are potential impacts that are less understood and rarely revealed to the public eye, many of which are intangible costs that are difficult to quantify, including damage to trade name, loss of intellectual property, or costs associated with operational disruption.
Beyond the initial incident triage, there are impact management and business recovery stages. These stages involve a wide range of business functions in efforts to rebuild operations, improve cybersecurity, and manage customer and third-party relationships, legal matters, investment decisions, and changes in strategic course.
Prepared with a more realistic understanding of the potential impact of a cyberattack, executives can invest in risk-focused programs to be more secure, vigilant, and resilient, and gain greater confidence in their organization’s ability to thrive, even in the face of a cyber crisis.