In 2016, Deloitte published its white paper on the hidden cost of cyberattacks. The firm reported that of the fourteen “impact factors,” some are obvious while others are less so. Cyberattacks are not simply single moments in time. Their life cycles can take months or years to come to an end.
The incident response lifecycle starts with the reactive phase of incident triage and occurs in the days or weeks following an attack’s discovery. This means contacting those impacted and getting the business back online. The second step, impact management, involves finding ways to fix any problems that led to the breach, or to adjust internal processes. Finally, the business recovery phase includes rebuilding or redesigning assets to help rebuild trust and revenue streams.
With this in mind, companies should look at the way compliance, and particularly automating compliance, can lower the impact of a cyber attack. While some cyberattack costs are obvious, Deloitte noted that they have seven hidden costs. Compliance, and its automation, can help keep those costs at a minimum.
How Compliance Lowers the Hidden Cost of Cyberattacks
Insurance Premium Increases
Companies increasingly invest in cyberinsurance. The problem for many insurance companies lies in the inability to value the premiums, so aninsurance company may increase your premium in response to any cyberattack. In theory, this is the same type of impact a fender bender has on automobile insurance premiums, but since cyberattacks are a relatively new phenomenon, insurance companies cannot accurately estimate costs.
One of the biggest problems with risk estimation is the case-by-case nature of cyberattack impacts. The insurance industry may raise individual premiums in ways that seem disproportionate to the damage done. Compliance is one way to show that you have not been negligent. Automating compliance provides rapid, easy to follow documentation of how you protect your information assets. This helps the insurance company evaluate more clearly the risk your institution poses.
Increased Cost to Raise Debt
Another hidden cost of cyberattacks involves higher interest rates on borrowed capital. Unsurprisingly, cyberattacks can cause major stock drops. In terms of both governments and financial institutions, cyberattacks potentially impact credit ratings negatively. In 2015, Standard & Poor’s noted that
Our credit opinion takes a balanced view incorporating other related factors, including how susceptible a firm’s competitive position would be to a cyber-attack, the effectiveness of its response plan, and what is the firm’s financial flexibility, liquidity, and capitalization regarding its ability to replenish capital post-event. Looking at our case studies in financial services with major data breaches, all targeted companies emerged intact after a cyber-attack. However, we are increasingly wary about the persistence of cyber-attacks and what that might mean for consumer confidence to engage in commerce with the brand.
A strong compliance stance can help mitigate the negative impact of a cyberattack. If credit opinions take into account the effectiveness of a response plan and the attempt to lower risk through solid controls, then this can potentially save your credit rating.
Automating your compliance provides greater visibility across programs. You can ensure that your organization has no gaps in their compliance. Being able to prove preparedness may end up saving your company financially.
Impact of Operational Disruption or Destruction
Cyberattacks often shut down business activities, but operational disruption often flies under the cost radar. Quantifying these costs seems amorphous. However, in 2013, Michael Bell at Risky Thinking offered the following hypothetical:
A large utility bought an expensive laser printing and folding system to send out its monthly invoices. It was a unique and expensive system. The company could only afford one of them. With the anticipated workload, it was expected to operate 24×7 and be 99% occupied. When one of its parts failed, the system was down for a week. How long did it take before the bills are once again sent out on on time? At the time interest rates were high – around 10% – so the supplemental question was to estimate how much the company would lose if it had a million customers and the average monthly bill was $100.
With the rise of the Internet of Things, a ransomware or malware attack that shuts down the printing system is more likely. However, the result would be the same, and the costs would remain the same.
A 2015 survey on corporate risk and opportunity noted that 41% of GRC executives said control failure was their number one threat to financial success. In addition, 37% said that the biggest consequence was business disruption, and 75% of the same GRC executives said accessing a “single version of the truth” was of the utmost importance for financial stability.
Automating your GRC program provides this one truth. When everyone in an organization communicates effectively, all business areas use a common language and have continuity across processes to ensure compliance. By eliminating organizational silos with a SaaS GRC program, you provide one repository of information that can reduce or eliminate control failures. This leads to lowered business disruption costs.
Lost Value of Customer Relationships
Customers entrust you with their information. They expect that you will protect that information, even when they are not sure how that protection happens. In reality, these are unreasonable expectations, but your customers do not understand that. Research increasingly argues that breaches are inevitable regardless of your best attempts so you need to focus on lowering the hidden cost of cyberattacks.
When a breach happens, you need to rebuild customer confidence. A strong compliance stance can help in several ways. As Oracle noted in a 2008 whitepaper,
research suggests that companies must adopt a more proactive approach to rebuilding public trust in their organizations, based on areas identified by consumers as those needing the most improvement:
- Greater transparency about business practices.
- Less risk associated with products and services.
- Better pricing and accessibility of products and services.
- More emphasis on the development of socially and environmentally responsible products and services.
Although the information security landscape has changed, customer feelings remain static. Using an automated system, you can more easily articulate your compliance stance in a way that provides customers with a sense of transparency. This demonstrates to them that despite the breach, you were lowering the risk as much as possible. That can help build back customer confidence and lower one hidden cost of cyberattacks.
Value of Lost Contract Revenue
When your customers are companies and not individuals, the loss of relationships come in larger chunks. Lost contracts not only come with immediate revenue loss but with future opportunity loss as well. Loss is calculated in terms of the current value as well as the investment that could have been made with that money.
With a strong compliance stance, you can reassure to your customers. Often, a contract cannot be canceled immediately, so—unlike with other types of customers—you have more time to prove your IT governance stance. With an automated GRC system, you can offer better assurances to your contract customers because you can get the information they request more quickly.
Devaluation of Trade Name
Valuing a trade name is difficult. Most valuations use the “relief from royalty method.” This method estimated the present value of futures savings based on not having to pay royalties or license fees for the use of the name. This means that you look at how much someone else would need to pay you to use your name. The decrease in trade name value after a breach is an often-missed hidden cost of cyberattacks.
A quick response to a breach means knowing how to locate the exploited weakness, and n order to do so quickly, you need to have a strong compliance stance. A strong compliance program requires ongoing monitoring and constant vigilance.
Loss of Intellectual Property
When people think about cyberattacks, they assume that the hackers are attempting to obtain customer information. However, in some cases, a breach that compromises a company’s intellectual property may be more valuable.
When you have a strong compliance stance, you can find an intrusion more effectively. CSOOnline suggests, “Over time, the human resources group, the audit group, the individual’s colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these breaches were perpetrated by the same person. This is why communication gaps between infosecurity and corporate security groups can be so harmful.” With an automated GRC tool, each area that notices an incident can record it. If a breach still occurs, it may be quicker to track the cause.
Breaches are going to happen. While no one wants to admit it, everything that makes organizations successful also puts them at risk. If you are looking to lower the hidden cost of cyberattacks, trying an automated GRC program may be the solution.
To learn more about how ZenGRC can help you reduce these costs, read our eBook, How to Get Compliant and Stay Agile.