As cyber-attacks increase in size, volume and sophistication, the recovery costs also increase. However, much of the cost (as much as 90 percent) can come years after the actual event, according to a recent Deloitte study. To put that into perspective, IBM’s Ponemon Cost of Data Breach Study concluded that the average cost of a data breach is around $4 million. Following a cyber-attack or data breach, an organization faces several immediate direct and indirect costs that can add up in a short span of time: customer breach notification, post-breach protection, regulatory compliance and fines, public relations consultants, attorney fees, etc. While these fees can often be largely covered by cyber insurance, many “hidden” or “below the surface” costs occur much later in the breach recovery process or are non-recoverable altogether. Some “below the surface” costs include: insurance premium increases, business interruption, loss of intellectual property (IP), loss of business reputation and customer relationships, devaluation of trade name, and many more.
While Deloitte was aware of the “beneath the surface” costs, they did not expect as much as 90 percent of the cost to be “hidden.” “We thought this was being under-estimated. What we didn’t expect was how much of the true impact was beneath the surface and hasn’t been part of everyday discussion of cyber incidents today,” explained Emily Mossberg, a principal with Deloitte & Touche LLP. “Executives have difficulty gauging potential impact partly because they are not typically privy to what their peers struggle with as they work to get their businesses back on their feet. An accurate picture of cyberattack impact has been lacking, and therefore companies are not developing the risk postures that they need.”
Of all these costs, however, Deloitte found the most significant to be business interruption, which can include “lost revenues, borrowing costs, customer service, brand perception, and future opportunities.” To prepare for the worst, organizations must have a crisis management plan in place. Does the organization have proactive security controls? Does it protect its data appropriately? If a breach were to occur, is it ready to respond in a timely manner? It is important to test these capabilities before they are needed. As cyber experts tend to say, “It’s not a matter of if a breach occurs, it’s when.”