Data Breaches Cost More than Money

    Aug 24, 2016

    The average cost of a data breach today is about $4 million per incident, an increase of 29% since 2013, according to an annual report from IBM and Ponemon Institute.

    This is not news for most organizations. A different 2015 survey of U.S. finance decision-makers showed that organizations are spending more on cybersecurity.

    According to a recent Journal of Accountancy article, a new report by Deloitte & Touche reveals that this may not be enough – there are many hidden costs that result from a cyberattack. "The conversation has been a technical one to date. It's focused on the vulnerabilities, and the threats and the adversaries out there," said Emily Mossburg, principal in Deloitte & Touche LLP's cyber-risk practice and a report author. "Much of what is talked about is the number of records that were compromised: Social Security numbers and financial account information. That's important, but that was sort of where the conversation was ending."

    Cyber readiness, according to the Deloitte report, is much more than just what happens right after an attack. The report lists 14 impact factors of a cyberattack, including seven that are "beneath the surface" and have less visible costs. Less visible, though, doesn’t mean less costly. These costs include:

    1. Higher insurance premiums: Deloitte says companies may face premium increases of 200% for the same coverage, or they may be denied coverage until they prove to the insurer that they have shored up their cyber defenses. Insurers may tell a company what to fix before coverage will be continued.
    2. Increased cost to raise debt: After a data breach, a company's credit rating can be lowered, which will affect its ability to raise debt or renegotiate its existing debt, Deloitte said. Deloitte's analysis said credit ratings agencies typically downgrade companies that have experienced a cyber incident by one level. For example, Target’s rating was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's after a cyberattack.
    3. Business disruption: When normal business operations are disrupted, a company suffers financially. If a company's e-commerce site must be shut down temporarily, for example, the company will lose current and possibly future business when customers move to a competitor.
    4. Lost customer relationships: Customers may not return to a business that suffers a breach. Deloitte's hypothetical analysis showed that the customer attrition rate increases 30% after a cyber incident and doesn't return to normal until three years later.
    5. Lost contract revenue: Negotiating contracts with other entities is harder after a data breach, and contracts may be terminated as a result of a cyberattack. According to the IBM and Ponemon Institute report, the "biggest financial consequence to organizations that experienced a data breach is lost business." 
    6. Devaluation of trade name: If a company's business is offering services to other companies, those companies will be less likely to seek additional services from a company that has suffered a data breach. Most companies will need to rebuild brand loyalty after a breach.
    7. Loss of intellectual property: This can be the most crippling effect of a data breach. The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost. "If you lose plans, if you lose designs, or lose [research and development] that you've been working on for months or years, and that then is brought to market by another organization faster and cheaper than you can do it, that impact can be reverberating for decades," Mossburg said.

    © 2017, ARMA International