Deloitte Identifies 14 Business Impacts of a Cyberattack
While cybersecurity is one of the most prevalent issues of our time, the resulting impact of a cyber incident is still largely unproven. Recognizing the need of business leaders to have clarity around the enterprise-wide effect of such events, Deloitte, the global leader in cyber risk advisory services, released: “Beneath the surface of a cyberattack: A deeper look at business impacts,” a risk-based report outlining the depth, and duration of cyber incidents in financial terms.
The “Beneath the surface of a cyberattack” report was created by Deloitte’s Cyber Risk practice in tandem with the organization’s leading forensic and investigations, and business valuation services. Looking at two samples cyberattack scenarios, the report demonstrates a model to quantify potential damage, and identifies 14 business impacts of a cyber incident as they play out over a five-year incident response process. The scenarios illustrate some of the many ways a cyberattack can unfold and both clearly illustrate that the road to business recovery can be far more drawn out, more complex, and more costly than imagined.
14 business impacts of a cyber incident:
Above the surface: well-known cyber incident costs
- Customer breach notifications
- Post-breach customer protection
- Regulatory compliance (fines)
- Public relations/crisis communications
- Attorney fees and litigation
- Cybersecurity improvements
- Technical investigations
Below the surface: hidden or less visible costs
- Insurance premium increases
- Increased cost to raise debt
- Operational disruption or destruction
- Lost value of customer relationships
- Value of lost contract revenue
- Devaluation of trade name
- Loss of intellectual property (IP)
Deloitte’s study also reveals that:
- The direct costs commonly associated with data breaches are far less significant than the “hidden” costs. In Deloitte’s scenarios, these account for less than five percent of the total business impact.
- The time horizon over which impact is felt is far more protracted than is often anticipated. In Deloitte’s scenarios, costs incurred during the initial triage stage of incident response account for less than 10 percent of the rippling impacts extending over a five-year period.
- Over 90 percent of cyberattack impact is likely to accrue in categories that are intangible. Given that these are less studied and more difficult to quantify, organizations can be caught especially unprepared for these “costs” in areas such as operational disruption, impact to trade name and loss of intellectual property.
“This report is an effort to help leaders broaden their thinking on the potential consequences of a cyber incident. This is particularly important in the Middle East, which we view as being on “High-Alert” given the additional dimensions of threat that include; geo-political instability, our perceived economic wealth making us a prime target for cyber criminals, and our above average malware infection rates. With a fuller picture of what may be at stake, they can better shape cyber risk programs to protect their organizations’ strategic interests, and ultimately improve the organization’s ability to thrive in the face of cyber attacks.” said Fadi Mutlak, partner, Enterprise Risk Services, and cyber security leader at Deloitte in the Middle East.
See related article