The Most Impactful Data Breach Fallout
The potential impact on an organization from the reputational damage of a data breach is far greater than the direct financial implications. Reputation is closely linked to financial value, which blurs the finance/reputation distinction: modern accounting shows both tangible and intangible assets on the corporate balance sheet. Moreover, according to Aon’s 2019 Global Risk Management Survey, the value of intangible assets such as reputation and IP rights is five times greater than that of tangibles for most major businesses.
The financial damage of a data breach to an organization is predictable, measurable and time-limited. For example, we know the maximum fines that may be imposed for a GDPR violation, and compensation payments can be estimated. However, reputation is intangible, with customers remembering poorly managed events for a very long time.
The internet has a long memory, and customer feedback and social media add up to an environment where even modest IT security lapses can have widespread consequences, and where a large-scale incident can cause far-reaching or even terminal damage to an organization. Today’s news is no longer forgotten in a few weeks: any ‘bad news’ story will return again and again whenever similar events arise.
As an example, the name Edward Snowden still crops up, even seven years down the line. Data breaches like this are remembered and revisited, but they can also cause collateral damage. Altegrity Risk International (ARI) filed for Chapter 11 bankruptcy after the US government terminated two major contracts with it following a ‘state-sponsored’ security intrusion. ARI had been responsible for the background checks on Snowden, which sowed doubt and a loss of trust in the minds of its customers.
The good news is that reputational damage can be managed. Handled well, the organization gains respect and damage can be limited. However, a poor data breach response can have catastrophic implications.
Uber’s data breach of 2016 was covered up for over a year. The company paid the hackers $100m to delete the stolen data – of course they did – and then, over a year later, when the firm came clean, it had to face up to legal and regulatory actions across the world. According to Varonis, Uber customers’ perception of the company dipped 140% when the incident was disclosed, with the negativity being sustained well beyond this.
It is variously reported that 70-80% of consumers will stop engaging with a brand after a poorly managed data breach. PwC has stated that 87% of consumers say they will take their business elsewhere if they don’t trust that a company is handling their data responsibly.
On the other hand, coming clean about a data breach can boost reputation. Norsk Hydro demonstrated a prompt and open response to a devastating ransomware attack. With daily media posts, business partners were kept up to date, while the company made clear that it would not pay the ransom. Investors were frequently briefed about the total cost of the attack, while at the same time the firm’s staff worked hard to meet customer requirements despite difficult working conditions. The end result has actually been a boost to the company’s reputation, one that has helped to shore up the firm’s stock price and has prevented speculators in the financial marketplace from taking aim at the company.
Perhaps the more important point, however, is how IT security policy is directed, depending on whether the organization leans towards minimizing financial loss or protecting its reputation in the event of a data breach. If the risk of direct financial loss is what drives IT security policy, then the organization is prone to ‘checkbox security’: doing the bare minimum is deemed good enough, and reliance is placed on the firm’s ability to react to security incidents as they arise.
However, if the organization considers that the protection of its reputation is more important, then IT security is likely to be directed to take a more proactive stance, placing data security front and center.
While reputational damage has the potential to deliver a devastating blow to an organization – one that can far outweigh pure financial damage and that persists for years – it is at least in the hands of management teams to minimize the impact, and possibly to enhance the organization’s reputation as a result of the experience.
Reputational Damage vs Financial Cost
Calculating the overall financial cost of a data breach is not an easy task. Even the insurance industry, which assesses risk for a living, struggles to develop reliable risk models. The specific challenges insurers face when developing such models include not only the lack of historical data but also the complexity of digital ecosystems, the ever-evolving cyber-threat environment and the shifting regulatory and policy landscape.
The Cost of a Data Breach Report 2019 published by IBM Security defines four cost components, namely detection, response, containment and remediation. The costs of these components may, however, vary according to the type of data breach: for example, the amount of leaked data and its nature, along with what the malicious actor has done with the data. Another important factor is the type of organization, its industry and geography; for instance, some industries are more regulated than others.
Yet that’s not all. As digital environments are increasingly interconnected, the financial costs of a data breach may not be limited to the organization that suffers the cyber-incident but may extend to the organization’s stakeholders, which in turn may result in claims against the original target of the cyber-attack.
In October 2019, Lloyd’s insurance market released the Shen Attack: Cyber-risk in Asia Pacific ports report, a publication from the Cyber Risk Management (CyRiM) project. CyRiM is a public-private initiative that assesses cyber-risks.
The report attempts to quantify the economic losses of a hypothetical (yet plausible) major data breach. The target of the cyber-attack is the cargo database records of 15 major ports across Asia Pacific.
The Shen Attack is interesting firstly because the theoretical breach doesn’t exclusively concern personal data, which is often the ‘talk of the town’ due to the hefty fines brought along by the GDPR. Under the regulation, the maximum fine an organization could face is €20m or 4% of its annual global turnover, whichever is greater. Yet the GDPR fines hardly compare with the much greater financial losses outlined in the Shen Attack.
Secondly, the Shen Attack reveals the financial losses that would arise from the digital interconnectedness of a business ecosystem, resulting in this instance in the data breach not only affecting the ports in the Asia Pacific, but also many other stakeholders.
The report goes so far as to estimate the economic damage to the world economy of a cyber-attack on the databases of 15 Asia Pacific ports, which could range from $40.8bn in a best-case scenario to $109.8bn in a worst-case scenario.
Although the data breach would only directly affect the ports in the Asia Pacific region, each country that has bilateral trade with the attacked ports would also incur economic losses. Asia would be set to lose up to $27bn in indirect economic losses, followed by $623m for Europe and $266m for North America.
The direct financial losses would mainly stem from business interruption and port closures, whereas indirect losses would result from a domino effect on other stakeholders. The heaviest financial damage would be felt by sectors heavily reliant on maritime shipping: the transportation, aviation and aerospace sectors would be the most affected.
The report also outlines the types of actors that would make a claim, including port operators, third-party organizations indirectly impacted, logistics and cargo handling companies, perishable cargo content owners, ship owners, port management systems and ship management companies. The legal costs in this type of scenario would likely amount to enormous sums; litigation could go on for many years, due to the high number of claimants and the complexity of the claims brought forward.
The Shen Attack scenario helps to raise awareness of the widespread potential economic damages that could result from a major data breach, especially in the context of its ripple effect on a large number of other stakeholders impacted by the operations of the organization.
In summary, the reputational damage from a data breach can indeed be devastating for an organization, including, for example, loss of confidence from clients, private equity or financial markets. However, when we look at scenarios such as the Shen Attack, where a major data breach would cause substantial economic damage not only to the organization itself but also to a wide range of other organizations, business sectors and national economies globally, it becomes difficult to argue that reputational damage is overall greater than financial damage.