Cyber risk leads to financial risk, but cybersecurity is still often thought of as a technical rather than a business problem.
As cybersecurity risks proliferate and the cost of dealing with them increases, cyber risk assessment, and budgeting for these threats, will become increasingly important business functions.
What does a data breach cost?
The total cost of a large data breach can be surprisingly hard to calculate. The effects of cyberattacks are wide ranging, impacting many areas of a company’s operations, and can continue to accumulate for a long period of time.
A data breach can have strong negative effects on brand value, sales, and customer base. It can also lead to lawsuits or government sanctions—an increasingly large part of the risk. The European Union’s General Data Protection Regulation (GDPR) can impose penalties of up to €20 million, or four percent of global annual revenue, whichever is larger. And recovering from the breach, in terms of employee time, outside vendors, and new infrastructure, as well as the costs of mandatory notification to customers, can also be a significant expense.
In most US states, companies must notify state agencies, as well as affected customers, of a cyberattack. The required information varies from state to state and contains little detail that could support an assessment of cost. Firms are reluctant to reveal many details about the breaches they have suffered—and the costs associated with these breaches can accumulate for a long time, even years in the case of protracted litigation.
What is the risk of a data breach?
Risk is often calculated based on historic data and past events—but the future of cybersecurity will not resemble its past. Attacks are evolving and changing constantly, previously safe businesses become targets, and, with the continuing digitization of all functions, every upgraded process is a potential new chink in the security armor. As security risk increases, so too will the cost of cyber crime.
Companies must also be aware of the threats posed by using third-party infrastructure, which can propagate risks that are hard to supervise and can come from unexpected directions. For example, the 2013 Target data breach originated via the company’s HVAC vendor.
As the number of connected devices increases, so will the possible attack surface in ways companies are poorly prepared to assess.
How much should you invest in risk management?
It’s definitely true that information security is becoming a larger part of the overall IT budget. Still, it can be hard for companies to accept how much they need to spend annually to minimize vulnerabilities. It might become a significant cost line in the company’s budget.
Organizations can use their investment in securing user data and preventing attacks as a market differentiator. As awareness of the risks becomes more common among customers, a reputation for enforcing good customer security could be increasingly valuable.
One big backstop for cyber risk is cyber insurance.
Cybersecurity insurance is a new and rapidly growing market, with many new companies entering the field. It grows out of existing errors and omissions (E&O) insurance, and it mitigates the costs of recovery from a security breach, thus taking on some of the risk.
Cyber insurers will face problems of aggregated risk. If the same cyber criminal targets a large number of insured businesses simultaneously, the insurer will be on the hook for all of them. Instead of spreading risk, it may find that it has concentrated it.
As the name E&O implies, that insurance deals with random risks. But cybersecurity insurance needs to deal with the behavior of active hackers. Terrorism insurance is the only other insurance type with a similar risk structure, and that insurance is supported by government programs. No current predictive model can yet deal with the complexities of cyber threat, response, and deliberately modified threat that characterize cyberattacks.
Expect to see significant evolution in this market, with some likely high-profile insurer failures revealing the flaws in their risk models.
The importance of reporting
There is a real need for a centralized and standardized method of reporting data breaches, their details, and their costs. This could come via some agreement between insurers to pool data, the rise of some third-party standards organization, via government mandate, or some combination of all three.
Without some improvement in available data, estimating and pricing cybersecurity risks will become increasingly difficult.