As the unfolding saga of the British Airways data breach shows only too well, cyber risk has become a core issue for companies of all sizes and across all sectors. As we move rapidly from an era in which only ‘early adopters’ embraced digitalisation to one in which every customer expects digital interaction, and every business must provide it, the ‘attack surface’ presented to attackers grows exponentially and the potential damage to business from a technology failure becomes critical. Particularly taking the Internet of Things into account, it’s no exaggeration to say that cyber risk is now one of the biggest and most complex, day-to-day operational risks companies face.
The complexity is not just in the technological details; it is in the range and intricacy of the consequences. Cyber attacks are generating ever bigger reported losses. Shipping giant AP Moeller Maersk announced potential losses of up to $300 million following the NotPetya attacks of 2017.
They are causing lasting damage and cost in the form of litigation – the BA case has created the first class action suit in the UK related to cyber security and data compliance.
They come with the costs of incident response, of damage to systems and remediation to hardware, software and databases.
Most serious in the long term, cyber attacks damage the relationship between businesses and their customers and other significant stakeholders. In B2C and B2B sectors, the entire business cycle and relationship is moving into the digital realm. Customers and business partners trust their counterparties to keep personal and other confidential data safe and increasingly to avoid those unable to provide reasonable assurances about cyber security process and practice.
This reputational damage hits right across the stakeholder chain. Research has shown that up to a third of customers in retail, finance and healthcare will stop doing business with organisations that have been breached. In addition, companies that have experienced a breach often see an increased cost when it comes to acquiring new customers.
At the other end of the scale, lenders and institutional investors are paying increasing attention to companies’ commitment to cyber security and compliance with new regulations such as the EU’s General Data Protection Regulation (GDPR). Among other things, the latter removes companies’ ability to hide breaches by mandating disclosure.
As long ago as 2015, British fund manager Legal & General Investment Management called for compulsory cyber audits to be introduced to ensure companies are prepared to protect themselves from attack.
“Cyber security is a significant risk to our investee companies. It is incumbent on us to discuss how company boards are managing cyber security and their digital infrastructure throughout the corporate year,” said David Patt, senior analyst for corporate governance and public policy at LGIM.
“We are concerned that many responses we receive to this major corporate risk are insufficient. Boards need to be more aware of their operational environment and emerging threats to their business. Simply put, it can affect a company’s value.”
The final element of complexity is how to deal with the near inevitability of a breach. Aside from the technical aspects of incident response, it has become very clear that the immediate, public actions of firms under attack are a strong determinant of the extent of that longer-term reputation and brand damage.
From TalkTalk to DLA Piper to BA, a series of companies have found themselves the subject of damaging “How not to handle a breach” stories, while their smarter competitors have, with professional crisis response and cyber security PR help, minimised the damage to management, share price and customer relationships.
Cyber risk is here to stay. It can destroy smaller firms and cripple even the largest. It is an inevitable consequence of the digital transformation businesses need to execute to survive. And firms need specialist help to deal not just with issues of technology but also with issues of relationship and public perception.
Simon Brady is Managing Editor at AKJ Associates.
With offices in London and Singapore, AKJ delivers solutions to clients on information security, data protection, regulatory compliance, fraud, electronic discovery, forensics and payments risk – http://akjassociates.com