A cyber-attack can burden companies with substantial costs. For instance, a cyber-incident may result in a business interruption loss as systems are unavailable both internally and externally. Exceptional expenses are incurred and revenues reduced through the loss of business.
The amounts involved depend on the time it takes to restore the affected systems or conduct criminal probes.
There are other resultant costs, including expenses for measures taken to notify customers, recover systems and data, or ameliorate reputational damage. Third-party losses can be exceedingly costly as well. Companies may face class action lawsuits and have to pay damages to customers in data breach cases. The legal costs of dealing with the results of a cyber-attack can include lawyers’ fees for defending cases in court and for keeping cases out of the courts, as well as the cost of legal analyses of the situation and recommendations on how to proceed.
High-profile data breaches and other cyber security incidents have grown more commonplace with increasingly onerous outcomes. As previously mentioned, one of the largest retailers in the United States, Target Corporation, suffered a massive cyber breach in late 2013. According to Target’s 10-Q filing for the quarter ending May 3, 2014, an “intruder accessed and stole payment card data from approximately 40 million credit and debit card accounts of guests who shopped at [its] US stores between November 27 and December 17, 2013 through malware installed on [its] point-of-sale system in [Target's] US stores. In addition, the intruder stole certain guest information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals.” The resulting publicity from the event cost the company a significant amount in lost sales, loss of reputation, class action lawsuits and the ouster of its chief executive officer.
Since the data breach, Target has incurred USD88 million of cumulative expenses, partially offset by expected insurance recoveries of USD52 million, for net cumulative expenses of USD35 million, according to the 10-Q filing for the quarter ending May 3, 2014. To limit its exposure to losses relating to data breach and other claims, the retailer states that it maintains USD100 million of network-security insurance coverage, above a USD10 million deductible. This coverage and certain other customary business-insurance coverage cut Target’s exposure related to the data breach, the company explained in its filing.
Another high-profile incident involved the UK charity, British Pregnancy Advisory Services. It was fined GBP200,000 in February 2014 following a data breach by a hacker who targeted its website because he disagreed with abortion. He threatened to publish the stolen data.
Impact on Supply Chains
Today, organizations, through their interconnectedness and participation in global supply chains, are subject to an increasingly complex network of networks. A cyber-attack may put an entity’s entire supply chain at risk. Cyber risks pose a set of aggregations/accumulations of risk that spread beyond the corporation to affiliates, outsourcers, counterparties and supply chains.
Cloud-based computing is another cyber risk causing concern. Aggregation of data from many companies in a cloud service could spell catastrophic loss for many companies if an attack or breach occurred. Whether it is a private cloud using dedicated servers or a public cloud, where data is stored on shared servers, cyber threats exist.