CISOs know that data breaches cost money. One question is how much; another is whether the rest of the organization knows.
To answer the first question Deloitte recently issued a white paper with a calculation to show how many costs aren’t being considered by management. In one hypothetical case, as reported by David Wheldon, the damage could be up to US$1.6 billion over five years. That’s right. For a theoretical breach of 2.8 million records from a U.S. private health insurance company the damage could run into 10 figures.
Not all of the numbers would be applicable to Canada in this particular example. For example, because most Canadians are covered under the government funded heath insurance, private insurers here are smaller — and, of course, we have a smaller population. While the dollar values would be smaller, the factors would be the same. So the Deloitte calculation includes an estimated $230 million loss to brand image to the insurer. There’s a lost value of customer relationships at $430 million over three years. These would apply to a retailer or manufacturer.
However, there are a lot of other so-called beneath the surface costs the C-suite may not be thinking of today: operational costs, insurance premium increases, and, if necessary, the cost of raising debt to pay for these and other costs.
Then there’s the expected costs: Notifying potentially-affected customers and partners, paying for customer protection services, hiring forensic investigators, possibly hiring a crisis reaction team for public relations, facing customer/partner lawsuits, paying regulatory fines, loss of intellectual property (perhaps incalculable) and — of course — cyber security improvements including awareness training.
This isn’t meant to scare management (well, maybe it should, so they pay more attention to cyber security). After all, some of the biggest names who have suffered some of the biggest breaches (Target, Home Depot, Sony) are still in business. But boards and senior management need to take these ramifications into account more when doing risk assessments.
As one expert quoted in the story says, often the most under-estimated significant impact across organizations is business disruption.
Among the report’s conclusions is that “effort should be taken to define the organization’s top risk areas and assets and model realistic attack scenarios. This enables an organization to establish a reasonable level of investment in various areas of a cyber risk program.”
(Editor’s note: This story has been corrected from the original version, which said the theoretical victim company was a hospital. Also, now there’s a link to the full report)