While most businesses accept that their organisation will suffer from a security breach at some point, calculating the cost of a breach can sometimes be finger in the air stuff. There are so many variables, and how do you even define ‘cost’? In our own Risk:Value report this year, we asked business decision makers (outside of IT) for their views on this, and the results revealed that recovering from a data breach would cost upwards of £1.2m on average for a UK organisation (in fact the highest figure of all the countries we surveyed).
But this estimation doesn’t even take into account the ‘hidden costs’ like reputational damage and brand erosion. We’ve seen many brands reeling from the effects of serious data breaches recently and struggling to repair not just the financial realities of it, but the hit to their reputation and customer confidence.
What was interesting from our own research was that, while the majority of people we spoke to expect to suffer a security breach at some point, most expect to pay for it in other ways – including even losing their jobs. Over a third said they would expect to resign or expect another senior colleague to resign as a result of a breach.
Of course, the other factor here is working with insurers to cover the cost of a security incident. While cyber liability insurance has become increasingly popular and can include cover for data/privacy breaches, it can also be a minefield of ambiguity and complexity. The problem is that cybercrime is a relatively new form of commercial risk, and insurers need clarity on the questions they should be asking about an insured party’s security before underwriting policies.
Plus, cyber insurance is only likely to provide financial compensation – and that’s probably limited to specific areas, such as legal or remediation costs. It is more difficult to insure against intangible consequences, such as future revenue impact or brand equity, as these are much harder for an insurer to quantify. It is almost impossible to put a price on the loss of customer trust or reputation. There is a strong relationship between security and trust – and it is very hard to put a financial value on that once it has been broken.
Working more closely with insurers in this area may well help businesses to calculate the costs and allow insurers to correctly estimate losses and more accurately underwrite policies.
Cybercrime is increasing, but according to the European Union Agency for Network and Information Security (ENISA), figuring out just how much it costs governments and businesses is anyone's guess. A report published by the pan-European body, The Cost of Incidents affecting CIIs (Critical Information Infrastructures), said that the “lack of a common approach and criteria for performing such an analysis has allowed the development of rarely comparable standalone studies, often relevant only in a certain context”. It said the most notable conclusion reached from the study was that measuring the real impact of incidents, in terms of the costs needed for full recovery, proved to be “quite a challenging task.”