By: Justin Silbert
In reporting on the consequences of an incident, CISOs and other security professionals should be focused on the costs of the incident. Fixed costs, both direct and indirect, associated with recovery, forensic investigation, regulatory fines, customer notifications, and legal services should be addressed first. Once there is a grasp of the fixed costs, the unknown costs can be evaluated.
As part of the unknown costs, reputational risk stands out above all others. It is commonly perceived as one of the most important costs that the Board of Directors (BOD) considers. However, reputational risk is commonly misunderstood by security professionals. Reputational risk cannot be evaluated solely within the context of a security incident. It is a product of the organization as a whole, dependent on financial stability, leadership, business strategy, business size, and especially timing.
Ultimately, financial stability is the most important factor to ensuring an organization can survive the storm. The organizations that have been host to the most public breaches in recent years are still in business and most are thriving. Equifax, Target, Office of Personnel Management (OPM), Anthem, Home Depot, JP Morgan Chase are just a few. They may have taken a short-term hit, but long term outlook has never looked better. Yahoo may be the only outlier and we will address why a little later.
However, smaller victims of data breaches may remain unknown. The U.S’ National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack. According to the Ponemon Institute, the average price for small businesses to clean up after their businesses have been hacked stands at $690,000; and, for middle market companies, it’s over $1 million.
Assuming a company has the balance sheet to sustain operations past the incident, there are a few other factors that will greatly affect the value of the organization.
Convenience plays a predominant role in our decision making. People will pay more or take on higher risk for the convenience of a product. For example, Uber suffered a data breach in 2015. Ridership has largely continued to grow at a steady pace even though there have also been organizational scandals to contribute to reputation loss. The convenience of the product outweighs the risk for its customers.
Alternatives, or lack of alternatives, can largely prevent reputation loss. When there are limited alternatives to using a product, then lack of consumer choice will ensure that a company continues to thrive. A good example of this is utility providers. In my area, there is only one choice of electric provider for my home. I struggle to find a situation where I would give up electricity because I don’t want to deal with that utility provider.
Timing is everything, and no more important than during any kind of negotiation. Whether merger, acquisition, or strategic partnership development, any incident that occurs can have a major effect. As there is no time for a long term rebound, incidents reported during negotiations can potentially be catastrophic. Verizon was in talks with Yahoo when news of its second (and bigger) hack was released. This greatly affected the price that Verizon was willing to pay. Also, a report about the insecurity of St. Jude Medical Inc pacemakers disrupted an acquisition by Abbott Labs.
The business model also cannot be ignored when evaluating reputational risk. A business-to-consumer model will have a vastly different effect than a business-to-business model. As a customer or a partner, a business will view the incident in a very different perspective than an individual consumer. When looking at reputation, ensure you put yourself into the shoes of key partners or key consumers and assess how they would respond.
Evaluate the relationship between incident and the product. If the incident directly compromises the service or product, then reputation is at far higher risk. For example, in the last year, multiple cryptocurrency exchanges have been hacked and lost millions of dollars. Because the business product is compromised, the consumer base will dwindle. The same would be true of traditional banks. While the banks are insured, protection of the money is the first priority for both the consumer and the bank.
In the end, the most important component of long term reputational risk is the value of the product or service. However, in determining value, one must understand the factors that drive value up or down, which go way beyond the immediate effect of a cyber security incident. If presenting reputational risk to your BOD, ensure you collaborate with colleagues across the organization to get the full picture.