Calculating financial impact of a cyber attack
Company execs are battling to connect the dots in calculating the risks and financial impact of a cyber attack on an organisation.
This is according to Derek Schraader, risk advisory Africa leader: cyber risk services at Deloitte, speaking at the ITWeb Security Summit 2017 this week.
Traditional approaches to calculating the impact of cyber incidents, he added, have focused largely on the direct costs associated with the theft of personal information (PI).
"Costs associated with the theft of PI do not account for the growing number and severity of incidents that do not necessarily involve the breach of PI. This focus on PI is partly due to the availability of data, but it is also due to a tendency to emphasise the impacts that are visible and easiest to quantify. There are 14 impact factors in the risk and financial estimation processes following a cyber attack," he said.
Among these impact factors are technical investigation, customer breach notification, regulatory compliance, public relations, attorney fees and litigation, loss of intellectual property and operational disruption.
"When doing risk and financial impact assessments, we need to understand all the impact factors of a successful cyber attack. This consists of investigating both the surface impacts, such as the technical investigations and customer breach notifications, and beneath-the-surface impacts, such as value of lost contract revenue and devaluation of trade name. Intangible damages account for over 40% of the total impact," he said.
In situations where intangible assets are at risk, impact can be estimated using generally accepted standard financial measures, damage quantification methodologies, and valuation methods, he continued.
In the incident response lifecycle following an attack, the main concern should be the triage period, he added. This is the phase of impact management and business recovery, which typically stretches for months after an incident has occurred.
"Most of the business attention is typically focused on this stage. Research shows that less than 10% of the impact is related to what is done in the days and weeks following a cyber incident."
The next phase is the impact management phase, said Schraader. This phase consists of preparing for legal action and regulatory compliance, and managing client, vendor and partner relations.
"After the cyber incident has occurred, the business must go into the business discovery stage, where the repercussions are managed," he concluded.