How a Cyberattack Could Affect Your Company's Bottom Line
According to every relevant study and industry source — cybercrime has been on a meteoric rise in the past couple of years. Throughout 2021, the approximate global cost of cyberattacks has risen to over $5 trillion.
But aside from that huge lump sum itself, it’s perhaps even more important to see how the rise of cybercrime impacts modern businesses. All around the world, companies are expanding their cybersecurity budgets to lower the risks and expenses associated with cybercrime.
This is understandable, as every potential data breach can cost a company millions. And while businesses can easily quantify the direct losses resulting from a breach — cyberattacks can negatively impact a company’s bottom line in various other indirect ways as well.
Some businesses never completely recover from a cyberattack, even after they deal with its immediate implications. With that in mind, we’ll explore all the obvious — and less obvious — ways a company might be affected by a cyberattack.
Damaged Investor and Shareholder Relations
Unfortunately, even proactive preventative measures and security postures still can’t 100% guarantee you won’t suffer a cyberattack. Cybercriminals are evolving as fast as the security companies, government agencies, and other organizations fighting against them.
Plus, some businesses in certain industries are more attractive (or more vulnerable) to cyberattacks. Usually, shareholders and investors are aware of such risks beforehand. But even if a potential attack is a cost of doing business in some industries, when it does happen, the company’s value still drops precipitously.
Not all investors are equally ready to stand by a company after a devastating blow to their cybersecurity. And negative press that almost always gets the “sell now” bandwagon rolling isn’t helping either. This is particularly true when it comes to smaller businesses, which may not have the brand recognition or robust corporate structure to rely on in the event of an attack.
Some estimates show that, even 5 years ago, over 80% of all business assets were kept in a digital format. Half a decade later, it’s no surprise that market prices are directly tied to a company’s cybersecurity capabilities and perception — we’re even more digital now than we were then.
Inevitably, shareholders and investors are looking for investment opportunities where their money will be kept safe — and that perception isn’t solely about how the company is managed, or the business decisions its executives make.
Today, the bad press that follows even a small data breach is seen as a red flag. And larger cyberattacks can cripple the public’s trust in the company. Of course, this is only a short-term issue for most companies — but if the company is small enough and the short-term blowback is big enough, the company can be weakened severely in the long run as well.
Naturally, there are plenty of examples where the damage wasn’t ultimately irreversible. For instance, LinkedIn managed to recover fully from a data breach that saw them lose over 115 million user passwords. That was six years ago, and they’re still the biggest professional networking site on the planet.
However, not everyone’s market position is as sturdy as LinkedIn’s. Yahoo has experienced three significant data breaches in the past half-decade, resulting in almost two billion compromised accounts. And when Verizon acquired them in 2017, the telecom giant was able to acquire them for $4 billion less than the initial offer before the attacks.
Obviously, there’s always a place for crisis management. But while it can be effective, that’s only true if you’re able to use it. Unfortunately, a huge number of businesses just don’t have the market share, resources, and public confidence to recover after a particularly nasty data breach.
According to a global study funded by IBM Security, the average expenses of a data breach are steadily rising — and they’re already in the millions. While the average breach cost businesses around $3.85 million just two years ago, that number rose by 7% over the course of 2021.
And the loss of valuable data doesn’t just rack up bills for added security measures and the initial data recovery. There are other costs — such as penalties, potential fines, and even litigation that a business might face due to their lacking security.
Five years ago, Target had to agree to an $18 million settlement due to a huge data breach that happened almost a decade ago. And that’s just the tip of the iceberg — ultimately, company spokespeople claimed that the overall cost of the cyberattack amounted to over $200 million.
You may have noticed a pattern here — the biggest percentage of stolen records are usually those that contain customer data. Apart from the more obvious expenses we’ve already mentioned, that means any data loss to malicious hackers also erodes customers’ confidence in the company and its ability to keep their sensitive financial information safe from wrongdoers.
When hackers steal a company’s own data, that’s a significant red flag for both the investors and the public — but it’s an even bigger issue if it loses customer data. That’s an entirely different ballgame, for logical reasons.
In the age of the Internet, identity theft has become a bigger consumer issue than ever before. While a huge portion of the FinTech market is dedicated to facilitating secure transactions over the Internet, breaches still happen — making customers particularly sensitive to the mishandling of their personal information.
If a company shows that it’s not trustworthy when it comes to data security, customers will understandably be less inclined to spend their hard-earned money with them. And that leads us to the next big way cyberattacks affect a company’s bottom line: the damage to its brand identity.
Loss Of Reputation
In the aftermath of a cyberattack, companies lose more than customers and valuable digital assets. They also lose potential new customers they might have otherwise gained down the line.
Remember, a company’s brand is important for a reason — it extends into every aspect of doing business, including, crucially, revenue and growth. Lost funds can be recovered and even data can sometimes be restored. However, a brand image is a far more fragile thing. It is built up over decades, and it takes just a single issue to ruin it overnight.
If a customer starts feeling that a company is unable to safeguard their data and, as a result, their financial and personal information — it’s basically game over. Even the biggest brand loyalists who sympathized with the brand for ages will start seeing the company in a completely different light.
In the US, around 85% of consumers are only loyal to companies that have proven to be reliable when it comes to protecting customers’ personal information. And the figure is largely the same throughout the developed world. If your brand is seen as unsafe from a data security perspective, gaining new customers will be even harder than retaining existing ones.
Generally, in economic terms, opportunity costs are production, income, or some other kind of benefit that a company would have otherwise enjoyed if not for some kind of an issue. And the opportunity costs of a cyber incident are quite vast.
In fact, research has shown that opportunity costs make up a substantial part of a cyberattack’s indirect effect on a company. Some of the biggest opportunity costs are reduced productivity and efficiency, lost sales, and overall business disruption.
These days, any calculation of cybercrime includes such opportunity costs, because lost benefits and foregone opportunities that might have been available if not for the cyberattack add up to quite a lot.
Among other things, these expenses include the additional cybersecurity spending that’s an absolute necessity in the aftermath of a cyberattack. Both in practical and reputational terms, companies need to show that they’re working on establishing a more secure environment after any kind of hack and data breach.
Depending on the size of the company and the nature of the security breach, this can turn out to be quite a costly endeavor.
With all of this in mind, we can conclude there are four types of opportunity costs that stem from a cyberattack:
● Lower R&D (research and development) spending.
● Reduced productivity.
● General risk-averse decision-making.
● Higher cybersecurity spending.
Higher cyber-defense spending
This is a common and completely understandable reaction to a cyberattack. That’s why over 40% of companies that experience a data breach or any other kind of hack invest in new cybersecurity software soon after the incident. Also, at least a third of them hire new cybersecurity staff in their IT departments and increase security-related budgets.
All of this adds up to a significant “risk premium” that companies end up paying because of a rise in cybercrime, even before the pandemic. In 2019, the world’s cybersecurity market had a cap of approximately $145 billion. Just four years before, in 2015, it was worth only $112 billion.
Lower tolerance for risk
When thinking about the effect a cyberattack has on a company’s bottom line, we have plenty of indirect expenses to consider. And apart from downtime, business disruption, and lost opportunities, this includes a behavioral change in both individuals and organizations.
After becoming a cybercrime victim, there’s a logical tendency towards more risk-averse behavior — especially considering the accompanying financial impact and the personal data exposure.
On a personal level, victims feel angry, annoyed, and even ashamed — sometimes leading to a visible decrease in engagement. And on an organizational level, key decision-makers at companies struck by a data breach often shy away from any bolder initiatives or investments for the foreseeable future.
If such actions might have brought value to the company despite the calculated risk, this is another opportunity cost to consider.
Interestingly enough, the COVID-19 pandemic has simultaneously resulted in more cybercrime and made people less reluctant to engage with others online. For many people, the resulting social distancing measures have made it practically impossible to maintain social and professional contact without entering cyberspace, despite growing concerns over cybersecurity.
However, this has also led to a rise in public concern and outcry over data privacy issues, particularly in Europe and North America. It seems that the privacy compromises that people make due to their online activity have become a more seminal topic of social discussion.
As a result, there has been a growing demand for increased regulation of how organizations can handle user data. It’s also worth pointing out that, even though most organizations that suffer a cyberattack claim that they were victims of “highly sophisticated” criminal tactics — ultimately, most of them turn out to have been struggling with some pretty basic vulnerabilities and a failure to follow cybersecurity best practices.
Any kind of IT incident can result in downtime — especially a security incident. In practical terms, downtime means that certain (or all) systems and technology won’t be usable at their regular functionality levels.
In this day and age, even temporarily restricting access to some technology systems can have a substantial effect on organizations. Whether it’s a system having to be reset due to an intrusion or ransomware actively preventing system access in an organization — downtime is a big deal, affecting both consumers and staff members who need the system for their regular daily duties.
In any organization, downtime can have a varying financial impact depending on the department. Naturally, engineering departments have the biggest losses — sometimes up to a million dollars — while human resources departments tend to suffer minimal financial damage.
These higher costs suffered by engineering come from their need to access certain software and files in their day-to-day business operations. On average, a hack turns out to be ten times costlier for an engineering department than for its HR equivalent.
As you might have expected, longer downtime means more financial damage. In the US, the average cost companies experienced as a result of their longest downtimes was over $760,000 in 2019.
Also, larger organizations and companies have higher downtime expenses. For instance, corporations with over 5,000 employees have reported damages almost double those experienced by smaller companies with up to 3,000 staff members.
And if you’re wondering if all of that downtime is the result of cybersecurity issues — it’s not all, but it is around 70 percent. When a cybersecurity breach is the cause, downtime lasts around a day on average, or less.
However, there are some notable exceptions. For instance, the latest cyberattack against Avon resulted in the company not having access to its systems for almost a month. And considering the company’s global reach, it’s no wonder that the cyberattack managed to disrupt operations in Argentina, the United Kingdom, Poland, Brazil, and Romania.
The attack was most severe on the company’s backend systems, resulting in customers not being able to place online orders, while simultaneously preventing workers from accessing key documents and systems.
Seeing as this attack happened right in the midst of the pandemic, the overall financial impact of the cybersecurity breach won’t be easy to determine. But, considering the fact that downtime can result in lost revenue even when it lasts a day, this kind of month-long hiatus will likely be extremely costly.
A similar thing happened to a Norwegian manufacturing company called Norsk Hydro. With their digitally-connected operations in about 40 world countries, it’s no wonder that a ransomware attack at the start of the pandemic hit them hard. By some media estimates, the attack might have cost them in excess of $70 million — considering that it halted operations in multiple countries and severely limited their production capacity for a while.
Also, the company reported that they were only ready to resume operations in November 2019 — almost a year after the cyber attack took place.
On average, downtime results in organizations losing around nine work hours. And if that sounds like it’s not such a big deal, keep in mind that even an hour can be quite valuable, depending on the company.
For instance, a ransomware attack produced around 10 days of downtime for Maersk, the Danish shipping and logistics company that deals with around a fifth of the world’s shipping. The damage to their business was somewhere along the lines of three billion dollars. And because of that company’s embeddedness in the world’s shipping network, other companies were also affected.
As a result, FedEx lost around $300 million when its European operations were disrupted. And unraveling the precise losses due to equipment reinstallation and lost deliveries is nigh impossible. A company whose ships entered ports with tens of thousands of containers every 15 minutes was left without crucial IT support for 10 days — it’s only logical that the damage would be astounding.
However, Maersk is also an example of the other consequences of cyberattacks — after the NotPetya ransomware incident, they have heavily invested in cybersecurity, which is now, ironically, one of their most significant competitive advantages.
We’ve already mentioned that brand damage is a critical aspect of any cyberattack — but what does this reputational cost look like in practice?
The costs of rebuilding media relations, hiring new employees, retaining current ones, and rehabilitating the brand are all connected to the reputational damage suffered in the wake of a cyberattack.
At the end of the day, reputation is just another word for perception — but when that perception is one of negligence and data privacy policies that leave a lot to be desired, customers can quickly be turned away from a business.
Because of this, the way organizations respond can be a huge deciding factor in how well they’ll be able to maintain consumer trust. In the past couple of years, the awareness of the importance of data privacy and proper data governance has risen among consumers. As a result, they care more about how their data is used, and their expectations on data protection are higher than ever.
As a result, a lot of companies have resorted to withholding information from customers and other key stakeholders for the sake of crisis management and maintaining trust. In fact, less than a third of all organizations that experience a security incident transparently share information on it with customers or clients.
While this may reduce the immediate costs of a cyberattack, such practices definitely erode the public’s trust even more in the long run.
Intellectual Property Theft
For many companies, intellectual property theft represents a huge chunk of the costs resulting from a cyberattack. There are several means through which malicious actors accomplish IP theft — including targeting specific companies, clandestine efforts, business espionage, etc.
Sometimes, a successful attack doesn’t necessarily result in direct expenses if the perpetrators don’t actually succeed in capitalizing on the stolen IP. However, unfortunately, that’s not the only way an IP theft can hurt a company’s bottom line.
The impact a cybersecurity incident may have on revenue streams can lead to lower R&D budgets, as well as a significant loss of capital if investors conclude that the company had insufficiently protected their intellectual property.
Incident Response Costs
For the average organization, about 20 hours pass between an incident being discovered and its remediation. In this period, companies attempt to retrieve lost data, remove any threats from their systems, and generally restore their IT systems to regular capacity.
However, there are some cases where an incident’s nature means it can’t be considered remediated until its source has been identified and measures have been undertaken to prevent it from happening again in the future. Frequently, it takes teams of professionals — eight, on average — to find and respond to a cybersecurity threat.
This is a costly process in and of itself — but it can include other hidden costs, depending on the nature of the threat. If client data has been stolen, for instance, victims may need to be provided some kind of compensation or protection service; sometimes including company-sponsored fraud alert and credit monitoring services, or reimbursement for any specific losses.
In 2020, for instance, the world-renowned Marriott chain of hotels had to create a special call center for client concerns, after suffering its second data breach in as many years. Two years ago, they offered free access to fraud detection and credit monitoring programs to their customers as a result of the hotel’s negligence with their personal data.
Perhaps the most famous example of this was the Equifax data breach in 2017 when one of the biggest credit reporting companies in the world exposed the sensitive information of around 150 million people. The breach resulted in a lawsuit from the FTC (Federal Trade Commission) and the Consumer Financial Protection Bureau — by the end, Equifax had to agree to a $425 million settlement and additional benefits paid out to people directly affected by the cyberattack. Plus, all US-based Equifax customers became eligible for seven free credit reports with the company, every year until 2026.
Larger companies may have the means to handle a cyber-attack in-house — however, during major incidents even they may require the help of outside consultants. Naturally, they charge extremely high rates, frequently forming a sizable part of the overall cost of the incident.
In reality, most companies that experience a cyber attack hire third-party support — typically cybersecurity organizations with response teams prepared to assist with containment, remediation, and recovery. Also, sometimes, outside consultants are hired for public relations assistance and/or legal assistance.
As you can see, cyber threats can vary wildly in scale and, consequently, cost. They range from smaller attempts that can be handled by in-house staff, to colossal breaches that require a much larger response.
In the latter case, companies typically must employ a coordinated response involving leadership at all levels of the organization, public relations specialists, lawyers, and cyber experts. Many of these are brought on as external consultants — and as cyberattacks have increased in intensity and frequency, the cyber experts have become more valuable consultants.
If we go back to the Maersk example, we can see that they’ve hired over 200 outside staff from consulting firms to help them manage the crisis and their response. And this number isn’t unprecedented — consulting firms that provide such services often have cyber units with thousands of employees. This is also a good indicator of the expansion of the market.
In most cases, there aren’t many public reports on the sums paid to these consulting firms — though companies frequently admit that their fees are a large component of the overall expenses tied to the incident.
And the rare cases where payments surrounding ransomware were made public corroborate this. For example, the NHS of the United Kingdom paid over £70 million on cybersecurity support after the May 2017 ransomware attack.
As you can see, the direct dollar cost of a cyberattack is merely the cherry on top of the proverbial cake of the expenses that stem from a cybersecurity breach. Brands and businesses are often left with decimated reputations, and their companies’ long-term viability is often called into question.
This fact means that being proactive in preparing for the next cybersecurity threat is paramount for companies, both big and small. Strong protection and active safeguards need to be in place for the next attempt at a cyberattack, which will almost inevitably come.
In the modern, digital world, this is nothing more than the cost of doing business. And that’s why companies will need to keep investing in preemptive and preventive cybersecurity measures — regardless of their cost, they’ll likely be more affordable than the alternative, which is dealing with the fallout of a cyberattack after the fact.