Annual global cyber losses are expected to reach $6tn by 2021, with cyber security spending set to exceed $1tn cumulative in the five-year period leading up to 2021, according to a report by Aon.
Businesses face financial loss in the form of immediate crisis expenses, regulatory fines, which have increased following the implementation of GDPR, and lost revenue resulting from an attack stopping the business from trading or disrupting core operations.
While the immediate financial costs of a cyber attack can be crippling for a business, Aon suggests that damage to a business’s reputation could be of equal or even greater concern.
The reputational crisis resulting from an attack can erode a company’s market value, destroy brand loyalty, limit companies’ digital transformation efforts and even lead to a downgrade in credit rating.
An effective cyber resilience strategy can help mitigate both immediate and long-term financial losses. A study conducted by Pentland Analytics and Aon found that a company’s preparedness to mitigate reputational risk and its management’s behaviour in the immediate aftermath of a crisis can have a notable impact on short- and long-term share price reaction.
“Some companies still don’t fully understand the impact a cyber attack can have on a business. Understanding the worst-case scenarios and their impact to a business is crucial to developing an effective resilience strategy in which cyber is managed as an enterprise-wide risk across the entire organisation,” said Aon risk consulting & cyber solutions EMEA CEO Onno Janssen.
“The cyber threat is amorphous, and the technology it exploits is advancing at a dizzying pace, so the risk landscape is never going to stand still. The C-suite will have to aim to constantly improve its holistic cyber risk-management strategies to prevent, prepare for, and be able to respond to a cyber crisis. Ultimate responsibility for all risk management efforts resides in the boardroom.”
Aon’s report outlines four steps to building a cyber resilient organisation:
- Take it to the top. Cyber risk management must be an enterprise-wide effort, but accountability needs to sit at the very top of the organisation, with the board understanding the costs and consequences of a cyberattack.
- Unite your business. Cyber risk is not just an IT security issue; it is a threat to the whole enterprise. It calls for a multi-discipline, multi-level response that involves every relevant stakeholder within the business.
- Get ahead of the game. Businesses can no longer rely on bringing in a response team after an attack. Incident-response training is critical in preparing organisations for a cyber attack, and scenario-planning helps to understand operational vulnerabilities and threats.
- Protect your balance sheet. Firms should look at how they are leveraging available risk-transfer opportunities. Cyber insurance can help protect an organisation’s balance sheet by providing a financial pay-out after things have gone wrong and providing pre-loss prevention and post-loss services.
“Counting the cost of a cyber attack is not straightforward. Firms have to understand not only the initial effects of an attack – lost data, crisis expenses and regulatory fines – but also the cost of business interruption and the knock-on consequences of reputational damage. An attack can have financial ramifications for years after the event, and some firms may never recover,” said the report.
“When responding to the threat, there is no one-size-fits-all approach or quick-fix solution.” M