The financial effect of a cyber crisis: The neglected costs senior executives should take into account
“C-level leaders of organizations and companies need to have timely information and tools in order to calculate the risk, assess investment in cybersecurity, and close the gaps between the two,” write Refael Franco and Gil Baram
Last week, Verizon Visible – a subsidiary of the tech giant Verizon that offers lower-priced cellular and data plans – experienced a cyberattack. The attacker appears to have used credentials that were leaked in prior data breaches and were available on the dark web. Telecommunication companies have become one of the more popular targets during the pandemic period of heightened criminal cyber activity. Last year, T-Mobile suffered a major data breach in which 100 million customer data records were compromised, including social security numbers, driver's licenses and more.
These massive breaches raise some urgent questions: what would be the recovery costs? How long will it take to manage the crisis? And how many clients will leave as a result of the breach?
Speaking at the Wall Street Journal’s CIO Network Summit in September 2022, Brandon Wales, executive director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urged corporate boards to increase companies’ investment in cyber defenses and push management to treat hacking threats as a core business risk.
This call to action is even more urgent in light of the soaring costs of cyberattacks and data breaches, both direct and indirect.
The direct cost of IT downtime is an elusive figure, varying greatly by industry or business size. IBM Security's recent “Cost of a Data Breach Report” places the average cost of a data breach in 2022 at $4.32 million globally, with that figure in the U.S. more than double.
The average ransomware attack carries an even higher price tag of $4.54 million in 2022. Although this cost shows a modest decline from 2019, ransomware attacks are growing in numbers and severity, and these trends are expected to continue. Consequently, 60% of organizations studied stated that they increased the price of their services or products after suffering a data breach.
These are only the obvious or immediate direct costs. The full financial damage can be much wider and depends on many factors other than calculating the cost of an hour of terminal shutdown.
For example, the immediate results of the 2017 NotPetya ransomware attack cost the shipping giant Maersk $300 million in losses and disrupted its operations for weeks. The pharmaceutical company Merck, whose ability to manufacture some drugs was temporarily shut down by NotPetya, told shareholders it lost a staggering $870 million due to the attack.
How would an organization’s leadership decide whether to pay ransom fees? What are the alternative costs to shutdown? How long will it take the company to recover and regain full operations? Will customers abandon the company following a cyberattack? How will the crisis affect the company’s stock price?
These are only a few of the questions C-suite and senior leaders need to be asking in order to assess the holistic costs of cyber crisis events and prepare their organizations through adequate defenses and robust business continuity plans. Specifically, they should be examining three additional costs beyond IT downtime.
First, organizational costs. Besides the daily loss of income, leaders must factor in estimated recovery times, the number of workstations affected by the cyberattack, the size of the company or organization, daily/monthly operational costs and overhead such as leasing, property, equipment, and any other fixed costs the organization must pay regardless of its operating status.
Second, reputational costs. In addition to immediate costs, organizations may lose customers who are unable to use services due to the attack and switch to a competitor. To fully assess this risk, executive leaders need to determine how critical their service is to consumers. This means having a clear picture of alternative providers, the competition landscape, and consumer abundance. Additionally, damage to the brand’s reputation can discourage future customers, thereby causing more medium- and long-term costs.
Third, privacy concerns. Crucially, decision makers must take into account the type of information that was leaked or made public, as reputational and legal costs might be even higher in cases where sensitive information was revealed. Organizations might face both regulatory consequences and lawsuits if particularly sensitive personal information was publicized, such as medical records, for example.
A recent survey found that senior executives are mostly only given ad hoc updates, suggesting they may often receive updates only when there is a problem – in other words, too late. Additionally, a typical focus on tech jargon in discussions of cyber threats often shuts them out of meaningful participation, notes an HBR paper from 2019.
C-level leaders of organizations and companies must be part of this ongoing discussion. They need to have timely information and tools in order to calculate the risk, assess investment in cybersecurity, and close the gaps between the two. With an increase of more than 12% in the cost of breaches since 2020 alone, as the IBM report showed, organizations that continue to take a narrow approach to the financial costs of hacking will pay dearly.
Refael Franco is the former Deputy General Director of Israel National Directorate.
Dr. Gil Baram is a cyber strategy and policy expert. She is currently a post-doctoral fellow at the Cyber Escalation Lab, Center for Peace and Security Studies, University of California San Diego.