14 ways a cyberattack hits your bottom line

Published June 28 2016, 6:45am EDT

What is the true cost of a data breach? After analyzing a health plan breach, research firm Deloitte says the toll of cyberattacks is significantly underestimated. In a report, the firm cites 14 factors that could have a significant impact on your organization and affect its financial stability.

Above the surface: well-known cyber incident costs

“Above the surface” are many tangible, direct costs. These factors, generally well-understood, include such things as costs to notify customers or provide personal credit protection. They are relatively straightforward to approximate, using a combination of profile information for each company, publicly available data, and cost assumptions derived from industry and market research.

Customer breach notifications

Following the breach discovery, the healthcare provider notified customers of the event, the steps being taken, and the potential impacts. This process took six months, at a cost of $10 million (0.6 percent of the total).

Post-breach customer protection

Technical investigation revealed that cyberattackers had gained access to the patient care application using privileged credentials from the stolen laptop and had created a significant number of user IDs. Consequently, before service could be restored, new user accounts had to be issued for all application users, and new application and system controls were put in place. The post-breach protection efforts lasted three years, at a cost of $21 million (1.25 percent of the total).

Regulatory compliance (fines)

Regulatory compliance factors came in the form of HIPAA fines. These amounted to $2 million over a two-year period (0.12 percent of the total).

Public relations/crisis communications

As the incident unfolded, impact to reputation and damage to trade name mounted. Lack of confidence in the company’s data protection practices resulted in the loss of customers for approximately three years, as some corporate clients and individual subscribers chose other health plan alternatives. The cost of public relations and communications over the first year was $1 million (0.06 percent of the total).

Attorney fees and litigation

The company faced ongoing scrutiny for its handling of the incident; many months after the breach, its cyber insurance premiums were raised and legal fees accumulated as the company faced identity theft lawsuits. The impact of legal fees continued for five years at a cost of $10 million (0.6 percent of the total).

Cybersecurity improvements

Before service could be restored, new user accounts had to be issued for all application users, and new application and system controls were put in place. The cost of cybersecurity improvements during the first year was $14 million (0.83 percent of the total).

Technical investigations

The company shut down physician access to the patient care application and activated its cyber incident response team. The application was kept offline for two weeks while the incident was investigated. The full technical investigation lasted six weeks, at a cost of $1 million (0.06 percent of the total).

Below the surface: hidden or less visible costs

“Beneath the surface,” many of the impacts are intangible and more difficult to quantify, including costs associated with loss of intellectual property (IP) or contracts, credit rating impact, or damage to the value of a trade name. In situations where intangible assets are at risk, the impact can be estimated using generally accepted standard financial measures, damage quantification methodologies and valuation methods. Almost 89 percent of the impact was associated with just three “beneath the surface” impact factors: value of lost contract revenue; devaluation of trade name; and lost value of customer relationships.

Insurance premium increases

The company incurred significant increases in its insurance premiums. These amounted to $40 million over a three-year period (2.38 percent of the total).

Increased cost to raise debt

Higher borrowing costs resulted in the delay of a strategic acquisition and, most significantly, the incident forced the company to mitigate reputation damage and member loss by reducing its annual premium increase over a five-year period. The increased cost to raise debt amounted to $60 million (3.57 percent of the total).

Operational disruption or destruction

In the short term, core business functions were disrupted by the shutdown of physician access to the patient care application. While the application was unavailable, physicians and providers relied on less effective and efficient means of receiving medical alerts, increasing risk to patients. Without full access to health insurance coverage information, physicians and providers could not be certain of the financial implications—to both their institution and their patients—associated with the choice of care they provided. Operational disruption cost the healthcare provider $30 million (1.79 percent of the total).

Lost value of customer relationships

The decline in annual revenues related to lost members or customers caused the value of customer relationships to decline by $430 million over a three-year period (25.61 percent of the total).

Value of lost contract revenue

In this scenario, contracts were not canceled; however, as the company looked to reduce the damage of the incident, it adjusted the premium increase it had historically charged its members. This resulted in an estimated loss of $830 million over five years (49.43 percent of the total).

Devaluation of trade name

Because of the erosion of revenue, the company’s trade name value decreased, resulting in a $230 million loss over five years (13.7 percent of the total).

Loss of intellectual property (IP)

In this example, Deloitte did not associate a dollar figure loss with intellectual property. It did so in another example provided in the report, involving a manufacturing company. The total cost of this cyberattack was greater than $1.6 billion over a five-year timeframe.