The massive sums paid out by companies suffering from ransomware attacks attract big headlines. News stories focus on the millions of dollars and the tens of millions of records compromised. But the damage caused by a breach doesn't stop there. In fact, organizations continue to suffer long after a cyberattack has faded from memory.
The recent Cost of a Data Breach Report from IBM analyzed the financial impact of several high-profile data breaches. It turns out that the amount forked over in response to ransom demands may be the tip of the financial iceberg.
Long-Term Cyber Turmoil
When a breach occurs, the impact goes much further and deeper than the specific records or data that were compromised in the act. There will be many fees associated with legal payments, insurance payments, regulatory fines, costs of incident response and recovery, and settlements, noted Mark Bowling, chief information security and risk officer at cybersecurity firm ExtraHop.
"What can be much more expensive, in the long term, is the negative reputational impact that can have unforeseen consequences," he said. "After a public company reports a breach, organizations will inevitably see net income impacted with an average drop in income of 73 percent nine to 12 months after a breach was publicized."
The report found that nearly all organizations analyzed experienced a decline in quarterly earnings and stock prices after a data breach occurred. One company's stock price fell nearly 21 percent the day after the breach was reported, and net income dropped 27 percent year-over-year in that quarter. These losses are in addition to over $1 billion in reported costs, including regulatory fines; legal fees; and multiple settlements with consumers, businesses and states.
"Bad actors are relentless in their efforts to compromise the public and private sectors, leaving organizations of all sizes susceptible to the potential ramifications of a data breach," said Andrew Heighington, chief information security officer and head of IT and privacy at software-as-a-service platform Visit.org. "These threats transcend monetary disruption, leading to the erosion of trust, tarnished reputations and disrupted operations, ultimately jeopardizing the core of a business."
The report details one business where the losses amounted to several billion dollars. In addition to over $1 billion in reported costs, the victim organization's quarterly net income was down year-over-year in seven of the eight quarters after a breach was announced, turning to a net loss at one point. The same company also saw its stock price drop more than 20 percent in the immediate months after the breach.
Another organization experienced a net loss over a year after reporting that hundreds of millions of customer records were breached, on top of almost $200 million in reported costs and insurance payouts. And a German biotech firm cut its revenue estimate for the financial year by $77 million following a ransomware attack which cost the company $27 million to address.
"All profiled companies saw net income drop in consecutive quarters in some capacity," Bowling said.
Mitigating the Impact of a Breach
Most response plans to cyberattacks focus on the technology side as well as the immediate legal responsibilities. IT and security personnel get to work containing the threat, safeguarding the organization from further damage, verifying backup integrity, alerting the FBI and other authorities, negotiating with cyber criminals, and other remediation actions. They instigate forensic examinations of the exact attack vector, where their defenses were penetrated, who was at fault, and look for any further signs of malware hiding in their systems. They determine what they need to do to avoid a breach in the future and what systems or services they need to add to secure the enterprise.
Essential as these actions are, they don't address the knock-on impacts that will be felt in the immediate days and weeks of the aftermath, nor the long-term financial hit that most suffer. What should companies do on the financial side to mitigate these consequences?
Organizations are advised to get ahead of the public relations fallout by being open and proactive. The news will get out there. Efforts to disguise it or water it down are likely to backfire. While those that demonstrate responsibility and honesty won't come out of it unscathed, they are more likely to retain at least some trust in the market. Such an approach is gradually being mandated by regulatory bodies.
The U.S. Securities and Exchange Commission (SEC) has recently become more active and prescriptive in how public companies handle reporting if a breach is material, or has financial impact. In some respects, this represents a positive development as guidelines are in the early stages of determining what must be required after these events occur. There's still plenty of work to do in this regard, but this position by the SEC indicates a step in the right direction.
"After understanding what data is vulnerable, companies should conduct financial forecasting as justification for investing in preventative security measures as opposed to the costs that coincide with the breach itself," Bowling said.
Financial Services Sector Beware
Allie Mellen, an analyst at Forrester Research in Cambridge, Mass., cautioned financial services and insurance firms, in particular, about the aftermath of breaches and their continuing costs. She said these organizations were each breached an average of four times in 2022 and that it took an average of 62 days to eradicate attackers from their networks.
"Financial services and insurance security decision-makers struggled to both eradicate and recover from breaches more than other industries," Mellen said. "Moving to a post-breach mindset requires not only accepting that breaches are a reality but also confronting the data to understand your organization's capabilities."
Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.