reputation in the age of state-sponsored attacks
The Russian-Ukrainian conflict has increased the risk of cyber breaches globally. The war is fought with both boots on the ground and attacks in cyberspace.
Cyberattacks have become a vehicle for disruption, taking the form of state-sponsored attacks by Russia, so-called “hacktivist” groups pooling resources to target entities in Russia and Belarus, and traditional cybercriminal groups seeking a piece of the action.
Attacks have increased in frequency and intensity, spreading into other areas and affecting all businesses, from SMBs to medium and large enterprises around the world. Despite the most rigorous cyber protection measures, no company is immune.
While the National Cyber Security Center (NCSC) and other agencies are issuing warnings about increasing attacks and advising on mitigation measures that can be implemented, managing the reputational fallout from being the object of a cyberattack is an aspect that is often overlooked.
Companies can spend years and considerable sums building their brand and reputation only to have it destroyed by a single incident.
The impact on customers
A cyberattack typically involves infiltrating a company’s computer systems, injecting a malware payload, and encrypting all data and systems so that users can no longer access them. This has an immediate impact on the ability of the business to operate, ultimately affecting everyone who uses it.
Since rebuilding systems takes anywhere from a week to several months, disruption is guaranteed.
But how will customers react? At first they may be friendly, but that can soon change. What if there was a data breach and the malicious actor exfiltrated their data? How will customers, or those affected, react?
Cyberattacks, and data breaches in particular, pose a huge reputational risk. The main factors determining the reputational damage of a breach are the size of the breach, where it emanates from, and the speed and efficiency with which the company reacts.
In addition to incident response and system rebuilding, companies need to be aware of reputational damage and the public relations response to a cyberattack.
Many cyber insurance policies currently on the market cover business interruption costs related to cyber reputation, the typical wording being: “Cyber Reputation Business Income – We will pay for the loss of reputation business income you incur as a result of a breach event or security compromise that begins during the policy period.”
It is also quite common to see policies covering: “Any reduction in revenue and any increase in operating costs resulting from any interruption or interference with business, including any loss of current or future customers caused by damage to your reputation resulting from: 1. Breach of data security; 2. Virus or similar mechanism, hacking or denial of service attack; 3. Cyber extortion.”
In effect, this means that any reputational business loss resulting from a cyber incident can be covered by such an insurance policy. But, while the cover may be in place, it can be difficult to establish how far it extends. How are reputational damage and related losses measured?
Measure reputation losses
Reputational losses can include loss of customers, loss of sales and reduced profits. There are also additional costs (commonly referred to as increased labor costs) that a business incurs to prevent or minimize reputation loss.
In simple terms, business interruption losses are generally measured as the difference between expected revenue and actual revenue during the period of interruption or the period of compensation under the policy, less any savings.
In terms of cyber business interruption, and specifically cyber reputation-related business interruption, this can present challenges for both the adjuster/forensic accountant handling the claim and the insured.
What may seem clear to the insured can be incredibly complex, so managing the expectations of the insured is key to the success of any claim.
Businesses will look at sales reductions, customer retention, the likelihood of not being able to fulfill contracts, and the likelihood of losing contracts or opportunities as claimable losses under an insurance policy.
When assessing these losses, the adjuster/forensic accountant will seek historical information for a period of at least three years to track sales and any upward or downward trends in the business.
The bigger picture
Internal and external factors will also be taken into account, and as we emerge from the Covid-19 pandemic it will be necessary to determine whether Covid or other geopolitical factors have affected the business and contributed to any reduction in sales.
Another key factor in measuring these complex losses is carryover: was the customer or sale lost or is it just carried over? Will the customer return once the business is fully operational with a potential increase in sales in the months following the incident?
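The measurement described above (expected revenue less actual revenue over the indemnity period, less savings, with a credit for sales that were merely carried over) can be made concrete. The following is an added example, not part of the article and not McLarens’ own method: it fits a simple linear trend to three years of constructed monthly sales figures (in thousands, per month), projects expected revenue into the interruption and recovery periods, and nets off savings and carryover. A straight-line trend is an assumption made for illustration; a real assessment would also strip out Covid, geopolitical and other unrelated effects before attributing the remainder to the incident.

```python
# Added example (not from the article): trend-adjusted business interruption
# loss estimate for a cyber reputation claim. All figures are constructed.


def fit_trend(history):
    """Ordinary least squares line through monthly revenue.

    Returns (intercept, slope) so that expected revenue in month i of the
    history is intercept + slope * i.
    """
    n = len(history)
    xs = range(n)
    x_mean = sum(xs) / n
    y_mean = sum(history) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, history))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    slope = sxy / sxx
    return y_mean - slope * x_mean, slope


def project(history, months):
    """Expected revenue for the `months` months immediately following the history."""
    intercept, slope = fit_trend(history)
    n = len(history)
    return [intercept + slope * (n + k) for k in range(months)]


def interruption_loss(expected, actual, savings=0.0):
    """Revenue shortfall during the indemnity period, less costs saved by not trading."""
    shortfall = sum(e - a for e, a in zip(expected, actual))
    return shortfall - savings


def carryover_credit(expected_after, actual_after):
    """Revenue above trend after restoration: deferred sales that came back rather
    than sales that were lost. Only a surplus is credited, never a further deficit."""
    return max(0.0, sum(a - e for e, a in zip(expected_after, actual_after)))


def assess_claim(history, actual_interruption, actual_recovery, savings):
    """Combine the pieces into the figures an adjuster would discuss with the insured."""
    n_int, n_rec = len(actual_interruption), len(actual_recovery)
    expected = project(history, n_int + n_rec)
    exp_int, exp_rec = expected[:n_int], expected[n_int:]
    gross = interruption_loss(exp_int, actual_interruption, savings)
    credit = carryover_credit(exp_rec, actual_recovery)
    return {
        "expected_interruption": sum(exp_int),
        "gross_loss": gross,
        "carryover_credit": credit,
        "net_loss": gross - credit,
    }


# Constructed data: 36 months of steadily growing revenue, then a six-month
# indemnity period after an incident and a three-month recovery period.
HISTORY = [100 + 2 * m for m in range(36)]
ACTUAL_INTERRUPTION = [0, 40, 90, 130, 150, 160]   # systems down, then rebuilding
ACTUAL_RECOVERY = [200, 195, 190]                   # customers returning above trend
SAVINGS = 30                                        # costs not incurred while down

if __name__ == "__main__":
    for key, value in assess_claim(HISTORY, ACTUAL_INTERRUPTION, ACTUAL_RECOVERY, SAVINGS).items():
        print(f"{key}: {value:.1f}")
```

The split between gross loss and carryover credit is the point of the exercise: the insured sees the full shortfall, while the adjuster will ask how much of it was deferred rather than lost, which is why managing expectations early matters.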
Reputation damage and loss investigations will include extensive metrics and analysis of the business and the industry in which it operates.
Tracking industry trends, and even social media, can provide valuable evidence on whether losses are a direct result of the cyber incident or could be due to other unrelated external factors.
Ultimately, the business will need to prove that the losses it claims are solely due to the cyber event and that the reputational damage is directly related to the attack.
As with any insurance policy, there are various exclusions – for example: regulatory charges or fines; system or process upgrades; contractual penalties; legal fees or expenses arising from liability to third parties; losses before the waiting period under a policy; and losses after the expiration of the compensation period.
Prevention is better than cure
In addition to deploying measures to prevent an attack in the first place, it is necessary to have a business continuity plan in the unfortunate event that it does occur. This should include a public relations strategy outlining how the company will manage and minimize reputational damage.
Who in the company will release statements and handle customer and press inquiries after the incident? Who will review and monitor social media activity? Does the company have this expertise in-house, or is it best left to the experts?
Nigel Collins is Technical Lead – Cyber & Technology at global loss adjuster McLarens.