Executives are still struggling to quantify the potential threat from cybersecurity-induced business interruption, and few see themselves as potential targets for nation-state attacks designed for business interruption, a long-time military and consulting security expert has warned, as new research emerges suggesting that a data breach typically cuts a company’s share price by 5 percent.
The challenges of quantifying cybersecurity exposure come from the wide variability in potential business impacts and the broad range of attack types that can affect organisations. This makes it hard to proactively evaluate the potential risk of a cybersecurity breach – and that, former FBI cybersecurity specialist Reid Sawyer told CSO Australia, has historically made it too easy for executives to ignore.
“Cyber risk is amorphous in many ways,” said Sawyer, who now works as senior vice president of credit, political, and security risks with specialist insurance broker JLT Specialty. “What we’re not necessarily accounting for when we view it as a single risk is how it cascades across the rest of the organisation, and how that creates lost business opportunities.”
Much of his current consulting work is designed around “helping clients translate this to financial measures. Once you understand that, you can have a better conversation with the COO. It’s all about thinking of cyber risk in terms of earnings per share or stock price valuations and impact, then connecting that back with integration across the technical sphere.”
Executives looking for a way to translate cybersecurity breaches into financial measures have recently been given a few highly compelling data points. A recent Ponemon Institute-Centrify analysis of 113 global companies found that their share prices dropped by an average of 5 percent on the day a data breach was disclosed.
More worrying in the long term were figures suggesting that those companies lost as much as 7 percent of their customers after the breach – but that’s only the beginning. Fully one in three Australian consumers impacted by a data breach reported that they had discontinued their relationship with that organisation, Centrify noted.
As well as the potential loss of customers, the direct impact on a company’s share price – or the hit to a takeover price, as Yahoo learned after acquirer Verizon knocked off $US350m ($A440m) from Yahoo’s price after a massive data breach – is the kind of metric that board members can’t help but understand.
This month, credit-reporting giant Equifax saw its shares drop 13 percent on the day it announced a massive data breach involving data on 143 million customers, a breach that could take years and cost upwards of $US300m ($A377m) in gross costs to resolve.
Other major companies, such as Merck, FedEx, Maersk, and Cadbury parent company Mondelez, have warned of material impacts due to recent infections from the Petya malware worm – whose malicious design had many suspecting it was actually intended as a form of industrial sabotage.
Interrupting key industries is a tactic straight out of the nation-state playbook and may indicate an escalation in cyberwar strategies that many companies simply haven’t considered, Sawyer said.
“It is an absolutely underappreciated dimension of the threat vendors are facing today,” Sawyer said. “Nation-state actors are not only pursuing cyber as an asymmetric weapon, but also have as their goal the economic disruption of other states and disruption of their economic capacity, along with the more traditional nation-state activity of value extraction of the firms they’re targeting.”
Many CISOs were talking about nation-state attacks in broad terms “but at the C-suite it’s a different conversation to think about assets being targeted by foreign intelligence assets.”
Executives needed to look inward to head off such potential attacks by identifying and securing critical operational systems and information assets – which might include financial or utility infrastructure, databases of sensitive information, or systems supporting large-scale logistical or procurement processes.
“The biggest surprise is understanding this at a different level,” Sawyer explained, noting that boards must understand “how different risks converge in an organisation, and how cyber can present a strategic or material harm in different ways they haven’t thought of. In most organisations this process belongs to the CISO – but cyber risk really belongs to the COO and CFO.”