Financial consequences of cyber crime

Cyber crime continues to be a hot topic, and it now seems almost inevitable that all businesses will be the victim of a cyber attack at some point.

According to SC Media UK, a leading source of information for cyber security professionals, UK businesses experienced a cyber attack every 50 seconds in the second quarter of 2019.

With the enforcement of the GDPR requirements, being a victim of a cyber attack could be costly. It has recently been announced that British Airways is facing a proposed fine of £183m to be imposed by the Information Commissioner’s Office (ICO) following a data breach in which hackers stole the details of half a million customers. The ICO criticised BA for having poor security arrangements. Further, it appears that the ICO have been busy handing out fines, with the Marriott hotel group also facing a fine of £99.2m for failing to undertake sufficient due diligence when the group acquired the Starwood hotels group, which ended up being the ‘unlocked back door’ for the hackers to steal customers’ data.

Assuming your business is somewhat smaller than BA or Marriott, you may be reading this and thinking “so what?”. Cyber criminals are out for the big bucks and high publicity – they won’t be interested in anyone other than the largest public companies. Right?

Wrong. Cyber criminals aren’t daft. They pick the line of least resistance, frequently using smaller suppliers to enter the systems of high-profile targets.

But cyber crime is only relevant to companies involved in online retailing, isn’t it?

Wrong again. The $150 million cyber attack on US retailer Target arose when criminals accessed Target’s IT infrastructure through the inadequate systems of one of its facilities suppliers. That was almost six years ago, but the soft targets represented by small suppliers to large corporates remain an easy way in for cyber criminals.

Blue chip customers are becoming increasingly concerned about the cyber security their suppliers have in place. Some require suppliers to confirm they have adequate measures in place in order to retain contracts. Even if you still think it’s not relevant to your business, it is well worthwhile considering how to minimise cyber risk, if only to maximise the chances of keeping your best customer.

If (or should I say when) you are the victim of a cyber attack, it is important to limit the damage that’s done. The obvious damage is reputational – always difficult to quantify – but inevitably resulting in lost sales and ultimately lost profits.

But that’s not all. Following a cyber attack it is quite possible that you may have losses relating to:

  • Incident costs – the cost of consultants to shore up your systems, public relations to try to protect your brand and notifying customers if there has been an incident involving their data.
  • Lost profit on lost sales – sales could be affected for months after the event, not just while your systems are compromised.
  • Drop in profit margins – it may be necessary to drop prices in order to retain customers.
  • Cost of writing off unsold stock – if your products are seasonal and cyber criminals come calling at a bad time this could be a significant cost.
  • Third party claims – your corporate customer claiming their losses from you or claims direct from your own individual customers.
  • Fines – breaches of the GDPR currently carry fines of up to the higher of €10m or 2% of a company’s annual global turnover.
  • Finance costs – additional funding may be required in the aftermath of cyber crime (either to fund extra costs or boost working capital in the event of declining sales).
  • Wasted management time – rarely something that can be readily quantified but the impact of senior management firefighting and taking their eyes off the ball can be long lasting.

Some or all of these losses may be covered by cyber insurance but many small (and some large) businesses do not have any cyber cover. Cyber insurance is an emerging area and the risks that it will cover are by no means standard or guaranteed.

As always, prevention is better than cure; see our blog on preventing cyber crime.

For more information

For more information please contact Jessie King, or call us on:

01483 416232