The Cost of a Data Breach
Risk analysis involves developing an understanding of the risk and provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Unfortunately, many risk officers do not understand how the losses from a data breach scale. The BBC wrote, in an article about the Equinix breach, that the breach has hidden costs that no one has come close to quantifying so far, and there is a reason for that.
Calculating the total loss from a data breach is not easy, especially in industries where ICT is a driver of, or the core of, the business. So many things are connected to ICT that a cyber incident does not damage only one part of the system; it also has implications for the wider whole. Some of those are not physical: the company’s reputation, brand value, public trust, the cost of lost time, and the psychological stress on members of the organization.
So, how do we calculate the cost of a data breach? First of all, you must understand your business and how dependent it is on its ICT systems.
ICT is positioned differently in different organizations and industries: as a supporter, an enabler, a driver, or a transformer. ICT as a business supporter means it supports the organization’s operations so that they are faster, more accurate, and easier to handle, which ultimately increases operational efficiency. ICT as a business enabler is a level higher: it becomes the solution to business problems, and the organization depends on it more. ICT as a business driver requires the organization to be a pioneer in technological development and to make the best use of that mastery to win the competition. ICT as a business transformer, finally, is when it is used to change the business and organizational model into something unique and unmatched by competitors. The higher the level of dependency, the higher the risk from a data breach.
How do we know the level of ICT dependency of our business?
Some industries are easier to assess, especially where strict regulations already govern ICT risk management, but some are not. Management must examine its business model and business processes to find out. If several applications act as decision-support systems that manage large volumes of information from various data sources and could not possibly be operated manually, or critical applications whose termination would eliminate substantial revenue, or applications that handle personal data with a high risk of large fines if we fail to protect it, then ICT is placed as a business enabler or even a business driver. And if your security budget is still below 10% of the total ICT budget, management (probably) still does not understand the risk of a data breach.
Thus, how do we calculate the cost of a data breach? We must understand that there are direct costs and indirect costs, and sometimes we must also consider societal costs when an incident becomes severe.
Direct costs are the easier ones to determine. They can be divided into several parts: direct damage to equipment and systems, legal costs, direct losses, potential losses, operational losses, opportunity losses, and crisis management costs.
Costs incurred from damage to devices are calculated from two major components: the cost of replacing the device or system, and the additional man-days needed to carry out procurement, re-installation, and operation until the system runs as before. An example is the Stuxnet attack on Iran’s Natanz uranium-enrichment facility, which physically destroyed centrifuges, led to unusually high repair and replacement costs, and set the program back by months or even years.
Meanwhile, if the device is not destroyed, it must still be repaired to restore its function, which also incurs costs outside the budget: internal man-days and consultants to improve the security system. A website defacement, for example, does not damage the system much, but it becomes an expensive lesson for security officers in managing vulnerabilities, updating, and patching all systems.
Legal costs are immediately visible, especially where rules and regulations are already established. In Indonesia, for example, cybersecurity and personal data protection are not yet covered by a law under which violations carry a substantial risk of fines; violations of the ITE Law are criminal offences punishable by imprisonment. Other legal risks are claims from customers and/or third parties for losses suffered. The most famous example is the Cambridge Analytica case, which resulted in Facebook being fined USD 5 billion by the US FTC, the largest privacy penalty in the agency’s history.
Direct losses occur when money is stolen, as in the case of a bank. Generally, a theft that is not the customer’s fault is the bank’s responsibility to reimburse. Another case is the ransom that must be paid in a ransomware attack. In this year alone there have been almost 100 ransomware attacks on municipalities in the US that cost cities more than USD 1 million, because they had no backup or because restoring the system would have been more expensive than paying the ransom.
Potential loss cannot be calculated directly because it depends on the potential value of the stolen data. If company data is stolen, the loss is calculated from the value of that data; if it is trade-confidential data, the value will of course be very significant because it is the key to winning the competition. If customer data is stolen, the value depends on the data type. Losing credit card information, private data, or social security numbers is a huge problem, especially for US or EU customers.
Operational losses occur when operations stop but costs keep running. A cyber-attack that takes an online trading site offline, for example, stops its revenue stream, while bandwidth costs, equipment and workplace leases, network leases, data center leases, and employee costs are all still there. In extreme cases, victims are forced to reduce operational losses by temporarily laying off some employees, because the cost of dismissal is often higher.
Opportunity loss arises where the routine income per unit of time is known. Stopping the operation of a stock market, for example, is damaging because there is a transaction every second. However, we cannot calculate the exact loss, because it is never known for certain whether trading that day would have been higher or lower than before.
Another form of loss that is often missed is the cost of communication, public relations, and media work to overcome the crisis and restore reputation. The value of these activities is often not recorded and is absorbed by the public relations budget, even though the cost was not in their budget plan. This extra cost is higher still if the victim has a high reputation. For example, the costs incurred by the biggest cellular provider in Indonesia to fix the technical problems from a defacement attack were probably very small compared to the costs incurred by its public relations team to restore its reputation.
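The direct-cost components listed above can be put into a small model. The following is an added example written for this page, not a calculator from the author or from any standard; the component names follow the breakdown in the text, the opportunity loss is kept as a low/high range because the exact figure is never known, and the `ransom_decision` helper compares paying a ransom with restoring from backup, the trade-off described for the US municipalities. Every monetary figure and the man-day rate are constructed sample inputs.

```python
"""Breach direct-cost model (added example, not from the original article).
All figures in the sample run are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class BreachCostInputs:
    # Direct damage: replacement/repair plus the man-days to rebuild and re-run.
    replacement_cost: float = 0.0
    recovery_man_days: float = 0.0
    man_day_rate: float = 0.0
    # Legal: regulatory fines and customer / third-party claims.
    fines: float = 0.0
    claims: float = 0.0
    # Direct losses: stolen money reimbursed, or a ransom actually paid.
    stolen_funds_reimbursed: float = 0.0
    ransom_paid: float = 0.0
    # Potential loss: estimated value of the stolen data itself.
    stolen_data_value: float = 0.0
    # Operational loss: fixed costs that keep running while operations are down.
    downtime_hours: float = 0.0
    fixed_cost_per_hour: float = 0.0
    # Opportunity loss: routine income per hour, as a low/high range because
    # the real trading volume of the lost period is never known for certain.
    income_per_hour_low: float = 0.0
    income_per_hour_high: float = 0.0
    # Crisis management: PR, communication and media costs outside the plan.
    crisis_management: float = 0.0


def direct_cost_breakdown(i: BreachCostInputs) -> dict:
    """Return each direct-cost component; opportunity loss is a (low, high) tuple."""
    return {
        "direct_damage": i.replacement_cost + i.recovery_man_days * i.man_day_rate,
        "legal": i.fines + i.claims,
        "direct_losses": i.stolen_funds_reimbursed + i.ransom_paid,
        "potential_loss": i.stolen_data_value,
        "operational_loss": i.downtime_hours * i.fixed_cost_per_hour,
        "opportunity_loss": (
            i.downtime_hours * i.income_per_hour_low,
            i.downtime_hours * i.income_per_hour_high,
        ),
        "crisis_management": i.crisis_management,
    }


def total_direct_cost(i: BreachCostInputs) -> tuple:
    """Total as a (low, high) range so the opportunity-loss uncertainty survives."""
    b = direct_cost_breakdown(i)
    fixed = sum(v for k, v in b.items() if k != "opportunity_loss")
    lo, hi = b["opportunity_loss"]
    return fixed + lo, fixed + hi


def ransom_decision(ransom: float, restore_hours: float, restore_man_days: float,
                    man_day_rate: float, fixed_cost_per_hour: float,
                    income_per_hour: float, backup_usable: bool) -> dict:
    """Compare paying a ransom against restoring from backup.

    Restoring costs the man-days plus the operational and opportunity losses
    for the extra hours of downtime. With no usable backup the comparison is
    moot, which is the situation the text describes for many US cities.
    Caveat: paying never guarantees decryption; this compares the numbers only.
    """
    if not backup_usable:
        return {"restore_cost": None, "ransom": ransom, "cheaper": "no_backup"}
    restore_cost = (restore_man_days * man_day_rate
                    + restore_hours * (fixed_cost_per_hour + income_per_hour))
    return {
        "restore_cost": restore_cost,
        "ransom": ransom,
        "cheaper": "restore" if restore_cost <= ransom else "ransom",
    }


if __name__ == "__main__":
    # Constructed sample: an online shop offline for 48 hours after a breach.
    sample = BreachCostInputs(
        replacement_cost=50_000, recovery_man_days=40, man_day_rate=500,
        fines=100_000, claims=25_000, stolen_data_value=200_000,
        downtime_hours=48, fixed_cost_per_hour=2_000,
        income_per_hour_low=8_000, income_per_hour_high=12_000,
        crisis_management=150_000,
    )
    for name, value in direct_cost_breakdown(sample).items():
        print(f"{name:>18}: {value}")
    print("total (low, high):", total_direct_cost(sample))
    print(ransom_decision(ransom=300_000, restore_hours=72, restore_man_days=30,
                          man_day_rate=500, fixed_cost_per_hour=2_000,
                          income_per_hour=10_000, backup_usable=True))
```

Keeping the total as a range rather than a single number is deliberate: a single figure hides the fact that the opportunity-loss term is an estimate, and the range is what a risk officer should carry into the risk evaluation. The indirect and societal costs discussed next are not in the model because, as the text says, they cannot be put into a formula in this way.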
Indirect and Society Cost
These costs are more difficult to determine, but everybody in the organization will still feel them long after the incident. Loss of public trust can show up immediately in the stock price. The regulator will keep some sort of ‘alarm’ about the incident, remembering it in meetings even after a long period of time. The incident will raise risk awareness among potential customers and key partners, who become concerned about their data. All of this makes it harder for every member of the organization to regain and share confidence after the incident; more than that, the security budget must be raised to cope with the effects, and the unplanned spending may inhibit the growth strategy.
Academic research has introduced a calculation of the spill-over loss of a data breach. It turns out that related industries suffer a greater total loss than the victims themselves. The researchers found that non-breached peers experience significant negative equity returns around the announcement of a data breach in their industry, together with a material increase in audit fees in the year of the breach. They also documented significantly negative equity returns for insurers with material cybersecurity exposure.
This is understandable, as a data breach is seen as a shameful thing that must, as far as possible, be handled before everybody knows. However, that is not a responsible thing to do. All data protection regulations (especially data privacy regulations) require the organization to inform regulators, law enforcement, and data owners about the breach, to minimize abuse of the stolen data and so that others can learn from it. The cost, loss, and burden borne by the industry are risks that must be mitigated.
What if the attack is more than data theft? What if it aims to destroy the operational capability of critical infrastructure? There will be a catastrophe if electricity is down for hours, telecommunications are jammed, fuel stops flowing, and food and medicine supplies run low. It is the highest level of risk imaginable, and risk officers must think far ahead to plan for and mitigate cyber risk.
The Indonesian Agency of Cyber and Crypto has already put the occupation of Cyber Risk Analyst on its Cybersecurity Occupation Map and specified the competencies for it. The occupation level is quite high, just below CISO, to reflect its strategic role as a bridge between technology, management, business, and operations and to ensure that business continuity management is in the right place. In the era of the digital world lie uncertainty and risk to manage; therefore, a better mitigation plan is needed.
About the author:
Ir. Satriyo Wibowo, MBA, M.H., IPM, CERG, CCISO is secretary of the Indonesia Cyber Security Forum and acts as a risk management and cybersecurity advisor to various government and business organizations. His multi-disciplinary academic background in engineering, business administration, and law, with professional certifications in engineering, risk, and security governance, helps him understand a broad range of industries, especially the ICT, internet, and electricity sectors. Recently, he was invited by the US Government via the International Visitor Leadership Program to discuss cybersecurity policy development and implementation with representatives of 27 institutions in 13 cities across 7 States.