5 minute read 9 Sep. 2020

Quantifying the growing risk of a cyber attack

By EY Canada

Multidisciplinary professional services organization

Resources

  • CPA Cybersecurity disclosure report - May 2020 (PDF)

Anticipating the risks, long-term impact and how to quantify losses from a cyberattack is critical to reduce downtime and value loss.

Co-authored by:
Reena Devarajan, Manager, Valuation, Modelling & Economics
Ivy Tse, Vice President, Valuation, Modelling & Economics

Cyberattacks continue to increase in frequency, sophistication and complexity, affecting businesses of all sizes. As workforces move or remain online, the exposure to threats increases exponentially. In fact, two-thirds of Canadian security leaders indicated in the EY 2020 Global Information Security Survey that they have seen an increase in destructive attacks over the last 12 months. These attacks pose a significant threat to the Canadian economy — there are predictions that cyberattacks will cost nearly US$5.2 trillion globally over the next five years.1

While large organizations are often the ones at the centre of notable media discussions, the threat to small and medium-sized businesses is growing rapidly, with this group now representing over 40% of all cyberattacks.1

The following chart published by the Bank of Canada represents cyberattacks in North America by sector and type of threat. It’s evident that different sectors are equally vulnerable to cyber threats. Knowing what to look for and how to prepare, respond and repair is vital to maintain long-term value in today’s business landscape.

Chart 1: Share of total incidents by sector

Source: https://www.bankofcanada.ca/2019/12/staff-analytical-note-2019-32

It’s not difficult to predict a hacker’s ultimate goal — to extract something of value or cause serious harm to an organization for the benefit of another. For businesses, cyberattacks can have a serious financial impact. This can include the loss of tangible and intangible assets, such as trade secrets or other intellectual property, which can create significant reputational damage and disrupt a company’s operations.

Given that a cyber breach can occur through a growing number of sources, it is becoming increasingly difficult for organizations to predict or anticipate when and how a cyberattacker will cause harm. This growing complexity means that businesses often cannot quantify the financial losses associated with the information that has been compromised during an attack.

Understanding the types of assets that could be affected and the long-term consequences of cyberattacks (and how to quantify the losses) is of paramount importance.

The following are a few of the types of assets that could be at risk of loss:

| Asset | Examples | Impact |
| --- | --- | --- |
| Intellectual property | Trade secrets; research and development | The hacker could sell such information to competitors who can benefit by going into the market with a similar or improved product or service. |
| Monetary | Electronic money and transfers being redirected from the intended recipient | This can result in direct financial loss. |
| Employee and personnel records | Names; Social Insurance numbers; contact information | Access to such records can grant authorization to the organization’s bank accounts and credit card data, and draw on the business’s credit and sensitive data, which could result in a risk of losing key employees. |
| Customer data | Customer names and contact information; transaction habits; terms of contractual arrangements | In the hands of competitors, this information can lead to a detrimental loss of competitive advantage. Compromised customer data and privacy may cost a company its reputation and expensive litigation. |
| Operational data | Suppliers and economies of scale; financial forecasts; historical financial information | Information on an organization’s operations, including suppliers of goods and services, economies of scale, operational strategies, budgets, forecasts and historical financial information are all proprietary data that are key to a company’s long-term success. |
| Reputation and brand image | Customer confidence; brand image integrity | Depending on the magnitude of the damage and the time required to repair trust, customers and other stakeholders may lose their confidence in the organization’s integrity and viability. The consequences could lead to a loss of future revenue or profits and affect the company’s prospective value. |
| Other costs to a company | Loss of future lenders’ confidence | Breaches could increase costs of raising future debt, and financial lenders consider a company to be riskier if it has fallen victim to cyberattacks. |

Recently introduced cyber insurance policies can help to recover some of these assets, although coverage is still a bit ambiguous. Policies typically cover a loss of revenue or the business’s profits and/or payments to cyber criminals, if applicable. They may also include other costs related to investigation, restoration and public relationship-building.

While it is positive to see policies adapt to the new environment, challenges remain. Recovery of lost revenue or profits is often limited to seven days, and up to three months in some cases. Any potential loss of revenue past the defined indemnity period could be excluded from the insurance proceeds (i.e., the victim companies are left responsible to cover the remaining loss). 

For affected companies, the insurance coverage may not always be sufficient, and quantifying the cost to the organization outside of their coverage can be just as complex as an attack itself.

The victim business may know the source of the attack (e.g., a vendor company with poor cyber infrastructure) and therefore could seek damages for losses sustained outside any available insurance coverage.

An experienced business valuator can help decipher the areas of the business that were most impacted, including:

  • Value of lost customer relationships: Relationships are built over time and include word-of-mouth and referral business. An organization that has experienced a cyberattack may see a reduction in these revenue sources if the magnitude of the business interruption is viewed to have a significant impact on its integrity (how the incident is handled) and the company’s ability to efficiently resolve the problem.
  • Value of lost contract revenue: Beyond immediate revenue and income loss, a company can also be impacted by missing out on future contract opportunities that are not signed or are terminated as a result of the cyber incident. 
  • Value of lost intangible assets: A company could experience a devaluation of its trade name with the loss of names, marks and symbols that customers use to identify its products and services.
  • Value of lost intellectual property: This includes trade secrets, copyrights, investment plans and other confidential and proprietary information that can result in a loss of competitive advantage, future revenues and profits, and negatively affect a company’s long-term viability.

With the chances of experiencing a cyberattack growing by the day, businesses need to have the appropriate tools and measures in place to monitor for threats and mitigate exposure. Every strategy should include post-attack preparation to minimize downtime and help the business recoup assets as quickly as possible to reduce value loss. Understanding the risks and what is at stake is of paramount importance in today’s business landscape.

For more information on cybersecurity risks and the potential impact on businesses, visit ey.com/en_ca/cybersecurity.

For more information on business valuations and quantification of financial losses, visit ey.com/en_ca/strategy-transactions/valuation-modeling-economics.

How EY can help

Cybersecurity, strategy, risk, compliance and resilience
EY Cybersecurity, strategy, risk, compliance and resilience teams can provide organizations with a clear picture of their current cyber risk posture and capabilities, giving them an informed view of how, where and why to invest in managing their cyber risks.

Summary

The growing complexity of cyberattacks makes it challenging for businesses to quantify the potential financial loss associated with the information and assets that could be compromised. Understanding the risks to your organization, the type of assets that could be affected and the long-term consequences is paramount to minimize downtime and reduce value loss in the face of a threat.
