Recently introduced cyber insurance policies can help to recover some of these assets, although coverage is still a bit ambiguous. Policies typically cover a loss of revenue or the business’s profits and/or payments to cyber criminals, if applicable. They may also include other costs related to investigation, restoration and public relationship-building.
While it is positive to see policies adapt to the new environment, challenges remain. Recovery of lost revenue or profits is often limited to seven days, and up to three months in some cases. Any potential loss of revenue past the defined indemnity period could be excluded from the insurance proceeds (i.e., the victim companies are left responsible to cover the remaining loss).
For affected companies, the insurance coverage may not always be sufficient, and quantifying the cost to the organization outside of their coverage can be just as complex as an attack itself.
The victim business may know the source of the attack (e.g., a vendor company with poor cyber infrastructure) and therefore could seek damages for losses sustained outside any available insurance coverage.
An experienced business valuator can help decipher the areas of the business that were most impacted, including:
- Value of lost customer relationships: Relationships are built over time and include word-of-mouth and referral business. An organization that has experienced a cyberattack may see a reduction in these revenue sources if the magnitude of the business interruption is viewed to have a significant impact on its integrity (how the incident is handled) and the company’s ability to efficiently resolve the problem.
- Value of lost contract revenue: Beyond immediate revenue and income loss, a company can also be impacted by missing out on future contract opportunities that are not signed or are terminated as a result of the cyber incident.
- Value of lost intangible assets: A company could experience a devaluation of its trade name with the loss of names, marks and symbols that customers use to identify its products and services.
- Value of lost intellectual property: This includes trade secrets, copyrights, investment plans and other confidential and proprietary information that can result in a loss of competitive advantage, future revenues and profits, and negatively affect a company’s long-term viability.
With the chances of experiencing a cyberattack growing by the day, businesses need to have the appropriate tools and measures in place to monitor for threats and mitigate exposure. Every strategy should include post-attack preparation to optimize downtime and help the business recoup assets as quickly as possible to reduce value loss. Understanding the risks and what’s at stake to lose is of paramount importance in today’s business landscape.
For more information on cybersecurity risks and the potential impact on businesses, visit ey.com/en_ca/cybersecurity.
For more information on business valuations and quantification of financial losses, visit ey.com/en_ca/strategy-transactions/valuation-modeling-economics.