Risk Management and the Value of Cybersecurity

NIS2 and DORA are generally both seen as bureaucratic obstacles.

However, for many larger corporations, and certainly for financial institutions such as banks, investment groups or crypto companies, the requirements in NIS2 and DORA are simply the least you should do to protect your assets.

Your running systems are a necessity for doing business; that is, unless your specific tech stack is so modern that it gives you a strategic advantage, in which case you should protect them even more.

In any Risk Management Strategy the value of cybersecurity should be estimated. This value can be attributed to the saved costs of a cyber attack or the avoidance of revenue loss. In the more uncertain areas, the competitive value of being better prepared than the competition might also be estimated.

To make a strategy and plan for Risk Management you will need to follow these 6 generic steps. You can add to the steps; however, you will at least need to consider each of these:

  1. Risk identification
  2. Risk analysis or assessment
  3. Controls implementation
  4. Resource and budget allocation
  5. Risk mitigation
  6. Risk monitoring, reviewing, and reporting


Here the assessment of the risk will likely be quantified in costs or lost revenue, so both steps 2 and 4 will need input from the topics discussed below.


Cybersecurity has a value and is not just a cost?

It has always been hard to establish a business case for security, and the same goes for cybersecurity. How can one define the value of security, and thereby quantify what constitutes a reasonable investment in this area? It is hard to argue for what is essentially a cost center.

The business case for cybersecurity will naturally be focused on the cost of a breach, and on the value that is thus protected in vital systems and data.

However, there might also be some value in cybersecurity beyond avoided costs, i.e. perhaps a revenue-increasing effect.

Still, the cost perspective will centre on areas such as:

  1. Restoration and recovery of systems and data
  2. Loss of revenue
  3. Loss of operational efficiency
  4. Branding and image
  5. Fines & authority attention

The majority lies in the avoidance of loss, i.e. in effect a reduction of costs.

However, there is a competitive effect in branding and image. Not only will you avoid the costs of damage from a negative image, you may also gain a branding effect from having a good cybersecurity posture, i.e. from taking diligent care of both your customers and your partners in the supply chain.

The implementation of, for example, DORA will demand that you go through the operating environment methodically. This may also provide the basis for optimization of systems and procedures, which will at least secure a more stable operation and might even constitute a real improvement.

Elements in any business case should either reduce costs or increase the top line.

Here there are multiple direct as well as indirect effects.

A major indirect effect in cybersecurity will naturally be a reduction of the number of incidents.

Any larger organization will face many cyber attacks, some breaching further than others.

A real reduction in the number of attacks will naturally reduce both the severity of harmful breaches and the number of them.

This then leads to avoided costs, i.e. a reduction of the costs.

The 5 elements listed above will be detailed in the following.



Restoration and recovery

IT has become more and more important for running a business, and in many businesses today IT is a cornerstone of their strategic advantage. That is, the business will use IT to provide uniqueness compared to the competition, or to fit the value proposition more closely to a specific market segment.

This creates a dependence, which makes most businesses even more vulnerable to cyber attacks. The costs and damages from such attacks are consequently also ever rising.

One of the most costly consequences of a cyber attack is often the need for restoration of data and systems.

The costs of recovering data and restoring a running set of systems will depend on a series of factors.

Some of these are:

The extent of the attack

The costs will be directly correlated to the size and complexity of the attack, i.e. how much of the organization, data and systems are affected. This will influence both costs for hardware and software.

Type of software and hardware

For software, the costs will normally only come through the consultancy and internal time used to restore systems; however, the costs of downtime will be directly proportional to the extent of the attack.

Costs for replacing or reconfiguring hardware such as servers, network equipment, laptops and other equipment will also be directly related to the extent of the breach.

Which kind of data is affected?

What are the costs associated with restoring the data, and can all data be recovered? Some data are a necessity for continuing operation; others are needed for serving customers properly, such as old orders or invoices, which may not be a necessity for continued operation but are an expected part of the full offering.

The loss of data will come at a cost, and it might also damage the reputation of the business if the data cannot be restored and daily operations cannot continue. There will also likely be costs associated with the downtime during the time needed to recover the data. This will not only be manpower or external consultancy, but also loss of customers, branding etc., which will be discussed below.

So to summarize, the costs are:

  1. Cost to reestablish operation on equipment or software, damaged as well as locked.
  2. Costs and time used for restoring damaged or locked hardware and software.
  3. Costs and time spent on recovering data.



Loss of revenue

All businesses of a certain size depend on IT for business transactions with their customers. If your IT systems are not in operation no sales can be conducted, as both the recording of the sales transaction and the payment depend on the IT systems.

Therefore a pervasive cyber attack will damage the revenue of the business. The longer the systems are down, the greater the damage to revenue.

Not only will customers buy elsewhere from the time of the attack until the systems are restored; there might also be a loss of customers altogether, as they do not know when the business will be back up again and find other sources for their repeat business.

The loss of revenue is therefore influenced by:

  1. The duration of the attack until restoration.
  2. The time it takes until all customers have returned; if they return.
  3. The number of customers affected by the breach, and the number of customers fully lost, which will not return.
  4. The costs from the attackers' use of your systems, customers and data to cannibalize your market; perhaps they sell data to your competitors, or enable other corporations to enter the market.

These are costs associated with any kind of downtime, such as electricity being down for long periods of time or ISPs being down, which is also what NIS2 and DORA aim to prevent, i.e. to secure any business from the breakdowns caused by cyber attacks on critical infrastructure.

To summarize, the costs are:

  • Loss of revenue due to downtime of operations.
  • Loss of revenue from strategic information being compromised or data breached, i.e. competitors getting at the critical knowhow or information.
  • Loss of optimization and progress, as all time for innovation is halted until the business is back from the attack.



Loss of efficiency of operation and innovation

In any business a continuous effort is exerted towards optimizing processes, resources and costs in order to maximize profitability. In addition, a vast amount of time is spent devising new ways of doing business, optimizing production, generating new products etc., or simply testing out new ideas in these areas.

All this work is halted when a cyber attack hits.

Interruption of systems and processes

Any cyber attack will lead to either downtime or at least a vast amount of time spent in IT to prevent contamination. Any impact on critical systems will draw attention and manpower away from optimization and innovation and into securing the running of the core business; and that goes for the whole organization, not only the IT department.

Data

Cyber attacks will lead to the loss of or damage to data, which will have an impact on the efficient running of the business; this could also potentially stall innovation and optimization through lost experience and having to build new data in order to continue.

This will lead to increased costs from not optimizing processes, products, and manpower, and in addition to losses or costs due to non-optimal decisions, as the data for management to base decisions upon has been lost.

Lastly, the prolonged implementation of new or improved products will also come with a loss of revenue and perhaps a sustained loss of competitiveness.



Branding

When a cyber attack hits it can lead to severe damage to the reputation of the company, and in effect it can lead to loss of customer trust and loyalty.

It is evident that a cyber attack that has exposed customers' personal information will lead to hesitation about continuing to do business with the company, and churned customers are thus a real risk.

In addition, as most cyber attacks are spread through the supply chain, the company's suppliers could also be reluctant to do business with the company in the future.

If the attack leads to severe damage that causes churn of customers and suppliers, then it becomes a story for the media.

Negative branding from public scrutiny by the media into a cyber attack can lead to damage to the brand value of the company, and this can have severe consequences.

Damage to the brand can lead to loss of revenue from loss of market share, distrust from investors, decrease in share value, and difficulty in recruiting the right people.

These are all costs that are hard to measure, but which have a real impact on the business.



Fines and authority attention

In addition to the direct costs of restoring the operation to business as usual, there are a lot of associated costs of complying with regulations. Under both NIS2 and DORA you need to report to the authorities, and you need to do so many times. You have to explain what has happened, how it could happen, what has been done, and what corrective measures have been taken so that it does not happen again.

  • Fines from not complying with regulations

GDPR, NIS2, DORA, and other regulations can result in severe fines. GDPR can lead to a fine of up to 4% of annual turnover or 20 million Euro, and NIS2, for example, states 2% of global turnover. Moreover, a company can be sanctioned under these regulations on top of each other, i.e. having to pay a fine both for violations of GDPR and for violations of DORA. This is topped with personal liability for management under NIS2 and DORA, and the additional sanction of being barred from holding management positions in the future.


  • Fraud and other criminal use of data

If the data breached in the cyber attack is used for fraud, identity theft or other activities causing damage to customers or suppliers, then the company can be held liable by the authorities and may need to pay restitution.


  • Legal actions from customers and suppliers

Even if the authorities do not hold the company liable for third-party damages, customers and suppliers can still take legal action and win the right to compensation for their losses.


Costs associated with these elements might be severe; however, the cost to the brand and reputation of the company may be even worse. Getting a fine, having the management barred from management positions or having a lawsuit run against the company will all be costly, but the negative publicity can become life-threatening for any corporation. And under NIS2 and DORA the authorities have the power to make such sanctions for non-compliance public, and also to force the company itself to make them public.



Summary

Cybersecurity is no longer just a technical issue; it is critical for the business. Hackers see huge potential in breaching security and gaining the value in the business or the reward from ransom.

Therefore attempts at breaching the cybersecurity of any company are not infrequent; they happen every day.

Thus cybersecurity can no longer be seen just as a cost; it is a vital element in the running of the business. Cybersecurity needs to be dealt with at a strategic level, so that costs from revenue loss, downtime, lost efficiency, reputation etc. can be avoided, and a safe and stable operation can be achieved.

Having better cybersecurity resilience than your competitors is in effect a competitive advantage, and the value of this increases every year.

All these elements described above should be estimated in rough order of magnitude in any Risk Management Strategy in relation to DORA or NIS2.


If you want to learn more visit:

https://quantumcyberanalytics.com/
