Dan Trueman, of Novae, takes an alphabetised look at reputational risk
Cyber security and cyber attacks are topics dominating the news and business agendas. Even before the WannaCry event, UK CEOs recently rated cyber risk as the second most significant business threat they face; 97% of those surveyed by PwC said their organisation is addressing cyber breaches affecting business information or critical systems. This has become an executive-level concern and while it is positive that organisations are taking cyber security seriously, reviewing their IT infrastructure and implementing improved cyber hygiene, they also need to consider the impact of a cyber attack from a reputational perspective.
Reputational harm is recognised as the most detrimental risk for businesses yet there are few established products to cover this risk. There are still some areas, such as first-party loss, that are not covered by many existing products. Yet first-party loss resulting from a cyber attack tends to be very high, including drop of share value and declining revenue, so as an industry we need to keep ensuring there is appropriate cover for this risk.
Examining recent hacks highlights the damage that can be caused. TalkTalk suffered a serious data breach in 2015, which led to a record fine of £400,000 from the Information Commissioner's Office, while its share price fell by a third and it lost 100,000 customers. In the US, Sony suffered a cybersecurity breach in 2014, which led to its share price falling by 10%, terabytes of sensitive data being posted on Pastebin, the unauthorised release of a film and its CEO Amy Pascal being fired. Lastly, one of the largest data breaches in history was suffered by Target in 2013, following which its share price fell 46%, its profit plunged in the following quarter and the CEO lost his job. What is often of most concern is that many of these large-scale exploits use known vulnerabilities and are not unfamiliar zero-day attacks.
NEGATIVE IMPACT
Reputation is one of the most valuable and vulnerable assets a business has because it impacts everything -- revenue, growth, success -- so taking adequate measures to protect it is of paramount importance. The total cost of reputational harm events largely depends on timely and efficient crisis management after the incident, so it is vital that businesses are prepared ahead of an incident occurring. Business leaders should take a proactive approach by implementing a culture of resilience throughout the organisation, testing response plans to ensure they are fit for purpose, and reviewing insurance and risk transfer solutions.
As an industry, we should also be considering how we can best respond to this growing risk. We need to create products that meet clients' requirements in this fast-moving cyber landscape, products that protect their assets, both tangible and intangible. Cyber is only one of the potential triggers for reputational harm so it might be feasible to provide more comprehensive products that cover broader triggers such as product recall. This is the time for us to collaborate as an industry; we need to innovate and demonstrate the entrepreneurial ability of the market we operate in to ensure we provide cover that clients truly need.
KNOWING YOUR A-Z
A -- attacks
B -- breaches
C -- crisis management
D -- data
E -- executive-level
F -- first-party
G -- growing
H -- hygiene
I -- implementing
J -- job
K -- keep
L -- landscape
M -- market
N -- need
O -- office
P -- product
Q -- quarter
R reputation
S -- share
T -- threat
U -- unauthorised
V -- valuable
W -- WannaCry
X -- eXamining
Y -- cYber
A -- zero-day
Dan Trueman is chief innovation officer and head of cyber at Novae