What is the cost of a cyberattack?
A cyberattack is above all a financial risk: it can cause enormous financial damage to a company. According to the insurer Hiscox's annual study on cyberattack risks, the median cost of an attack in France was €15,300 in 2021, up 29% compared to 2020. Several factors explain this relatively high amount.
The financial impact points of a cyberattack for a company
Deloitte experts have tried to measure the real cost of a cyberattack. They identified 14 financial impacts, divided into two groups: on the one hand, the tip of the iceberg, which consists of direct costs; on the other, the submerged zone, which is less quantifiable and little known to the public.
The costs of the “emerged area” cover:
- technical investigations;
- notification to customers of the intrusion;
- regulatory compliance;
- lawyer’s fees, legal costs;
- securing post-incident customer data;
- public relations;
- updating and improving security measures.
The costs of the “submerged zone”, less visible, but more lasting, include:
- the increase in insurance premiums;
- the increase in the cost of debt;
- the consequences of the disruption or interruption of activities;
- the drop in turnover linked to the loss of customer contracts;
- the depreciation of the company’s brand value;
- loss of intellectual property;
- loss of customer confidence.
Ransomware, the most lucrative scam for fraudsters
The Hiscox report emphasizes ransomware attacks. According to the study, 19% of French companies suffered a ransom demand in 2021 (+5 points compared to 2020). Two-thirds of them (62%) chose to pay the criminals, for fear of permanently losing their computer data.
Paying seems safe in the eyes of companies, but it turns out to be a trap. Not only do fraudsters not always return the data in exchange, but the payment also encourages them to continue. As a result, the company risks suffering a second cyberattack with a steep increase in the amount of the ransom. Today, ransom demands can reach millions of euros for large companies.
Financial consequences of a cyberattack: financial losses linked to the company’s activity
The most significant costs are the losses tied to the company's activity. Recovering from a cyberattack takes time, whether it is ransomware, data theft or a distributed denial of service (DDoS) attack.
A cyberattack damages data but can also, in the worst case, force a shutdown of all company projects. The longer the attack lasts, the greater the financial loss. In recent years, cases of considerable lost turnover have multiplied. In 2017, the French group Saint-Gobain announced more than 250 million euros in damage due to a cyberattack perpetrated against a Ukrainian subsidiary.
An effective computer attack completely paralyzes the activities of a company. The amount of damages is difficult to quantify. Downtime interrupts production and lengthens delivery times. Internet sales may be temporarily put on hold. Added to this are potential missed business opportunities. Finally, lost data can generate additional working hours, and therefore costs, for the staff and the company in order to return to normal activity.
Cost of a cyberattack: repair and protection costs
In addition to the financial losses from disrupted activity, the company may incur expenses to repair and restore the computer system. If the entire company network is affected, the amount can skyrocket.
Scanning the system to determine the type of hack, the part of the network infected, and the extent of compromised data takes valuable time and involves significant expense. Then there are the restoration costs and an investment to better protect the company’s computer system. Sometimes, the purchase of new equipment will be necessary.
The legal consequences of cybercrime
Since May 25, 2018, a company must comply with the General Data Protection Regulation (GDPR). If it has not secured its data, for example with the help of a cybersecurity expert, a company can be held legally liable. The GDPR has also extended the responsibilities of the company to its subcontractors. In concrete terms, a company can be held liable if one of its subcontractors neglects the security of its customer data.
In the event of a data leak, the company is obliged to report it within 72 hours to the Data Protection Authority. In France, the responsible body is the CNIL.
Failure to comply with this European law or a leak of customer data exposes the company to heavy penalties. These can reach 4% of annual turnover. For its part, the criminal court can sentence the entrepreneur to 5 years’ imprisonment and the company to a fine of 300,000 euros.
In addition, customers and suppliers can also demand compensation for non-compliance with the contract. Indeed, data security is the least a company owes its customers. All these legal sanctions are added to the loss of earnings linked to the slowdown in activity.
One in five businesses that suffered an attack said their solvency had been at risk, a 24% increase from 2021 (Hiscox report on cyber risk management).
What are the consequences of a cyberattack on the image and reputation of the company?
Data theft does not only affect the company that is the victim of the cyberattack. The operation aims to steal sensitive information such as bank details. Some hackers use the company’s website or server to distribute malware (malicious software) to customers. These maneuvers permanently tarnish the reputation of the company: it risks losing part of its clientele to the competition, then suffering for a few years from a lack of competitiveness.
The most striking example comes from the United Kingdom, with the telephone operator TalkTalk. In 2015, the company admitted, for the third time, to being the victim of data theft affecting 150,000 of its subscribers. Moreover, the attack was perpetrated by teenage computer enthusiasts, who described how easily they had bypassed the security system put in place by the company. Accused of laxity, TalkTalk lost 7% of its customers, or about 300,000 people who canceled their subscription to switch to the competition.
In addition, business partners may fear having a scandal associated with their name. As a result, some might break their contracts and turn to the competition. Finally, a cyberattack damages the reputation of the company, but also that of its employees, sometimes causing extreme demotivation among them and leading to resignations.
In 2021, 6 out of 10 companies that were attacked reported an impact on their business: disruption of production (21%), compromise of information (14%), unavailability of the website, etc. (CESIN annual barometer)