“Almost every type of business today uses technology in some form to generate revenue,” says Giles Taylor, Head of Data and Cyber Security at Lloyds Banking Group. “On the one hand, harnessing technology is really driving us forward as a society, but at the same time, it makes us more vulnerable if something goes wrong. Over the past few years cyber criminals have woken up to this dependency and the volume of attacks and the impact of those attacks have increased dramatically.”
High-profile cyber-attacks, such as the NotPetya attack in Ukraine in 2017 and the WannaCry attack on the NHS, have raised awareness that cyber-attacks are a risk that doesn’t just impact the IT department, but that can have crippling effects on operations and financials. According to a report from McAfee, in 2017 the estimated cost of cyber-attacks globally was between $450 billion and $600 billion.
Learning the lessons
It’s against this backdrop that cash flow or liquidity becomes even more important. “One of the key lessons from the financial crisis for businesses in every industry was that short-term liquidity is crucial for survival,” says Llewelyn Mullooly, Director of Working Capital, Lloyds Banking Group.
“That’s why we spend so much time helping our clients understand their working capital, so that they can manage their cash flow more effectively. Cyber-risk and cyber-security, and their financial impact, is just another element in managing your working capital and managing your cash flow. Everyone, whether they’re the owner of a small business or the treasurer of a multinational company, faces the challenge of forecasting their cash flow and managing short-term liquidity risk. Now it’s really important that they include cyber-risks and cyber-security on that agenda.”
Whilst many businesses will have contingency plans in place to manage the impact of traditional crises, such as fire or flood, on their business, a lack of appreciation of the potential scale and scope of a cyber-attack can leave them at significant risk, as Giles points out:
“With say a fire or a flood it’s generally very well understood; you’ve got a passive adversary, so the fire is either burning or it’s not, and the water’s coming up or the water’s going down. With a cyber-attack, the consequences could be much more invasive for your business, and much more destructive. Thinking through what those increased consequences could be and how you cover that over the short term is critical.”
Increased demands on cash
Some of the immediate impacts could include loss of ability to make or receive payments, loss of communication, interruption of your supply chain, paralysis of systems and operations – anything from your email going down to a production line being halted. At the same time, costs start to spiral – forensic costs of understanding, fixing and preventing the issue from happening again, perhaps additional staff to undertake manual processes whilst automated processes recover, or even capital expenditure on interim systems so that normality can resume as quickly as possible.
“With all of that going on, the burden on your cash is really going to increase,” explains Giles. “What businesses also need to remember is that, if you’ve lost your IT systems, you may not be issuing invoices. So, you’ve got all these additional bills to pay, and yet there’s no money coming in. It could be a real challenge for businesses who haven’t planned ahead and who don’t have a cash flow buffer available.”
Assessing and managing your risk
So how can you make sure that your business is cash-flow fit in the face of a cyber-attack? Contingency planning is obviously important: consider all of the technology touch points for your business, how each will have a financial impact, how long recovery will take and whether your cash reserves are sufficient to cover that.
“Companies of all sizes need to undertake some sort of risk assessment, that involves evaluating the risks that are specific to their industry, and then doing a likelihood and impact assessment,” says Llewelyn.
“Once you’ve done that you can then actively manage those risks by transferring them, avoiding them, or reducing them. Practically, what that means for any company is that the finance or the treasury department needs to work along with IT; they need to be involved in the risk assessment of their financial systems. But, they also need to include all of these scenarios that are specific to their industry – they need to include that in their cash flow forecasting, their scenario analysis, or for larger companies, their liquidity risk strategy.
“Once they understand what the range of impacts are for their specific business, there are a couple of options financially. They can either take out some form of cyber insurance, which is a growing area of insurance as this risk evolves. Or, they have to assess whether they hold enough liquid assets, whether they need to hold additional liquid assets as a buffer for this type of risk so that they’re able to withstand a short-term impact as well as some sort of long-term rebuilding phase of IT systems and reputational damage.”
With the right kind of planning, one that takes a holistic view of the potential impact of a cyber-attack, and a carefully thought-out approach to your cash flow, you’ll give your business the best chance of responding to and recovering from a cyber-attack.