“When you think about cyber risk, you think about someone stealing information, but it’s so much broader than that,” says Llewelyn Mullooly, Director of Working Capital, Lloyds Banking Group. “The financial impact, no matter what business you’re in, can be severe and widespread. If you’re running a coffee shop, for example, and your payment system goes down, it means you’re not able to take card payments. You potentially lose revenue but you’re probably still paying staff and suppliers, so there’s an immediate impact on your cash flow.
“If you’re a manufacturer, a ransomware attack could impact your entire production process, which will have a longer-term impact on your cash flow and business finances. An online retailer whose website goes down will see a loss of revenue and potentially a loss of customer information, which could lead to a fine as well as reputational damage. Whatever sector you’re in, the risks are not just operational and IT, but financial.”
Counting the cost of recovery
The immediate priority for many businesses in the face of a cyber-attack is to get their systems back up and running as quickly as possible. Depending on the complexity of their systems and the nature of the attack, this can take anything from a few hours to months. During that time, you need to be able to continue to service your existing customers and run customer operations as normally as possible if your business is to survive. Achieving that whilst your IT systems are compromised or paralysed can add a significant burden to your finances.
“That could mean drafting in additional staff to undertake processes manually or even capital expenditure on temporary systems to enable the business to get back to some form of normality,” says Giles Taylor, Head of Data and Cyber Security at Lloyds Banking Group. “The other issue that people may overlook is that, if you’ve lost your IT systems, you may not be issuing invoices. So, you’ve got all these additional bills to pay, and yet there’s no money coming in.”
Longer-term financial impact
Beyond the initial aftermath, the costs of a cyber-attack can continue to escalate, and not just in terms of rebuilding systems. Forensic and associated costs to establish the root cause of an attack, and to ensure that a similar attack is unlikely to be successful, can be significant. Customer redress or compensation can also add up, as can more indirect costs, such as loss of output or reduced productivity. The WannaCry attack in 2017, for example, is estimated to have cost the NHS £92m in direct and indirect costs [1].
“Regulatory fines can also mount up,” says Giles. “The introduction of the EU General Data Protection Regulation (GDPR), for example, means that firms can be fined up to 4% of their global turnover for breaches of data security, so attacks that compromise customer personal data could be very costly. Other regulators also take a dim view of businesses whose actions or indeed inactions have made them susceptible to a cyber-attack.”
Reputational loss and a decline in customer goodwill can also have an impact across both the short and longer term and can reduce brand equity as well as sales. If a cyber-attack on a retail business leads to customer loss through leaked credit card details, a manufacturer’s system is compromised and orders delayed, or a coffee shop’s card machine frozen, customers may be forgiven for looking for more reliable alternatives.
Reducing your financial risk
So, what can firms do in the face of an increased risk of cyber-attack to reduce the financial cost to their business?
- Reduce the risk of your business falling victim in the first place. Robust IT and system security may seem obvious, but regularly reviewing this is essential as both security and threats to it move on rapidly.
- Train staff to lessen the business’ exposure (for example, not clicking on dubious links) as well as to identify potential threats.
- Firm up your processes to ensure that any patches or updates are applied quickly.
- Create a clear plan to manage a cyber-attack. This can significantly reduce the amount of time a business takes to recover.
For more information on how to manage cyber-risk take a look at our Cyber guidance brochure (PDF).
“Like a lot of risks, when you’re actually going through an attack your options are usually quite limited,” says Llewelyn. “It requires a lot of planning and forethought. Depending on the size of company you’re managing, having a risk strategy or policy that looks at the likelihood and the impact of the risks and then developing a plan to manage that, is vital – whether that plan is avoiding the risk, transferring the risk or reducing the risk. Modelling the cash flow impacts of the risks that you’ve identified can be instructive.”
The risks a business faces will depend, in many cases, on the nature of the business and industry. Understanding how technology is used within your business, and the operations it touches, can help you appreciate the scope and scale of the financial risk connected with a cyber-attack.
Cash is key to recovery
Cyber insurance is a growing area as more and more businesses are becoming aware of the potential damage that a cyber-attack can cause. “Whilst insurance will go so far to mitigate some of the risk businesses face, the challenge sometimes is that cyber-attacks can be very complicated, and it may not be clear exactly what’s happened and whether it’s covered under the policy,” explains Giles.
“There could also be a period of time where you’re going to need to cover an increased call on cash, before your insurance pays out or, in cases where it doesn’t, until you’ve generated enough revenue to cover your costs. Forecasting your cash requirement, depending on different scenarios, is going to be critical to your risk management. And that could even be periods of up to one or two years, depending on how sophisticated your business is.”
“It also means having the right sized cash buffer to see through any temporary shocks. Most larger companies will have a complex liquidity risk strategy to calculate this cash buffer and will need to add a range of cyber-attacks to this; smaller companies will need some cash flow scenario planning just to get a sense for the financial risk. For certain companies, depending on the type of assets they hold, a short term cash flow shock can be far more dangerous than the longer-term reputational or operational risk,” adds Llewelyn.
Putting cyber-risk on your cash flow agenda
Balancing an understanding of the potential impact of a cyber-attack with planning your response, and risk mitigation with insurance, can help your business recover more quickly when the worst happens. Getting to grips with the fact that cyber risk is a risk facing the entire business rather than just IT is an important first step.
“Short-term liquidity is the life support of any business,” says Llewelyn. “That’s why we spend so much time helping our clients understand their working capital, so that they can manage their cash flow more effectively. Everyone, whether they’re the owner of a small business or the treasurer of a multinational company has the challenges of forecasting cash flow and managing their short-term liquidity risk. What’s really important is that they include cyber-risks and cybersecurity on that agenda.”