The Covid-19 pandemic has had a devastating effect on our health and wellbeing, and it has taken an enormous toll on the global economy with markets in a tailspin. In a matter of weeks, the Dow, Nikkei, FTSE, Sensex, and other benchmark indices plummeted, investor wealth eroded and the world economy settled into a recession.
Just as the Corona virus pushed the world economy into a recession, a cyber virus can push a company into bankruptcy or at least devalue it substantially. Yahoo’s US$350 million devaluation following two exceptionally severe data breaches comes to mind instantly.
In April this year, IT services major Cognizant was hit by the Maze ransomware attack that compromised their internal systems and caused service disruptions for their customers. Even though they were able to contain it speedily, Cognizant still anticipates a loss of US$50-US$70 million on account of the cyber-attack.
Just last month, Indiabulls’ systems were breached by a CLOP ransomware operator. The hackers publicly released one tranche of the data containing customer identities, financial transactions and employee information in a bid to collect ransom. CLOP ransomware demands can range between US$50,000 and US$1 million, depending on the target and negotiations.
At almost the same time, the J&K Power Development Department found itself the victim of a cyber-attack that wiped off business-critical data from its data centre servers. The attack rendered the website, app and data centre non-operational for three days.
Unfortunately, these incidents are no aberration. It’s the new norm. This is confirmed by a recent survey conducted by the International Information System Security Certification Consortium. Over 250 professionals actively engaged in M&A activity affirm that cyber audits have become an indispensable part of the M&A due diligence and valuation process.
- A resounding 100% reveal that cyber audits are a standard M&A practice.
- About half (49%) believe that the discovery of previously undisclosed breaches could derail an ongoing deal.
- Three quarters (77%) make M&A recommendations based on the strength of the cybersecurity program.
As the frequency and intensity of cyberattacks have escalated, there has been a corresponding surge of cyber audit requests from prominent VC and investment firms in India and globally. Earlier, these investors’ primary focus during due diligence were financial and legal events. Today, cybersecurity has become an integral part of their scrutiny.
Why has Cybersecurity Become So Critical?
The World Economic Forum has called out cybercrime as one of the top threats to a company’s business and reputation. There were more than 1.76 billion records leaked in January 2020 alone. A single attack can compromise crown jewels, derail operations, axe revenue, and shred business reputation.
Digital transformation and the drive to ‘connect everyone and everything that can be connected’ will expand the cyber-attack surface, increase vulnerabilities, and exponentially magnify the frequency and impact of cyber threats. Alongside this, new technologies like AI and AR/VR have started opening new frontiers in cyberwar.
These threats can result in unprecedented damage. Cybersecurity Ventures predicts cybercrime damages will cost the world US$6 trillion annually by 2021, up from US$3 trillion in 2015.
Putting this together, Boards, CEOs, and CFOs have understood that the financial impact of a cyber-attack on the bottom-line and valuation of business is unavoidable. It’s no wonder that cybersecurity has graduated from an IT/IS checklist to the C-suite’s priorities.
What is the Cost of Cybercrime to a Company?
While the immediate impact of a breach can be quantified easily, there are other deeper ways (e.g. reputational risks) in which a cyber-attack impacts the company’s fortunes. These have far-reaching consequences and can make or break a business in the long term. Let’s unpack some of the costs associated with a cyberattack:
Fire-fighting costs arise from the immediate impact of a breach and can be quantified easily. These include expenses on incident investigation and response, breach notifications and communications, public and stakeholder relations, lawyer’s fees and litigation, etc.
Reputational costs are a result of the other, sometimes overlooked, ways in which a cyber-attack impacts the company’s fortunes. These include spending on cybersecurity improvements, enhanced insurance premiums, protection of intellectual property, increased cost to raise equity and debt, devaluation of trade name, revenue and operational losses, and lost value of customer relationships.
Immediate steps you can take:
- Protect your revenue, assets, and valuation (aka dimes and dollars), with a robust cybersecurity strategy that aligns with your risk appetite and complies with industry and government regulations.
- Identify your ‘defensible’ assets and optimise your resources to protect your most critical infrastructure, detect attacks as they happen and respond effectively.
- Create a culture that prioritises cybersecurity. Design it into your products, policies, and processes. Include it in the C-suite conversations. Approach it as you would a strategic investment, not an expense.
Thus, Like Covid-19, cybercrime spares no one. Whether you’re the target of an attack or an unfortunate bystander, the collateral damage can be immense. It’s best to be prepared. World over, companies have already upped their investment in cybersecurity. IDC estimates that global spending on cybersecurity will jump up to US$133.7 billion in 2022.
Guest contributor Anuj Vaid is the Chief Sales & Marketing Officer at CMS IT Services, one of India’s leading system integrators and managed services provider. Any opinions expressed in this article are strictly that of the author.