Brunswick Review The Crisis Issue

Rude Awakening

Don’t let the discovery of a cyber breach be the first time you’ve thought about how you will handle it.

Overnight, your information security team discovered unauthorized access to sensitive files. Early this morning, your technology team confirmed some file IDs have been changed and cannot be accessed. Both teams propose taking the network offline until they can find the root cause. This means your people can’t work and your customers can’t use your services, potentially for days.

You don’t know how much information has been accessed, what has been done with it, who has it or for how long. You do know that you cannot serve your customers and, if their accounts have been compromised, their businesses could also be at risk.

This is now your job for the foreseeable future. Good morning.

Blame Game

Your company is now in the spotlight. Rightly or wrongly, in the case of a cyber incident, the brunt of the blame falls on the victim of the attack – not the perpetrator. In a Brunswick Insight survey, financial media readers in the UK indicated that they’re well aware of the usual suspects who carry out these attacks. Nearly nine in 10 respondents recognize serious threats from nation-state actors, global terror groups and individual criminals. Even so, nearly half (47 percent) say they’d blame the business that fell victim to the attack, compared to just 32 percent who would blame the perpetrator (Chart 1 on next page).

Companies not meeting expectations of preparedness are the biggest target for blame. In our survey, 83 percent say they’re concerned services they rely on will be disrupted (Chart 2); just 53 percent say they’re confident those businesses can prevent an attack. Only 10 percent say they’re very confident.

Cyber attack headlines are now part of our daily newsfeed. Perhaps we are more accepting of the idea that our personal data has been breached, and we know we bear some of the responsibility to watch out for fraud. But we still expect companies to take all the right steps, mainly because:

You should have seen this coming. “When, not if” has long been a stark warning from cyber experts and regulators.

You should have been better prepared. Despite growing awareness that business can be brought to a standstill, adequate steps are rarely taken in advance.

It Matters

These events have consequences for leadership, employees, customers, partners and investors. Each expects that the appropriate steps are being taken by the others to protect the company and sensitive information. But do they all understand the potential financial and reputational consequences?

Regulatory repercussions. The General Data Protection Regulation took effect in May of 2018. We don’t know yet what fines for the worst offenders will be, but they could amount to 4 percent of global turnover. The regulator could also force companies to suspend business if they aren’t satisfied the proper steps to protect data have been taken.

Loss of business. The June 2017 NotPetya attack aimed at the Ukraine caused material sales impacts for a number of global companies. They were simply collateral damage, the result of perhaps even just one user clicking on malicious links. Maersk has used the experience to warn others. They reported $265 million lost sales in a quarter following a 10-day period where the company was reduced to pen and paper while it reinstalled all of its IT systems.

Share price impact. Breached companies see immediate share price impact and underperform the market in the long term. An analysis by Comparitech of 28 breaches showed that these companies underperformed the Nasdaq by 4.6 percent over the first 14 days and by 11.35 percent over two years.

Lost productivity. Responding to cyber attacks weighs on your company’s performance. Production loss accounts for one-third of a company’s annualized costs due to cyber crime, the 2017 Accenture and Ponemon study found.

Executives are collateral damage. Companies that have suffered major breaches, like Yahoo!, Equifax, Target and Uber, often see the resignations of either their CEO, CISO and/or General Counsel.

Class action lawsuits. These are not limited to the US. We saw a firm threaten a group action suit against British Airways within days of the September 2018 data breach.

Survey: Brunswick Insight research conducted between September 21 to 24, 2018 in the UK among 316 readers of top-tier financial publications.

 

Preparation Pays

This is the seatbelt moment for companies. The expectation is on them to protect their business and any that they work with by thinking now about how to increase cyber reputational resilience. Consider the critical decisions you will be faced with to inform your everyday approach to arming your people, systems and your leadership team:

1. Align your response team. Swift coordination in a pressured situation requires a defined decision maker. The CEO needs to know when that decision-making power should sit with her and how the critical details to inform decisions will be shared. When facing a business unit incident that affects a global customer base and requires international regulatory alerts, that responsibility can get muddled.

The smoother the public response, the shorter the public follow-up cycle and scrutiny. That only comes with practice.

2. Consider the tough decisions. You want to be able to offer your customers something in response to a potentially protracted disruption. The first debate about exactly what that offer will be should not happen under the pressure of a tight deadline. As with any critical decision that could affect your long-term reputation with customers and employees, understand the likelihood of risks and weigh how you could respond.

When would you advise customers of a potential risk? When should you inform the market, given that it may be some time before you have a complete picture? How often should you communicate during the disruption? How will disclosure affect different parts of the business? You have to be prepared to communicate clearly but cautiously and your first communication has to be accurate.

How would issues in different regions drive decisions? Global companies must reconcile the different cultural and geopolitical pressures around the level of information expected in each market when hit with a cyber incident. Which of your markets will guide your response strategy? 

“WARNING! All your important documents are now encrypted and cannot be unlocked without a unique private decryption key. You have 48 hours to pay $5,000 or your files will be permanently locked.”

Messages like this throw millions of people into panic each year. For those who find sensitive business or financial information locked and inaccessible, this is an immediate crisis.

We’d all like to think that cyber attacks and ransomware find victims only among the most unsuspecting and unprepared. And, we all know that paying a ransom is never recommended as it frequently doesn’t even give you renewed access to your data.

Or do we? In a survey of 316 UK readers of top-tier financial publications conducted by Brunswick Insight, 42 percent said that paying a ransom may sometimes be necessary when the information is absolutely critical to access, or if it would cause deep problems when revealed.

How would you respond to extortion? Does your executive team agree how you would respond to threats of extortion? Would you take a public stance around refusing to pay ransom, and is that more effective in your key markets?

3. Get to grips with the potential consequences. With the right questions, you can understand where you are most at risk of a cyber incident. That should inform both how much you put toward mitigation of key risks and how you prepare to respond. If a phishing attack could grant access to sensitive IP critical to your business, extra defenses and training are required.

Are those most sensitive systems the first ones your information security team would check at the notice of potential unauthorized access? Do you appreciate the level of complexity involved in understanding what could have been accessed? Where will you need to be prepared to offer compensation and how much?

4. Increase your IT security literacy. There is a call to action for boards to increase their understanding of the cyber risks their companies face, and to do that they need to understand their current defenses. This extends to the preparedness of the members of your supply chain. 

In the case of a cyber incident, the brunt of the blame falls on the victim of the attack – not the perpetrator.

Earn a Return from Managing Cyber Risk

Cyber resilience is not just a matter of risk management. Robust preparation across your business should be value enhancing.

An informed executive team will demand higher standards from everyone in the business. If it is a theme heard from the top, information security will be echoed across the business making it a message your customers and partners hear too. Employees want to be part of a solution and understand the role they play.

Good management appeals to investors. Our survey shows a very positive response to senior executives detailing how they’ve dealt with ongoing cyber threats and strengthened defenses and preparation.

Cyber attacks can disrupt business and carry long-term consequences. Hackers work full time to get into your system. Advance planning and
company-wide cyber awareness can make their job considerably harder. 

 

Jeremy Ruch and Wendel Verbeek are Brunswick Directors, based in London.

Illustration: Edmon de Haro

Charts: Peter Hoey

Download (589 KB)