Cybersecurity breach losses are becoming a significant component of companies' accounting records, with implications that extend to intangible costs such as reputational damage, security watchers observe. They add that the IT risk assessment behind cyber insurance can differ by company size and industry type.
Most security breaches will result in additional costs for the impacted organizations, said Jimmy Sng, partner of IT Risk Consulting at PwC. These costs range from breach containment, crisis management, investigations and forensics, customer compensation and damaged system replacements to lawsuits and other penalties, he explained.
Looking back at security breaches over the past few years, Sng said these additional costs and losses have become "material" and significant to the affected company, and the impact of such incidents is on the rise.
He added that it is difficult to estimate the cost of each cybersecurity breach, which can vary greatly, noting that larger cybersecurity incidents in the past had resulted in millions of breached data records. He pointed to the Sony PlayStation Network breach last year, which cost Sony up to US$171 million in damages.
According to Lyon Poh, management consulting partner at KPMG Singapore, cybersecurity costs can be broken into two categories: recovery costs and financial damages resulting from contractual breaches or compliance violations; and reputational losses affecting future business opportunities.
In the event of a cybersecurity breach, Poh noted, unexpected costs will also be incurred when the affected companies investigate and recover from the incident and implement additional safeguards to prevent similar occurrences. However, such costs are quantifiable, he said, unlike loss of reputation, which is unquantifiable and may lead to further losses.
"Loss of reputation is not easily quantifiable and is likely to erode future business opportunities and, in extreme cases, lead to failure," he warned.
Higher risks for some companies, industries
In assessing the risk of a cyber breach for insurance purposes, Ian Pollard, vice president of Chartis Asia-Pacific, said risks differ between organizations, as larger corporations and certain industry segments have to deal with different cyberthreats than small and midsize businesses (SMBs).
For instance, a bank is more susceptible to cybercrimes due to the high volume of sensitive information exchanged during daily transactions, he explained.
Pollard said: "The risk portfolios of companies are defined through underwriting, security risk assessments, the mapping out of cyberattack possibilities which could result in earning losses, intellectual property infringement, defamation, privacy invasion and cyber extortion."
He noted an increased uptake in cyber insurance over the last three years because more companies now conduct their transactions over the Internet, and cloud computing has evolved to become more mainstream in the enterprise IT environment.
New tech calls for robust cybersecurity strategy
Poh agreed, adding that organizations now need to integrate the Internet into their business strategy and, hence, are more susceptible to breaches. This has become the new "business norm", and enterprises must learn to respond to the emerging risks that come with increasing cyberspace activity, he noted.
Companies must assess the pervasiveness of cybersecurity risks in their business model, and develop an information security governance strategy to manage such risks as well as reduce the impact on their businesses in the event of a breach, Poh advised.
They should implement security measures such as surveillance and redundancy planning in their cyberspace business strategy to allow for the early detection of breaches and minimize service disruptions, he said.
A computer emergency readiness team (CERT) should also be established to respond to and recover from breaches in a timely manner, and security and vulnerability assessments should be carried out periodically to evaluate the effectiveness and relevance of existing security measures, he added.
"[As such], companies should see information security as a strategy to protect business values and not simply [regard it] as a business cost," Poh concluded.