MANAGING REPUTATION RISKS IN DATA BREACHES AND CYBER ATTACKS
R&C: In your opinion, what reputational risks do potential or actual data breaches and cyber attacks present to companies? Is it possible to measure or quantify such risk?
Garrett: We believe all companies, especially publicly traded companies, face significant reputational risks as a result of both potential and actual data breaches and cyber attacks. Publicly traded companies are increasingly being negatively impacted by class-action lawsuits by investors following major cyber breaches, due to their belief that the company was negligent in providing appropriate internal information security controls, effective monitoring, detection, cyber incident response and disaster recovery planning prior to and during the attack.
Ayers: How you measure the reputational risk of a breach is an inexact science, as the characteristics and fallout of each incident can be very different. However, an interesting measure to quantify the risk of a breach is the annual report on the ‘Cost of a Data Breach’ from the Ponemon Institute. The 2017 study shows that the average cost of an incident in the UK was £2.48m, or £98 per record. This is broken down into direct costs, such as the cost of detecting and remediating the incident, as well as indirect costs, including a higher cost of customer acquisition and greater customer churn. It is also worth noting that these costs do not factor in any regulatory penalty, something that could be substantial under the General Data Protection Regulation (GDPR).