Managing the reputational fallout from being the subject of a cyber attack is an aspect that is often overlooked
The Russia/Ukraine conflict has elevated the risk of cyber breaches globally. War is being fought with both boots on the ground and attacks in cyber space.
A vehicle for disruption, cyber attacks have taken the form of everything from state-sponsored attacks on the part of the Russians, to the so-called ‘hacktivist’ groups who are pooling resources and targeting entities in Russia and Belarus, to traditional cyber threat groups seeking a piece of the action.
The attacks have increased in frequency and intensity, spilling over into other areas and affecting all businesses, from SMEs to mid-range and large corporates around the world. Despite even the most rigorous cyber protection measures, no business is immune.
Whilst the National Cyber Security Centre (NCSC) and other agencies are issuing warnings about the increasing attacks and advising on mitigation measures that can be implemented, managing the reputational fallout from being the subject of a cyber attack is an aspect that is often overlooked.
Businesses can spend years and vast sums building their brand and reputation only to have it wiped out by one incident.
The impact on customers
A cyber attack typically involves a business’ IT systems being infiltrated, a malware payload being injected, and all data and systems being encrypted, leaving users with no access. This will have an immediate impact on the business’ ability to operate, ultimately affecting anyone who uses it.
With a systems rebuild taking anything from one week to several months, disruption is guaranteed.
But what will be the reaction of the customers? Initially, they may be sympathetic, but that can soon change. What if there has been a data breach and the malicious actor has exfiltrated their data? How will the customers, or data subjects, react?
Cyber attacks, and in particular data breaches, present a huge reputational risk. The key drivers of reputational damage from a breach are the size of the breach, where it emanates from, and how quickly and effectively the company reacts.
As well as the incident response and systems rebuild, companies need to be alive to the reputational damage and public relations response to a cyber attack.
Many cyber insurance policies currently on the market cover Cyber Reputation Business Interruption costs, with typical wording being: “Cyber Reputation Business Income - We shall pay the Reputation Business Income Loss that You sustain following a Breach Event or Security Compromise that commences during the Policy Period.”
It is also fairly typical to see policies covering: “Any reduction in revenue and any increase in the cost of working resulting from interruption to or interference with the business including any loss of current or future customers caused by damage to your reputation arising from: 1. Data security breach; 2. Virus or similar mechanism, hacking or denial of service attack; 3. Cyber extortion.”
In effect, this means any reputational loss of business arising from a cyber incident may be covered under such a policy of insurance. But, while cover may be in place, it can be difficult to establish how far it extends. How is reputational damage and the losses flowing from this measured?
Measuring reputational losses
Reputational losses can include loss of customers, loss of sales, and reductions in profit. Associated with these are the additional costs (commonly known as Increased Costs of Working) incurred to prevent or minimise reputational losses.
In simple terms, business interruption losses are generally measured on the difference between the expected revenue, and the actual revenue during the period of interruption or indemnity period under the policy, less any savings.
In terms of cyber business interruption, and specifically cyber reputation business interruption, this can present challenges to both the loss adjuster/forensic accountant dealing with the claim and the policyholder.
What might appear to be clear-cut to the policyholder can be incredibly complex, and so managing the expectations of the policyholder is key to a successful outcome in relation to any claim.
Businesses will look at reductions in sales, customer retention, the likelihood of being unable to fulfil contracts and the likelihood of losing contracts or opportunities as losses claimable under a policy of insurance.
In assessing such losses, loss adjusters/forensic accountants will seek historic information for a period of at least three years in order to track sales and any trends in the business, whether upward or downward.
The bigger picture
Internal and external factors will also be considered and, as we move out of the Covid-19 pandemic, it will be necessary to consider whether Covid or other geopolitical factors have affected the business and contributed to any reductions in sales.
Another key factor in measuring these complex losses is deferment: has the customer or sale been lost or is it just deferred? Will the customer return once the business is fully operational with a potential spike in sales in the months following the incident?
Investigations into reputational damage and losses will draw on many metrics and analytics relating to the business and the sector in which it operates.
Tracking industry trends, and even the likes of social media, can provide valuable evidence as to whether the losses are flowing directly from the cyber incident or could be due to other non-related external factors.
Ultimately, the business will have to prove that the losses it claims are solely due to the cyber event and that the reputational damage is directly linked to the attack.
As with any insurance policy, there are various exclusions - examples include: regulatory costs or fines; systems or processes upgrades; contractual penalties; legal costs or expenses arising from liability to third parties; losses prior to the waiting period under a policy; and losses after the indemnity period has expired.
Prevention is better than cure
As well as deploying measures to prevent an attack in the first place, it’s necessary to have a business continuity plan in the unfortunate event that one does occur. This should include a public relations strategy outlining how the business will manage and minimise the reputational damage.
Who in the business will issue statements and manage customer and press enquiries post-incident? Who will review and monitor social media activity? Does the business have this expertise internally, or is this best left to the experts?
Nigel Collins is Technical Lead - Cyber & Technology at global loss adjuster McLarens.