11.08.2019

Cyber Attacks: Reputational Consequences

By Emily Short

“It takes 20 years to build a reputation and five minutes to ruin it.”

   – Warren Buffett

Cyber attacks are costly. Just ask Sony, Target, Home Depot, or Equifax. Or you could try asking AMCA, the medical billing collections company used by Quest and LabCorp. But, you might not reach anyone, as they filed for bankruptcy citing a “cascade of events” related to the large data breach disclosed this summer. Legal fees, notification costs, regulatory inquiries, forensics, fines & penalties, and lost revenue are just a few of the expenses that follow a cyber attack.

The cyber threats facing businesses are ever-changing, but recently, ransomware attacks, spear phishing, malware, and insider negligence have dominated the news. And no industry is immune: municipalities, educational institutions, hospitality, and healthcare companies have been hit hard over the last year. Unfortunately, it’s not a matter of “if” a company will experience a cyberattack, it’s “when”.

As we’ve seen in recent years, a successful cyber attack can have significant financial and reputational consequences. According to a recent study by Radware, 43% of those companies participating experienced “negative customer experiences and reputation loss as a result of a successful cyberattack.” This is compounded by the increased use of social media, and the internet in general. These additional forms of communication …

While larger companies may be able to absorb the loss of customers, many smaller to mid-sized businesses cannot recover from the reputational consequences and loss of customers.

How did you respond?

The criticism companies face based upon their response to a cyber attack is an ongoing discussion. Reputational consequences and loss of customer trust following a cyber attack are some of the biggest concerns facing companies.

In 2017, Equifax disclosed a breach that exposed the personal information of more than 140 million people. Although it’s not the largest breach we’ve seen in recent years, it’s definitely one of the most talked about. Why? Because they mishandled the response, and it became a public relations catastrophe. Within the first week after the breach, Equifax lost four billion dollars in stock market value, and as of May 2019, the cyber incident has cost Equifax approximately $1.4 billion plus legal fees. In July 2019, Equifax agreed to pay $700 million to settle federal and state investigations into how it handled the breach. Discussions around how poorly Equifax handled breach response are not going away anytime soon.

Much of the reputational damage could have been minimized if the breach response process had been handled appropriately. Delayed disclosure and bad judgment on the part of senior executives exacerbated the negative response. Equifax learned of the incident at the end of July 2017, but they didn’t disclose it until September 7, 2017, nearly six weeks later. During that period, three senior executives sold almost $2M in company stock (one of whom was recently sentenced to four months in prison). Additionally, Equifax directed potential victims to a new, separate domain, on which some observers found bugs. Their Twitter account also mistakenly tweeted a phishing link out four times instead of the actual breach response page. Equifax’s response made it clear they had no comprehensive set of policies and procedures in place.

In July 2019, Capital One disclosed a breach that involved the personal information of over 100 million customers in the U.S. and another 6 million in Canada. Following the disclosure, the company’s share price dropped approximately 6%. But, in contrast to Equifax’s response, Capital One was quick to act after the incident, publishing information on the punishment of the hacker and publicly apologizing. They were also transparent about the impact of the incident on consumers.

Capital One will not walk away unscathed. They will still expend millions of dollars on response costs, litigation, and regulatory inquiries. Lawsuits have been filed in federal court, at least two attorneys general are investigating the incident, and a shareholder suit was filed in early October.

Bad publicity following a cyber incident is compounded when a company appears out of control and cannot explain how or why. When a breach is disclosed months or even years later, it gives the impression that the organization doesn’t have a grasp on its affairs.

Sometimes, consumers just want to know what you plan on doing to stop future incidents. In 2013, Target announced a breach that affected more than 60 million Target customers. At the time, it was one of the largest breaches, and many criticized the 20 days it took them after discovery to disclose the breach to the public. However, months after the breach, Target posted a list of security enhancements on their website. This transparency and consumer loyalty likely played a role in their reputation bounce-back.

Conclusion

Businesses must adopt both proactive and reactive security solutions in today’s cyber risk climate. Beyond the financial and legal impacts resulting from a cyber incident, a lack of effective communication and transparency can have severe reputational consequences for brands, from extended, negative news cycles and social media takeovers to congressional hearings and leadership turnover.

Many companies aren’t prepared for the inevitable cyberattack, which can have serious, even company-ending, reputational consequences – are you?

Emily consults on risk management and insurance solutions across a variety of industries, with a particular focus on technology, venture capital, and private equity risks. Emily previously worked as a cyber and technology insurance broker at one of the largest international brokers. Prior to that, Emily was practicing law, focusing on professional liability insurance defense. In addition to her Juris Doctor, Emily completed the Certified Information Privacy Professional (CIPP/US) designation and the Registered Professional Liability Underwriter (RPLU) designation. She is licensed to practice law in Kansas and Missouri and has her Kansas insurance license. Connect with Emily on LinkedIn.