financial-impact-cyberattack

18 April 2023

Cyber attacks are on the rise in an increasingly digital environment. It is now natural to consider cybersecurity as a major issue in the IT strategy of companies. It is an issue in its own right that must be integrated into cloud migration projects.

The contours of a cyber attack

A cyber attack or hacking can take different forms. While data theft is the most well-known form of hacking, other types of cyberattacks exist.

Ransomware or denial of service, to name only the most frequent, refer respectively to the installation of malicious software to encrypt data or the saturation of systems to make them unusable. The objective of the attack is clear: to set up financial blackmail to obtain a sum of money.

The first key to good management of a cyber attack seems to be the speed of detection. On this point, companies are more and more armed and take it into account more and more in their IT strategy. In fact, according to FireEye's MTrends 2021 report, companies were detecting incidents in 24 days in 2020, twice as fast as in 2019.

Once a cyberattack is detected, the company will implement a strategy that will generally start with technical responses (disconnecting infected devices, applying security patches, etc.) and then transmitting information related to the incident.

The company must alert its teams, customers, and partners in order to ensure internal mobilization and anticipate problems of business interruption.

All the implemented measures will have irreparable consequences which will be characterized, in fine, by financial impacts for the company. At Padok, we offer to assist you in your forensic analysis of the attack to trace the attacker's path.

What are the financial impacts of a hacking attack?

The response to a cyber attack will generate for the affected company a set of immediate financial impacts, but also indirect and longer-term repercussions.

Impact on cash flow

Immediately, a cash impact is inevitable. The first cost center is related to the repair of the cyber attack and the implementation of temporary infrastructures to maintain the activity.

Here, two scenarios emerge:

  • Companies that opt for the fastest, but often riskiest strategy: paying ransom to hackers. There is no guarantee that the hackers will keep their end of the bargain, and even if they do, they still have their hands on the IT system.
  • The company can similarly fight the cyberattack by taking corrective and legal action. The cash flow is then directly impacted by the use of external service providers on both technical (improvement of cybersecurity devices, post-incident data security) and legal (lawyers' fees and court costs) sides.

Impact on revenues

Financial impacts directly on revenues can also be observed due to the demobilization of internal teams or the cessation of production and direct sales.

In 2017, NotPetya, a ransomware-type cyberattack, paralyzed several companies such as Saint-Gobain, Auchan or SNCF, with a loss estimated at $10 billion.

Another prominent example is Bénéteau, a French company and world leader in boat construction. In 2021, a very violent cyber attack forced them to close all their factories overnight, paralyzing production. The impact in terms of lost revenues is estimated at €45 million by Jérôme De Metz, the group's CEO.

Impact on valuation

From another point of view, a cyber attack depreciates the reputation of a company and the value of the brand. This can have an impact on valuation. The French Bessé study looks at the consequences for listed and unlisted companies.

For the former, we observe an average decline of 9% in the stock market price. But the repercussions are even more significant for the latter. In France, the risk of failure for small and medium-sized companies increases by 80% following a cyber attack.

What are the first steps to act?

If the risks and financial stakes of a cyber attack are tangible, the responses still seem inadequate. According to an IBM Ponemon Institute study, 80% of French companies do not have robust IT strategies.

Here are two initial avenues for action to overcome this lack of preparation for cyber security attacks:

  1. Raising employee awareness of cyber-attacks: the French National Agency for Information Systems Security (ANSSI) offers various guides to help French companies on this subject, such as "Cybersecurity for VSEs/SMEs in 12 questions".
  2. The definition of the current level of protection of the company: it is necessary to invest time to evaluate the level of security of the IS and to be able to know its strengths and weaknesses, to set up a good IT strategy.

Once the awareness and the inventory have been done, a roadmap will have to be defined within the IT strategy of the company by the DevSecOps teams in order to limit the risks of cyberattacks.

Conclusion

While the risks and financial stakes of a cyber attack are tangible, the responses still seem inadequate. According to an IBM Ponemon Institute study, 80% of French companies do not have robust enough IT strategies.

Suffering a cyber attack is generally a trigger for taking these risks into account in the cyber strategy. This strategy of reacting after the fact has a much more negative financial impact than anticipating and mitigating these risks upstream.