Should businesses be worried about huge cyber fines?
There have been a number of large fines handed out in recent weeks to businesses that suffered a cyber breach. British Airways and Marriott International are due to be fined £183m and £99m respectively by the UK’s Information Commissioner’s Office, while Equifax has agreed to pay between $575m and $700m to US authorities. These are large numbers and they have received a lot of press coverage, but are they the only numbers that organisations should be worried about?
Organisations face a fundamental challenge when trying to decide how much to invest in cyber security. This challenge exists because of the difficulty in assessing the return on cyber security investments. This is in contrast to other investments, such as setting up a new website or expanding a delivery fleet, where the likely positive return can be relatively easily estimated. If it’s not going to deliver the money in X years, don’t invest in it.
The consequences of getting this decision wrong can be significant. If an organisation spends too little they will not have the required protection and will suffer losses as a result of an incident. Conversely, if they spend too much they will use up their cash, reduce their profits and become uncompetitive.
The recent series of high profile fines and payments begins to give a clearer picture of the likely cost of a cyber incident. This should help organisations assess how much they wish to invest to mitigate this risk. However, there is another source of losses: the loss of revenue due to business interruption as a result of a cyber incident.
Depending on the size and nature of the organisation, these losses could be a greater consideration than any potential fine. They could equally be less of a consideration. Either way they should both be considered and then used as a basis to assess how much to invest in cyber security and where.
There’s a simple calculator, the “Cyber Fine-O-Meter”, to help with assessing the costs of a cyber breach. We’ll use it to go through an example. It should be noted that as with all calculators of this type, this is not a precise science but it will give a feeling for what the costs could be. It will also provide some numbers to allow a discussion to form around even if those numbers are later discarded. The potential value of such a tool is in the discussion and not the 2 decimal place ‘precision’.
Let’s consider Bob’s Widgets Ltd. Bob has a factory that takes raw materials and produces finished products that he can sell on at a profit. The company has modern sales, fulfilment and production systems and so is heavily reliant on IT. The company has annual revenues of £200m. Bob’s Widgets requires a huge amount of highly personal customer data to fulfil their orders due to the nature of their products.
Bob assesses that if they had a serious cyber incident, it would affect 70% of their output. He also thinks that it would take the business 20 days to get back to full capacity following the incident and that the direct costs of recovery (e.g. security consultants) would be around £500k. In the long run he reckons they are unlikely to experience such an incident more often than once every 5 years. He is aware of his responsibility to protect customer data under regulations such as GDPR, but he assesses that, given past fines, it is unlikely that he’ll get more than 30% of the maximum potential fine.
Feeding these numbers into the Cyber Fine-O-Meter gives us the following insights.
From this we can see that Bob’s Widgets will lose £7.7m in revenue and will face a potential fine of around £6m. If we consider an incident frequency of once every 5 years, this gives us an annualised loss of revenue of £1.5m and annualised fines of £1.2m, or £2.7m in total.
Looking at these numbers Bob can begin to consider how much to invest in cyber security. Bob decides that investing anything in the region of £2.7m would not be efficient as he may as well take his chances and save the money for when something actually happens. He instead decides that investing something in the region of 10% of this value per year might be prudent.
By using this calculator it quickly becomes obvious that the two factors that an organisation can control, and that will deliver the biggest reduction in losses, are the time to recover and incident frequency. (There may also be a weaker link with regards to fines as the scale of the fines levied by authorities may become proportional to how awful they judge the organisation’s cyber security to be.)
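To make the arithmetic behind Bob’s figures explicit, here is an added Python version of the calculation; it is not the Cyber Fine-O-Meter itself. The revenue loss is daily revenue times the share of output affected times days to recover, and the fine model is an assumption made to reproduce the article’s figure: the assumed share of the GDPR statutory cap (the higher of €20m or 4% of turnover, with euros treated as pounds); all function and field names are mine.

```python
from dataclasses import dataclass, replace

# GDPR upper-tier cap: the higher of EUR 20m or 4% of annual global turnover.
# EUR is treated as GBP here for simplicity (an assumption of this example).
GDPR_MAX_FIXED = 20_000_000
GDPR_MAX_TURNOVER_SHARE = 0.04

@dataclass(frozen=True)
class Incident:
    revenue: float           # annual revenue, GBP
    output_affected: float   # share of output lost while recovering (0..1)
    recovery_days: int       # days to return to full capacity
    direct_costs: float      # recovery spend (consultants etc.), GBP
    years_between: float     # expected years between serious incidents
    fine_share: float        # share of the statutory maximum expected to be levied

def revenue_loss(i: Incident) -> float:
    """Revenue forgone during recovery: daily revenue * share of output affected * days."""
    return i.revenue * i.output_affected * i.recovery_days / 365

def potential_fine(i: Incident) -> float:
    """Expected fine: the assumed share of the GDPR statutory maximum (assumed model)."""
    return max(GDPR_MAX_FIXED, GDPR_MAX_TURNOVER_SHARE * i.revenue) * i.fine_share

def annualised(i: Incident) -> dict:
    """Per-incident losses spread over the expected interval; 'total' follows the article (revenue loss + fine)."""
    loss, fine = revenue_loss(i), potential_fine(i)
    return {"revenue_loss": loss / i.years_between,
            "fine": fine / i.years_between,
            "direct_costs": i.direct_costs / i.years_between,
            "total": (loss + fine) / i.years_between}

def budget_at(i: Incident, share: float = 0.10) -> float:
    """Bob's heuristic: spend a fraction of the annualised loss, not all of it."""
    return annualised(i)["total"] * share

# Bob's Widgets Ltd, with the figures from the article.
bob = Incident(revenue=200e6, output_affected=0.7, recovery_days=20,
               direct_costs=500e3, years_between=5, fine_share=0.3)

if __name__ == "__main__":
    # Which levers matter: halve recovery time or halve incident frequency and compare.
    for label, case in [("baseline", bob),
                        ("recover in 10 days", replace(bob, recovery_days=10)),
                        ("incident every 10 years", replace(bob, years_between=10))]:
        a = annualised(case)
        print(f"{label:24s} annual total £{a['total']/1e6:.2f}m "
              f"(revenue £{a['revenue_loss']/1e6:.2f}m, fine £{a['fine']/1e6:.2f}m)")
    print(f"budget at 10%: £{budget_at(bob)/1e3:.0f}k")
```

Running it shows that halving the recovery time halves the revenue loss but leaves the fine untouched, while halving the incident frequency halves both annualised figures, which is the point made above about the two controllable factors.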
This means that Bob now has two areas to focus on when deciding where to invest his cyber security budget: incident frequency and time to recover. All investments should be assessed against how much they help reduce one of these factors.
For an organisation with a low level of cyber security there will be many affordable quick wins that reduce the likelihood of an incident. However, they will get to a point where the law of diminishing returns kicks in and similar sized investments begin to make much smaller impacts on incident likelihood. This is why investment needs to be focused in parallel on reducing the recovery time. Otherwise investments could be used in one area at the expense of much greater benefits in the other.
About Clear Cut Cyber
We are a new business trying to help organisations work out how much to spend on cyber security and where. To do this we work with clients to help them understand what threats their systems can currently detect and stop. We also conduct cyber exercises so that organisations can improve their incident response and get their time to recover as fast as possible. Find out more at www.clearcutcyber.com.