Calculating Economic Damages from a Cyber Event

Forensic accountants can assist with this crucial step in your company’s recovery

Any time you hear the word “event,” you can be sure someone’s coming for your wallet. The word might appear on an invitation to the annual black tie for the Humane Society, in which case you’re probably happy to write a check. In the worst-case scenario, a business associate, vendor, supplier, or your own IT team might inform you of a “cyber event.” Then there’s no need to get the tuxedo pressed. There will be no cocktails, soft jazz, or chicken dinner. But the costs to your business might be so catastrophic that your team can’t even begin to quantify them. An accurate calculation is nonetheless imperative if your business is going to fully recover from the cascading losses resulting from the “event.”

What qualifies as a “cyber event”?

Any disruption of IT services or breach of data security is a qualifying cyber event. Many disruptions are deliberate: attackers flood services with traffic, or deliver malware by inducing network users to open or download files containing malicious programs. Common attack types include:

  • Denial of service — DoS (or DDoS, distributed denial of service, when the traffic comes from many compromised machines at once) is a malicious attempt to disrupt the normal functioning of a server, service, or network via an overwhelming flood of phony requests that slows or collapses service, making a site inaccessible to legitimate users. This prevents you from transacting business and causes reputational harm by frustrating customers who might not return.
  • Ransomware — By tricking a user into downloading a file containing a specific type of malware, an attacker can encrypt files across your systems, preventing you from using them until you pay a ransom for the decryption key. Payment does not guarantee that the key works or that stolen data is not leaked.
  • Spyware — Hidden malware collects data surreptitiously and sends it to the attacker, who can continuously monitor user activities.
  • Adware — Causes popup ads, some of which are malicious, to appear whenever users work at their computers or browse the web.

By the time a breach is discovered and remedied, the affected business is dealing with potentially crippling losses.

Not every cyber event is deliberately malicious. Some are the natural consequences of equipment failure, power surges, power outages, fires, floods, or other force majeure incidents.

In all such cases, the affected business should have insurance and/or a right to be indemnified by a third party, such as a managed services provider, that has contracted to provide and/or protect the network, subject to the exclusions written into the policy or contract (force majeure events are frequently carved out).

Filing a successful claim for cyber event losses

If you are fortunate enough to be able to file a claim with an insurer or responsible party, you must present a reliable calculation of your losses. Lawyers place economic damages into three categories:

  • Compensatory damages — These are the immediate, direct monetary losses caused by the cyber event, such as the profit on sales you lost while your network was down.
  • Consequential damages — These are related but more attenuated losses that your company realizes over time. Such losses are typically insurable, but if you are seeking indemnification from a third party under a contract, they must have been foreseeable at the time you signed the contract.
  • Liability losses — The failure of your controls to prevent the breach can expose your company to regulatory enforcement measures, including fines, and to damages paid to injured consumers.

Any claim you file must contain accurate, verifiable calculations of losses in all categories.

A bit of perspective: Notable cyber event losses

To illustrate just how devastating a cyber event can be, here are five of the costliest recorded losses for businesses worldwide:

  • NotPetya malware attack (2017) — Beginning in Ukraine and then spreading globally, this malware attack shook major corporations such as Maersk, Merck, and FedEx, causing an estimated $10 billion in losses.
  • WannaCry ransomware attack (2017) — This attack terrorized Microsoft Windows users in more than 150 countries, racking up more than $4 billion in losses.
  • Yahoo Data Breach (2013-2014) — The largest data breach on record exposed all 3 billion user accounts; users were not told the full scope for years. Documented consequences included a $350 million reduction in the price Verizon paid to acquire Yahoo’s core business, a $35 million SEC penalty, and a $117.5 million class-action settlement.
  • Equifax Data Breach (2017) — Another huge data breach exposed sensitive data belonging to 147 million people, including Social Security numbers and, for a smaller subset, payment card numbers. Equifax settled with the FTC, the CFPB, and state attorneys general for up to $700 million, on the way to reporting about $1.4 billion in breach-related costs altogether.
  • Target Data Breach (2013) — Hackers came away with payment card data for about 40 million customers and contact details for up to 70 million. By the time lawsuits and the dust settled, Target had suffered serious damage to its reputation as well as between $300 million and $500 million in losses.

How does one begin to calculate such huge losses? As the old joke goes, “The same way you eat an elephant. One bite at a time.” Unfortunately, few organizations have personnel trained to deal with such large numbers patiently and precisely, which is why they so commonly overlook six, seven, or even eight-figure expenses.

Categorizing your potential losses from a cyber event

For the purposes of our discussion, we’re going to group losses on a timeline, in the order your business would feel them, with a brief explanation of each.

Direct Costs — These are immediate and highly measurable expenses, which include:

  • Costs of incident investigation and response
    • Digital forensics ($50,000 – $200,000 or more)
    • External consultants or cybersecurity firms
    • Legal fees
  • Data breach notification and credit monitoring
    • Notifying affected customers ($1 – $5 per record); deadlines vary by jurisdiction, and GDPR requires regulator notice within 72 hours of becoming aware of a breach
    • Offering credit monitoring services ($8 – $30 per person)
  • Regulatory fines and compliance costs
    • HIPAA, GDPR, CCPA or other regulator fines
  • Ransomware payments (if applicable); payment may be prohibited where the attacker is a sanctioned entity, and it does not guarantee recovery of your data
  • IT restoration efforts
    • Restoring compromised systems and bringing services back online

Notice that these are all out-of-pocket expenses the event generated, not revenue or profit your company lost; the two are claimed on separate lines.

Indirect Costs — Financial losses due to operational and reputational harm. Costs arising from business disruption can be more difficult to measure. They include:

  • Business downtime and productivity loss
    • Lost profit on revenue missed during downtime (lost revenue less the variable costs you did not incur)
    • Employee downtime while systems are being restored (idle payroll is a continuing expense; count it once, not both here and inside the lost-profit figure)
  • Reputational damage (can be long lasting)
    • Loss of existing and potential customers
    • Stock price impact (for public companies; this is a loss to shareholders and is generally not claimable as the company’s own loss)
  • Legal liabilities and lawsuits
    • Class-action lawsuits from customers
    • Settlements and legal defense fees (can be in the millions)

To recover these losses (from an insurance company or liable third party) you must be able to defend your calculations. Your numbers cannot be speculative; they must rest on documented figures and established accounting principles, such as a but-for baseline drawn from your own prior-period results.
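The direct-cost and business-interruption lines above can be laid out as a small, auditable model. The following is an added example written for this article, not code from the original page or from any forensic accounting firm; every dollar figure, per-record rate and weekly revenue number in it is constructed sample input, not real claim data. It shows the two points the text makes: out-of-pocket response costs are tallied separately from lost profit, and lost profit is the shortfall against a documented but-for baseline multiplied by the contribution margin, not gross lost revenue. Weeks in which revenue exceeded the baseline after restoration are treated as recovered deferred sales and reduce the loss.

```python
"""Illustrative cyber-event damages model (added example; all inputs are constructed)."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class DirectCosts:
    """Out-of-pocket expenses the event generated (the article's 'Direct Costs')."""
    records_notified: int
    notification_cost_per_record: float
    monitoring_enrolled: int
    monitoring_cost_per_person: float
    forensics: float
    legal: float
    restoration: float
    regulatory_fines: float = 0.0
    ransom_paid: float = 0.0

    def breakdown(self) -> dict:
        # Per-record items are multiplied out; flat items are carried as invoiced.
        return {
            "notification": round(self.records_notified * self.notification_cost_per_record, 2),
            "credit_monitoring": round(self.monitoring_enrolled * self.monitoring_cost_per_person, 2),
            "forensics": self.forensics,
            "legal": self.legal,
            "restoration": self.restoration,
            "regulatory_fines": self.regulatory_fines,
            "ransom_paid": self.ransom_paid,
        }

    def total(self) -> float:
        return round(sum(self.breakdown().values()), 2)


def but_for_weekly_revenue(prior_period_weeks, growth_rate):
    """But-for baseline: mean weekly revenue from the comparable prior period,
    adjusted by a growth trend the business can document from its own records."""
    if not prior_period_weeks:
        raise ValueError("baseline requires at least one prior-period observation")
    return mean(prior_period_weeks) * (1.0 + growth_rate)


def lost_revenue(baseline_weekly, actual_weekly):
    """Sum of (baseline - actual) across the claim window. Weeks above the baseline
    (make-up sales after restoration) offset earlier shortfalls; floored at zero."""
    shortfall = sum(baseline_weekly - actual for actual in actual_weekly)
    return round(max(shortfall, 0.0), 2)


def business_interruption_loss(baseline_weekly, actual_weekly, variable_cost_ratio, extra_expense):
    """Lost profit = lost revenue x contribution margin, plus extra expense incurred
    to keep operating. Only avoided variable costs are deducted; continuing fixed
    costs such as idle payroll remain inside the loss and are not added again."""
    if not 0.0 <= variable_cost_ratio < 1.0:
        raise ValueError("variable_cost_ratio must be in [0, 1)")
    lost_rev = lost_revenue(baseline_weekly, actual_weekly)
    lost_profit = round(lost_rev * (1.0 - variable_cost_ratio), 2)
    return {
        "lost_revenue": lost_rev,
        "lost_profit": lost_profit,
        "extra_expense": round(extra_expense, 2),
        "total": round(lost_profit + extra_expense, 2),
    }


def damages_claim(direct, prior_weeks, growth_rate, actual_weeks, variable_cost_ratio, extra_expense):
    """Assemble the claim with each category on its own line so it can be defended item by item."""
    baseline = but_for_weekly_revenue(prior_weeks, growth_rate)
    bi = business_interruption_loss(baseline, actual_weeks, variable_cost_ratio, extra_expense)
    return {
        "baseline_weekly_revenue": round(baseline, 2),
        "direct_costs": direct.breakdown(),
        "direct_total": direct.total(),
        "business_interruption": bi,
        "claim_total": round(direct.total() + bi["total"], 2),
    }


# Constructed sample inputs for illustration only (not real claim data).
SAMPLE_DIRECT = DirectCosts(
    records_notified=50_000, notification_cost_per_record=3.00,
    monitoring_enrolled=10_000, monitoring_cost_per_person=20.00,
    forensics=120_000.0, legal=45_000.0, restoration=30_000.0,
)
SAMPLE_PRIOR_WEEKS = [100_000.0, 102_000.0, 98_000.0, 100_000.0]  # same four weeks, prior year
SAMPLE_GROWTH = 0.05                                               # documented year-over-year trend
SAMPLE_ACTUAL_WEEKS = [20_000.0, 60_000.0, 120_000.0, 105_000.0]  # outage, partial, make-up, normal
SAMPLE_VARIABLE_COST_RATIO = 0.40                                  # variable costs avoided per revenue dollar
SAMPLE_EXTRA_EXPENSE = 12_000.0                                    # overtime and temporary outsourcing


def sample_claim() -> dict:
    return damages_claim(SAMPLE_DIRECT, SAMPLE_PRIOR_WEEKS, SAMPLE_GROWTH,
                         SAMPLE_ACTUAL_WEEKS, SAMPLE_VARIABLE_COST_RATIO, SAMPLE_EXTRA_EXPENSE)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_claim(), indent=2))
```

With the sample inputs the baseline is $105,000 per week, the four-week shortfall nets to $115,000 after the $15,000 make-up week, lost profit at a 60% contribution margin is $69,000, and the direct costs add $545,000, for a $626,000 claim. Every intermediate figure is returned by name so the insurer or opposing expert can trace it back to a record.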

Long-term costs — Cyber events can have lasting financial consequences with impacts felt for years. These losses/expenses generally include:

  • Increased cybersecurity investments
    • Enhancements to security infrastructure (often hundreds of thousands of dollars); insurers and courts usually treat upgrades beyond the pre-event state as betterment rather than recoverable loss
    • Hiring additional cybersecurity personnel or consultants/contractors
  • Higher cyber insurance premiums
    • Increased costs for coverage
  • Loss of Intellectual Property (IP)
    • Theft of proprietary technology, patents, or trade secrets

The farther you get from the triggering event, the harder it is to prove causation. Again, your claim for damages cannot be speculative.

Presenting a clear, compelling, justifiable claim streamlines the process, reduces your overall costs, and allows you to recover more quickly. For all of these reasons, you should consult forensic accounting experts with a proven record of success assisting companies in your predicament.

Now is the time to strengthen controls to minimize potential losses from a cyber event

In today’s environment the likelihood of experiencing a cyber-attack is higher than ever. But you can mitigate the risk with proactive steps that include:

  • Having a solid Incident Response Plan (IRP) in place
  • Purchasing cyber insurance coverage
  • Keeping the financial records (revenue by period, margins, cost structure) that a claim will later need as its pre-event baseline
  • Assembling a strong response team comprised of legal specialists, digital forensic service providers, breach notification partners, and cyber event consultants

Quick action can reduce your financial exposure and help you meet regulatory deadlines. In the unfortunate event you experience a cyber-attack, a forensic accounting firm can help quantify the economic impact and get you on the road to recovery.