This is article part 8 of 10 in this report.

June 17, 2025

The Five Drivers That Can Help Mitigate Growing Reputation Risks

Key takeaways

  1. There are certain cyber attack techniques that are much more likely to become reputation risk events than others.
  2. Reputation risk events can cause shareholder value to fall by an average of 27%.
  3. Reputation risks are nontransferable, but five drivers of value recovery can help companies mitigate them.

Damage to Brand or Reputation is a top-10 risk facing organizations globally today, according to Aon’s latest Global Risk Management Survey (GRMS)[2] — and has been one since 2007.

It should be no surprise that businesses are concerned about reputation risks. In this highly volatile, highly digitalized world, any single disruptive event can significantly and rapidly threaten a business’s reputation. Such events — which include cyber events — may then cause financial markets to reassess their projections around future cash flows, affecting shareholder value. Where a potential negative event, such as a cyber attack, is mishandled, the damage can also go beyond the reputational premium: consumer and employee trust may erode, with knock-on effects for sales and brand value.

As the world becomes increasingly interconnected and cyber attacks get more sophisticated, these risks will only continue to grow. Large cyber attacks on critical U.S. infrastructure and services in December 2024 are an example of the significant threat now posed by this class of risks. As part of these attacks, hackers broke into the U.S. Treasury Department’s systems, accessing unclassified documents and employee workstations.[3] In addition, at least nine U.S. telecom companies were compromised through a coordinated cyber espionage operation, with hackers able to record the phone calls of — and even geolocate — millions of Americans.[4]

While reputation risk has historically been challenging to quantify, Aon’s research shows that a major attack can have a significant long-term impact on a company’s share price. Our 2023 analysis of 47 prominent cyber events showed, for example, that a major cyber incident resulted in an average 9 percent decrease in shareholder value in the year following the event.[5]

How then should businesses approach these reputation risks? Reputation risk is one of the most important of a growing number of risks that are either uninsurable or only partially insurable.[6] Businesses looking to avoid incurring losses as a result of these risks will need to make sure they have a thorough understanding of the risks in question and take steps to manage them. This article concludes with our five drivers of value recovery, which are the levers that companies will need to help minimize their risk of a value-destroying reputation risk event.

When a Cyber Event Becomes a Reputation Risk Event

This year, the Aon team has extended its previous research to assess the impact on shareholder value of different types of cyber events. As with our 2023 research, the findings are derived using a clear, objective definition of reputation risk and proprietary algorithms that can help accurately identify the magnitude of reputational damage, including a shareholder value algorithm that can isolate changes in share price that are caused by company-specific factors from those that are due to market noise.

We analyzed 1,414 cyber events reported in the media up to the end of 2024, of which more than 95 percent were of a malicious nature. We split these events across five categories, based on the cyber-attack technique involved:

  • Malware/Ransomware: Malware damages or disrupts access to a computer system. Ransomware is a type of malware that blocks user access until a ransom is paid.
  • Unauthorized Access and Credentials Attacks: Attempts by an attacker to gain user credentials to access networks or systems.
  • Human Factors: Cyber events stemming from unintended actions by employees such as falling for a phishing scam or failing to follow security protocols.
  • System Exploits: Events in which attackers exploit system vulnerabilities by, for example, injecting malicious code using Structured Query Language.
  • Network and System Attacks: Events that aim to compromise the integrity and availability of a system — such as denial of service attacks.

Of the 1,414 cyber events we examined, our analysis shows that 56 developed into reputation risk events, causing shareholder value to fall by 27%.[7] Our findings suggest that some cyber-attack techniques are more likely to become reputation risk events than others. Malware/Ransomware attacks make up a disproportionate number of the identified reputation risk events, accounting for approximately 60 percent of reputation risk cyber events but only 45 percent of all cyber events.


[Figure: Cyber Attack Techniques - Counts - All Events]

[Figure: Cyber Attack Techniques - Counts - Reputational Risk Events]


Key Observations:

  • Ransomware/Malware is by far the most common type of cyber attack
  • At a reputational risk level, it becomes even more prevalent

Why is it that some event categories are more likely to break through into reputation risk events than others? Malware/Ransomware attacks had a 20 percent chance of developing into a reputation risk event, compared with, for example, just an 8 percent chance for System Exploits attacks.[8] For cyber events, as for other types of events, there is most likely to be large-scale media pickup where there are emotive issues at stake or issues that could be deemed to be in the public interest. Malware/Ransomware attacks fall squarely into these categories.

While Malware/Ransomware attacks may be most likely to become reputation risk events, they may not have the biggest impact. From a severity perspective, Network and System Attacks were typically the most damaging, causing a 51 percent fall in shareholder value. At the other end of the spectrum — though still representing a major risk — Unauthorized Access and Credentials Attacks showed an average effect on shareholder value of –25 percent.

Cyber Attack Technique - Impact

Cyber Attack Technique                        RR Likelihood   Mean SVI*
Network and System Attacks                    19%             -51%
System Exploits                               8%              -31%
Human Factors                                 12%             -30%
Malware                                       20%             -28%
Unauthorized Access and Credential Attacks    8%              -25%

  • Network & System Attacks are typically the most severe in terms of shareholder value impact
  • Particular attention should also be paid to Malware attacks, as these events have some notable attributes
    • Most common (57% of all)
    • High propensity to have a reputational impact (20% likelihood)
    • High impact of Reputation Events (-28% on average)

[Figure: Cyber Attack Techniques – Best/Worst Impact]


As these results show, there is a fairly weak correlation between the types of attack that are most likely to evolve into a reputation risk event and the types that — once they become a reputation risk event — are likely to have the most severe impact on shareholder value. This is because it is media attention that determines whether an issue breaks through, while the level of shareholder value destruction will typically depend on the magnitude of the direct impact on the customer. Network and System attacks, for example, can often result in a rupture of service, which can severely inconvenience — or even harm — customers.

Recommended Actions
The Five Drivers of Value Recovery

As we have seen, the number of uninsurable risks is growing and in many cases these risks are also becoming more severe. In the absence of risk transfer options, companies should consider how to mitigate these risks while also setting aside resources to help absorb any shocks that do occur.

Based on our many decades of serving clients on this issue, we have derived five drivers of value recovery:

  1. Preparedness: Companies need to ensure they have access to the analytical insights required to develop a full understanding of reputation risks and take appropriate steps to help prevent and mitigate potential losses.
  2. Leadership: Where events do occur, strong and visible leadership is essential.
  3. Action: Companies need to take rapid, targeted, and credible action in response to any event.
  4. Communication: Affected companies need to communicate quickly, openly and honestly about both what has transpired and their response.
  5. Change: Following the event, companies will need to demonstrate true remorse and a commitment to meaningful change.

Those companies that can use these levers successfully can help mitigate shareholder value destruction and may even gain a reputational boost. Our 2023 research found that companies successfully navigated 17 of the 47 studied cyber attacks, realizing an average increase in shareholder value of 18 percent.[9] For the remaining 30 events, however, shareholder value saw an average 21 percent drop. Understanding and mitigating reputation risks can help companies preserve significant value and should be a high-priority investment.

References

[1] Over and above the movement of the market.

[2] Global Risk Management Survey: Ninth Edition, Aon, 2023, https://www.aon.com/en/insights/reports/global-risk-management-survey.

[3] Nadine Yousif and Joe Tidy, “US Treasury says it was hacked by China in ‘major incident,’” BBC, December 31, 2024, https://www.bbc.com/news/articles/c3weye2j0e7o.

[4] A.J. Vicens, “US adds 9th telcom to list of companies hacked by Chinese-backed Salt Typhoon cyberespionage,” Reuters, December 27, 2024, https://www.reuters.com/technology/cybersecurity/us-adds-9th-telcom-list-companies-hacked-by-chinese-backed-salt-typhoon-2024-12-27/.

[5] “Build a Plan to Address the Perils of Reputational Risk,” Aon, August 1, 2023, https://www.aon.com/2023-cyber-resilience-report/risk/build-a-plan-to-address-the-perils-of-reputational-risk.

[6] “Key Findings,” in Global Risk Management Survey: Ninth Edition, Aon, 2023, https://www.aon.com/en/insights/reports/global-risk-management-survey.

[7] We judge that a cyber event became a reputational risk event if it targeted a publicly listed company, garnered a very substantial portion of the media attention devoted to that company, and had a negative effect on shareholder value within the following year. To be able to assess the medium-term effects, an event had to have taken place more than a year before the date of the analysis to qualify as a reputational risk event.

[8] These probabilities are not calculated using the full set of 1,414 cyber events, because these include events that happened within the last year and that targeted companies that were not publicly listed — and therefore could not have been classified as reputational events by our definition. There were 196 Malware/Ransomware events that targeted public companies and that happened more than a year before the date of analysis, of which 39 were flagged as developing into reputational events.

[9] “Build a Plan to Address the Perils of Reputational Risk,” Aon, August 1, 2023, https://www.aon.com/2023-cyber-resilience-report/risk/build-a-plan-to-address-the-perils-of-reputational-risk.

[10] Over and above the movement of the market.


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
