Overcoming the Reputational Cost of Cyber Attacks: The 10-Day Plan

Overcoming the Reputational Cost of Cyber Attacks: The 10-Day Plan
Technology

05 of 07

This insight is part 05 of 07 in this Collection.

September 25, 2023 18 mins

Overcoming the Reputational Cost of Cyber Attacks: The 10-Day Plan

Overcoming the Reputational Cost of Cyber Attacks: The 10-Day Plan

The first 10 days after a cyber-attack can be the most damaging. Having a cyber incident response plan in place and ready to deploy can help companies assess threats and develop controls.

Key Takeaways
  1. Taking charge by following clear steps after a cyber event within the first 10 days can help manage a company’s reputational damage.
  2. According to Aon’s 2023 Cyber Resilience Report, nearly 70 percent of overall loss is incurred during the first 10 days in the form of direct losses and cost of management and recovery.
  3. Proactive governance and risk management strategies are crucial to maintain a strong position in the 90 days to follow.

Political and business leaders often have a 100-day plan to make an impact in their roles, but cyber events present a different set of challenges. Instead, it is the first 10 days that count based on our experience.

Day 10 vs. Day 100

The first 10 days after a cyber-attack is crucial for effective crisis management.

  • Most Damage

    66% of this ultimate loss was incurred at 10 days illustrating how the majority of the damage occurred immediately after the event and that any remediation steps taken in the first 10 days will have much greater financial benefits than more delayed actions.

    Day 10 vs Day 100 - Most damage chart_acc1_1
  • Immediate Impact

    Immediate impact stems from direct losses and cost of management and recovery.

    Day 10 vs Day 100 - Long-term impact chart_acc1_2
  • Long-term Impact

    57% of those deemed losers after day 10 remain losers at day 100 which emphasises the importance of acting quickly in the crisis management post event.

    acc1_3
  • Average Loss

    Companies that are ineffective in post-event crisis management have on average suffered 29% more damage compared to the better prepared ones by day 100. Average loss of shareholder value after 100 days was about US$3B.

    Day 10 vs Day 100 - Average Loss chart_acc1_4

Source: 2023 Cyber Resilience Report

“Any remediation steps during the first 10 days post-event should have much greater financial benefits than delayed actions,” says Martin McGovern, Director for Aon’s Actuarial and Data Science practice. “Rapid and effective crisis management can help dampen the potential financial severity of these events and reduce potential catastrophic losses.”

The 10-Day Plan

The 10-Day Plan Having a cyber incident response plan in place and ready to deploy helps affected companies take more proactive steps and make better decisions during a crisis, rather than react in panic mode.

The plan should establish checklists, roles and responsibilities, and a direct line of communication between frontline representatives, responsible persons and decision makers. There should be at least one responsible person from crucial departments, including legal and compliance, communications and PR, finance, HR and customer service.

To be well-positioned for success in the first 10 days of a cyber triggered reputational crisis, businesses can take the following steps.

Assess

Understand the potential reputational impact (from customers, regulators or markets) associated with the first 10 days following a cyber-attack. These insights should better inform critical crisis management and incident response decisions to mitigate reputational harm during this time-sensitive period.

Mitigate

Determine current levels of crisis management, business continuity and incident response readiness and develop appropriate action plans. Ensure that the right resources are in place across operational, legal, communications and threat monitoring capabilities to respond in a timely manner during the first 10 days of an event.

Transfer

Investigate what insurances are in place and ensure understanding of when and how to notify and cooperate with the insurer to best use existing cover. Based on the analysis of reputational exposures during the ASSESS stage, ensure that insurance limits can adequately fund these external resources. Check that notification protocols and service agreements with these vendors are already in place.

Respond

Frequently test the crisis management and incident response plans for a cyber attack. Run cross-team tabletop exercises that involve key vendors and external partners. This will not only improve organizational preparedness, but also give comfort to critical stakeholders, including financial regulators. It’s important to ensure appropriate governance and risk management practices are being adopted to safeguard shareholders such as:

  • Rapid incident response with clear and appropriate communications
  • Implementation of a strong infrastructure to predict and prevent future events
  • Establish clear and consistent insurance and claims protocols
  • Investment in tools to monitor the landscape

“Businesses that plan for, and anticipate, reputational crises and therefore can communicate in a genuine manner, may find that the market not only can forgive, but may also reward those who respond effectively,” says Adam Peckman, Aon’s Global Head of Cyber Risk Consulting and Head of Cyber Solutions in APAC.

Quote icon

Businesses that plan for, and anticipate, reputational crises and therefore can communicate in a genuine manner, may find that the market not only can forgive, but may also reward those who respond effectively”

Adam Peckman
Head of Cyber Solutions, Asia-Pacific

Cyber Governance for Stronger Reputation

While the first 10 days are crucial, it is still important to maintain a strong position in the 90 days to follow. Important governance and risk management strategies include:

Operational response
  • Invoke a business continuity plan: If critical revenue streams or customer services are disrupted, an alternative operating strategy should be implemented to help mitigate the loss. Due to the ubiquity of digital technology across supply chains and production networks, cyber attacks can create systemic disruption. It is critical that these digital disruptions are factored into business continuity programs to minimize the resulting reputational harm from impacted customers and vendors.
  • Find and isolate the breach: Starting with the company’s known vulnerabilities and most critical assets, identify the device or network where the breach occurred, and then isolate the threat to better limit additional damage. Instruct the rest of the company on what IT security actions need to be taken.
  • Accurately identify the problem: Assess the scope of damage to refine the company’s operational and technology response. Make sure the right stakeholders are brought in, the right notifications are made and that all communications are properly managed. This includes customers, impacted data subjects and appropriate regulators. Accuracy is paramount. Being forced to recant or change a previous statement can damage credibility and turn the incident into a PR crisis.
  • Clean up and restore systems: Retrace the attack to reveal compromised data and determine the date the breach took place. Identify the most recent clean backups, and restore or rebuild the system, network and data to their pre-incident state.
  • Remediate cybersecurity gaps: Use the information to strengthen security protocols, refine policies, update response plans and further educate staff and key partners
Communication response
  • Management: Reassure stakeholders and outline a plan to make things right. Identify opportunities to create value.
  • Legal: Report the incident according to relevant laws and regulations, including duty of disclosure requirements for privacy or financial market regulations, listed companies and law enforcement bodies at the local and international levels. Notify partners according to obligations in key contracts.
  • Risk management: Understand all notification obligations and appropriate reporting protocols. Develop a notification plan with the appropriate insurance broker or other insurance professional that considers timing, information requirements and involvement of external partners — such as legal guidance, incident response and claims preparation.
  • Communications and PR: Determine the affected parties and use communication templates to notify them through predetermined channels and according to the predetermined schedule. If the news cannot be contained, issue a timely statement to the public to gain control over the narrative. External communication advice may be helpful for determining whether to shift strategy or change messaging.
  • HR and customer service: Address employee and customer concerns, especially if their data was stolen.

“Companies can use the abovementioned tools to respond swiftly and effectively during cyber crises, seizing the opportunity to control the reputational narrative and minimize damage to their overall brand,” says Christian Hoffman, Aon’s CEO for Cyber Solutions in North America.

Better Decisions for Better Results

Case Study 1: Delayed Action Disrupts UK Telco TalkTalk
  • Event
    • Website down due to “technical issues”, i.e., a cyber attack
    • 4 million customers initially feared impacted
    • 16 days later, 157,000 customers confirmed affected
  • Immediate Post-Crisis Result

    • US$60-70M in exceptional costs
    • Loss of customer trust derails growth plans

  • Response
    • Well-intentioned communications, but issued piecemeal
    • CEO apology video released 2 days after attack became public
    • Technical coherence sometimes lacking, undermining credibility
    • Underestimated time to return to operational effectiveness
  • End of Post-Crisis Year Result
    • One-third of shareholder value lost (approximately US$1.4B)
    • Trading revenue cut by over US$20M
    • 101,000 customers lost
  • Lessons

    • Test the plan regularly
    • Match response to the evidence
    • Expect scrutiny and be technically coherent
    • Respond immediately, or others will

Case Study 2: U.S. retailer Home Depot Unlocks Value in Adversity
Home Depot chart_acc3
  • Event

    • Security breach of payment card systems
    • Malware was custom-made to avoid detection
    • 56 million debit and credit cardholders compromised

  • Immediate Post-Crisis Result

    • US$10B in losses
    • The largest data breach of its kind

  • Response

    • Chairman’s response was immediate, unwavering and empathetic
    • Incident Response Plan activated
    • Free credit monitoring, retired affected terminals, eliminated malware
    • Enhanced encryption technology rolled out

  • End of Post-Crisis Year Result
    • Shareholder value climbed 25 percent (over US$30B)
  • Lessons

    • Respect the fears of customers
    • Prevention is better than cure
    • Rise to the occasion and make things right
    • Respond instantly with a clear focus

Quote icon

Any remediation steps during the first 10 days post-event should have much greater financial benefits than delayed actions”

Martin McGovern
Director for Aon’s Actuarial and Data Science Practice
Authors
  • Richard Waterer
    Global Risk Consulting Leader, Commercial Risk Solutions
  • Jason Disborough
    CEO of Multinational Clients (International), Enterprise Client Leader, Aon
  • Martin McGovern
    Director for Aon’s Actuarial and Data Science Practice
  • Adam Peckman
    Head of Cyber Solutions, Asia-Pacific
  • Christian Hoffman
    Global Cyber Leader

General Disclaimer

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter of modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details. The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner