
What The Board Needs To Know: Cyber Attack Costs

The information and questions corporate board directors need ahead of their next board meeting.

By Rob Sloan, Research Director, WSJ Pro

Oct. 9, 2023 3:33 pm ET|WSJ PRO

What to Know:

How much might a cyber incident cost your business?

IBM calculates the global average cost of a data breach at $4.45 million in its annual report, but directors should not assume the total cost cannot be significantly higher, especially when considering an attack’s impact on operations.


Clorox disclosed an incident in mid-August and has now shared costs associated with the subsequent clean up. The company estimated costs of $25 million for the period ending Sept. 30, related to third-party consulting services such as forensic experts and legal counsel, “as well as incremental operating costs incurred from the resulting disruption to parts of [Clorox’s] business operations.”

The disruption also led to a fall in sales between 23% and 28% for the quarter, turning an expected $150 million profit for the quarter into a loss. The company’s stock is down 22% since the attack was discovered.

MGM Resorts International last week said its operations have returned to normal and virtually all guest-facing systems have been restored after its ransomware incident, first disclosed on Sept. 12.

The company incurred “less than $10 million in one-time expenses in the third quarter,” attributed to technology consulting services, legal fees and expenses of other third party advisors, as well as a $100 million loss on adjusted property earnings before interest, taxes, depreciation, amortization and rent for its Las Vegas resorts and regional operations. MGM said it believes its cyber insurance will be sufficient to cover the financial damage resulting from the incident and operational disruption.

Caesars Entertainment has not yet disclosed costs related to its September ransomware attack, but the Wall Street Journal reported the company paid a ransom to attackers of around $15 million. Costs related to incident response and investigation consultancy can also be expected, though paying a ransom may have shielded Caesars from the degree of business disruption costs MGM experienced.

It is, however, still early days, and the costs for Clorox, MGM and Caesars may continue long after the disruption ends.

Equifax suffered a data breach in September 2017, but even last year recorded legal expenses of $1.5 million related to the incident, bringing the total estimated cost of the incident to over $1.8 billion.

Key questions for directors to ask:

How much have previous cybersecurity incidents cost the company?

What would be the financial impact of the company being fully offline for one hour, one day, one week and one month?

Does the company’s cyber insurance sufficiently cover the potential costs of an incident?

What Else to Know:

How good is communication on cyber risk between management and the board?

In a Harvard Business Review article, Keri Pearlson, executive director of the research consortium Cybersecurity at MIT Sloan, discusses the findings of her board research and proposes a scorecard for communicating key cyber risks to boards. One of the areas Pearlson identified as an issue for businesses was communication between management and the board.

Pearlson’s solution, the Balanced Scorecard for Cyber Resilience, “combines financial, technological, organizational, and supply-chain indicators, and an aggregated indicator of resilience.” Each of the four quadrants representing finance, technology, organization and supply chain shows the biggest risk, the risk management plan and a quantitative indicator of risk. This allows directors to quickly understand the most critical risks, how they can be managed and how concerned directors should be.

How long does it take your organization to detect and respond to cyber attacks?

CSO Online reported on an EY study of 500 cybersecurity leaders that found only around one fifth of respondents are confident about their organization’s cybersecurity approach. The study also found organizations were spending an average of $35 million annually on cybersecurity, but this was not necessarily making companies more secure. Just over half of respondents noted “too many potential attack surfaces” and half said “difficulty balancing security and innovation speed” was a challenge.

A key concern is the speed at which companies were identifying and remediating attacks. Seventy-six percent said their organization took “an average of six months or longer to detect and respond to an incident.” Once attackers are in a network, they are able to find sensitive data and steal it within hours, meaning the damage is done and the attackers are long gone by the time the breach is found.

Does your business conduct effective cyber due diligence ahead of M&A?

Corporate Board Member included cyber risks among its hurdles for directors to consider when assessing mergers and acquisitions targets. The article quoted Steven Horowitz, a board director at healthcare data analytics company SCWorx, who said “It is incumbent that boards ensure management has vetted an acquisition candidate’s current state of cyber readiness.”

Directors should also understand that a business being acquired may have suffered previous incidents that may–or may not–have already been discovered.

Verizon Communications agreed to buy internet technology company Yahoo! in July 2016, but before the deal was complete the company discovered two major breaches that together affected the accounts of three billion customers. The deal went ahead, but Verizon lowered its offer for Yahoo! by $350 million to $4.48 billion. A subsequent class-action lawsuit was settled in 2019 for $117.5 million.


More details on cybersecurity due diligence in the M&A process here.

Meet the Author


Rob Sloan is research director at WSJ Pro. Rob joined Dow Jones in 2014 and spent several years with the Risk and Compliance product team before moving to The Wall Street Journal newsroom to develop and lead the WSJ Pro Research team.
