Share via email

Cash is the lifeblood of business, whatever the industry, sector or size. We take a look at why making sure your business is ‘cash flow fit’ is so important in a climate where cyber-risk is an increasing threat.

"Almost every type of business today uses technology in some form to generate revenue," says Giles Taylor, Head of Data and Cyber Security at Lloyds Banking Group. "On the one hand, harnessing technology is really driving us forward as a society, but at the same time, it makes us more vulnerable if something goes wrong. Over the past few years cyber criminals have woken up to this dependency and the volume of attacks and the impact of those attacks has increased dramatically."

High profile cyber-attacks, such as the NotPetya attack in the Ukraine in 2017 and the Wannacry attack on the NHS have shifted awareness that cyber-attacks are a risk that don't just impact the IT department, but that can have crippling effects on operations and financials. According to a report from McAfee, in 2017 the estimated cost of cyber-attacks globally was between $450 billion and $600 billion1.

"Companies of all sizes need to undertake some sort of risk assessment, that involves evaluating the risks that are specific to their industry, and then doing a likelihood and impact assessment"

Llewelyn Mullooly, Director of Working Capital, Lloyds Banking Group.

Learning the lessons

It's against this backdrop that cash flow or liquidity becomes even more important. "One of the key lessons from the financial crisis for businesses in every industry was that short-term liquidity is crucial for survival," says Llewelyn Mullooly, Director of Working Capital, Lloyds Banking Group.

"That's why we spend so much time helping our clients understand their working capital, so that they can manage their cash flow more effectively. Cyber-risk and cyber-security, and their financial impact, is just another element in managing your working capital and managing your cash flow. Everyone, whether they're the owner of a small business or the treasurer of a multinational company, faces the challenge of forecasting their cash flow and managing short-term liquidity risk. Now it's really important that they include cyber-risks and cyber-security on that agenda."

Contingency planning

Whilst many businesses will have contingency plans in place to manage the impact of traditional crises, such as fire or flood, on their business, a lack of appreciation of the potential scale and scope of a cyber-attack can leave them at significant risk, as Giles points out: "With say a fire or a flood it's generally very well understood; you've got a passive adversary, so the fire is either burning or it's not, and the water's coming up or the water's going down. With a cyber-attack, the consequences could be much more invasive for your business, and much more destructive. Thinking through what those increased consequences could be and how you cover that over the short term is critical."

Increased demands on cash

Some of the immediate impacts could include loss of ability to make or receive payments, loss of communication, interruption of your supply chain, paralysis of systems and operations – anything from your email going down to a production line being halted. At the same time, costs start to spiral – forensic costs of understanding, fixing and preventing the issue from happening again, perhaps additional staff to undertake manual processes whilst automated processes recover, or even capital expenditure on interim systems so that normality can resume as quickly as possible.

"With all of that going on, the burden on your cash is really going to increase," explains Giles. "What businesses also need to remember is that, if you've lost your IT systems, you may not be issuing invoices. So, you've got all these additional bills to pay, and yet there's no money coming in. It could be a real challenge for businesses who haven't planned ahead and who don't have a cash flow buffer available."

Assessing and managing your risk

So how can you make sure that your business is cash flow fit in the face of a cyber-attack? Contingency planning is obviously important, considering all of the technology touch points for your business and how each will have a financial impact, how long recovery will take and whether your cash reserves are sufficient to cover that.

"Companies of all sizes need to undertake some sort of risk assessment, that involves evaluating the risks that are specific to their industry, and then doing a likelihood and impact assessment," says Llewelyn. "Once you've done that you can then actively manage those risks by transferring them, avoiding them, or reducing them. Practically, what that means for any company is that the finance or the treasury department needs to work along with IT; they need to be involved in the risk assessment of their financial systems. But, they also need to include all of these scenarios that are specific to their industry – they need to include that in their cash flow forecasting, their scenario analysis, or for larger companies, their liquidity risk strategy.

"Once they understand what the range of impacts are for their specific business, there are a couple of options financially. They can either take out some form of cyber insurance, which is a growing area of insurance as this risk evolves. Or, they have to assess whether they hold enough liquid assets, whether they need to hold additional liquid assets as a buffer for this type of risk so that they're able to withstand a short-term impact as well as some sort of long-term rebuilding phase of IT systems and reputational damage."

With the right kind of planning, that takes a holistic view of the potential impact of a cyber-attack, and a carefully thought out approach to your cash flow, you'll give your business the best chance of responding and recovering from a cyber-attack.


       Share via email

Related links

Cyber security guidance report

Download our cybersecurity guide for help on how to manage the cyber-threat facing your business.

Cyber security

We take cybersecurity seriously and we’re working with leading authorities to support our customers to understand and manage their exposure to potential cyber-attacks.

Fraud - protect your business

Help protect your business and stay one step ahead of the fraudsters.

Important legal information

Lloyds Bank is a trading name of Lloyds Bank plc, Bank of Scotland plc, Lloyds Bank Corporate Markets plc and Lloyds Bank Corporate Markets Wertpapierhandelsbank GmbH.

Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Lloyds Bank Corporate Markets plc. Registered office 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 10399850. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278, 169628 and 763256 respectively.

Lloyds Bank Corporate Markets Wertpapierhandelsbank GmbH is a wholly-owned subsidiary of Lloyds Bank Corporate Markets plc. Lloyds Bank Corporate Markets Wertpapierhandelsbank GmbH has its registered office at Thurn-und-Taxis Platz 6, 60313 Frankfurt, Germany. The company is registered with the Amtsgericht Frankfurt am Main, HRB 111650. Lloyds Bank Corporate Markets Wertpapierhandelsbank GmbH is supervised by the Bundesanstalt für Finanzdienstleistungsaufsicht.

Eligible deposits with us are protected by the Financial Services Compensation Scheme (FSCS). We are covered by the Financial Ombudsman Service (FOS). Please note that due to FSCS and FOS eligibility criteria not all business customers will be covered.

While all reasonable care has been taken to ensure that the information provided is correct, no liability is accepted by Lloyds Bank for any loss or damage caused to any person relying on any statement or omission. This is for information only and should not be relied upon as offering advice for any set of circumstances. Specific advice should always be sought in each instance.