Stop a cyber crisis turning into a cash crisis
Read time: 7 mins. Added: 11/02/2019
When a cyber-attack happens, costs can quickly escalate. It’s not just about adding a patch to a compromised computer or network system. We take a look at the true financial impact of a cyber-attack on businesses and what steps you can take to reduce your risk, respond and recover.
"When you think about cyber risk, you think about someone stealing information, but it's so much broader than that," says Llewelyn Mullooly, Director of Working Capital, Lloyds Bank. "The financial impact, no matter what business you're in, can be severe and widespread. If you're running a coffee shop, for example, and your payment system goes down, it means you're not able to take card payments. You potentially lose revenue but you're probably still paying staff and suppliers, so there's an immediate impact on your cash flow.
"If you're a manufacturer, a ransomware attack could impact your entire production process, which will have a longer-term impact on your cash flow and business finances. An online retailer whose website goes down will see a loss of revenue and potentially a loss of customer information, which could lead to a fine as well as reputational damage. Whatever sector you're in, the risks are not just operational and IT, but financial."
The immediate priority for many businesses in the face of a cyber-attack is to get their systems back up and running as quickly as possible. Depending on the complexity of their systems and the nature of the attack, this can take anything from a few hours to months. During that time, you need to be able to continue to service your existing customers and run customer operations as normally as possible if your business is to survive. Achieving that whilst your IT systems are compromised or paralysed can add a significant burden to your finances.
"That could mean drafting in additional staff to undertake processes manually or even capital expenditure on temporary systems to enable the business to get back to some form of normality," says Giles Taylor, Head of Data and Cyber Security at Lloyds Bank. "The other issue that people may overlook is that, if you've lost your IT systems, you may not be issuing invoices. So, you've got all these additional bills to pay, and yet there's no money coming in."
Beyond the initial aftermath, the costs of a cyber-attack can continue to escalate, and not just in terms of rebuilding systems. Forensic and associated costs to establish the root cause of an attack, and to ensure that a similar attack is unlikely to be successful, can be significant. Customer redress or compensation can also add up, as can more indirect costs, such as loss of output or reduced productivity. The WannaCry attack in 2017, for example, is estimated to have cost the NHS £92m in direct and indirect costs.¹
"Regulatory fines can also mount up," says Giles. "The introduction of the EU General Data Protection Regulation (GDPR), for example, means that firms can be fined up to 4% of their global turnover for breaches of data security, so attacks that compromise customer personal data could be very costly. Other regulators also take a dim view of businesses whose actions or indeed inactions have made them susceptible to a cyber-attack."
Reputational loss and a decline in customer goodwill can also have an impact over both the short and longer term, and can reduce brand equity as well as sales. If a cyber-attack on a retail business leads to customer loss through leaked credit card details, a manufacturer's system is compromised and orders are delayed, or a coffee shop's card machine is frozen, customers may be forgiven for looking for more reliable alternatives.
So, what can firms do in the face of an increased risk of cyber-attack to reduce the financial cost to their business?
- Reduce the risk of your business falling victim in the first place. Robust IT and system security may seem obvious, but regularly reviewing this is essential as both security and threats to it move on rapidly.
- Train staff to lessen the business' exposure (for example, not clicking on dubious links) as well as to identify potential threats.
- Firm up your processes to ensure that any patches or updates are applied quickly.
- Create a clear plan to manage a cyber-attack. This can significantly reduce the amount of time a business takes to recover.
"Like a lot of risks, when you're actually going through an attack your options are usually quite limited," says Llewelyn. "It requires a lot of planning and forethought. Depending on the size of company you're managing, having a risk strategy or policy that looks at the likelihood and the impact of the risks and then developing a plan to manage that, is vital – whether that plan is avoiding the risk, transferring the risk or reducing the risk. Modelling the cash flow impacts of the risks that you've identified can be instructive."
The risks a business faces will depend, in many cases, on the nature of the business and industry. Understanding how technology is used within your business, and the operations it touches, can help you appreciate the scope and scale of the financial risk connected with a cyber-attack.
Cyber insurance is a growing area as more and more businesses are becoming aware of the potential damage that a cyber-attack can cause. "Whilst insurance will go so far to mitigate some of the risk businesses face, the challenge sometimes is that cyber-attacks can be very complicated, and it may not be clear exactly what's happened and whether it's covered under the policy," explains Giles. "There could also be a period of time where you're going to need to cover an increased call on cash, before your insurance pays out or, in cases where it doesn't, until you've generated enough revenue to cover your costs. Forecasting your cash requirement, depending on different scenarios, is going to be critical to your risk management. And that could even be periods of up to one or two years, depending on how sophisticated your business is."
"It also means having the right sized cash buffer to see through any temporary shocks. Most larger companies will have a complex liquidity risk strategy to calculate this cash buffer and will need to add a range of cyber-attacks to this; smaller companies will need some cash flow scenario planning just to get a sense for the financial risk. For certain companies, depending on the type of assets they hold, a short term cash flow shock can be far more dangerous than the longer-term reputational or operational risk," adds Llewelyn.
Balancing an understanding of the potential impact of a cyber-attack with planning your response, and risk mitigation with insurance, can help your business recover more quickly when the worst happens. Getting to grips with the fact that cyber risk is a risk facing the entire business, rather than just IT, is an important first step.
"Short-term liquidity is the life support of any business," says Llewelyn. "That's why we spend so much time helping our clients understand their working capital, so that they can manage their cash flow more effectively. Everyone, whether they're the owner of a small business or the treasurer of a multinational company has the challenges of forecasting cash flow and managing their short-term liquidity risk. What's really important is that they include cyber-risks and cybersecurity on that agenda."