Welcome to the second instalment of the 'When IT hurts, it hurts' series on cyber attack loss. Coinciding with the release of MinterEllison's cyber survey report, Perspectives on Cyber Risk (the Report), this series focuses on key areas of loss that an organisation may suffer as a result of a cyber attack, and key strategies to mitigate that loss.

Today's blog post looks at our cyber survey respondents' most feared exposure – negative brand perception and reputational damage.

Consumers will tend to avoid organisations who they perceive to be data sieves, or have otherwise been shown to have carelessly exposed their customers' personal information to hackers and other third parties. Front page news with words like 'vulnerability', 'data breach' and 'hacked' may cause consumers (and businesses) to stay away from these organisations (at least in the short term). 1

The loss

The quantifiable fallout from adverse publicity flowing from a data breach is customer churn, a drop in sales, increased advertising expenditure (to reaffirm the organisation's brand image), loss of corporate know-how (if employees leave), and increased compliance costs as regulators opt to scrutinise the affected organisation.

Examples where this has occurred include:

  • Target's precipitous year-on year-profit decline of 46% following its 2013 data breach;2
  • eBay's forecast revenue drop of around US$300m following its 2014 data breach;3
  • Australian technology company Distribute .IT's loss of many key staff at a critical time during its 2011 data breach (a data breach that ultimately led to the company's failure); and
  • TJX Companies Inc spending, or setting aside, around US$250 million in data breach-related costs (including ongoing discounts to entice customers back to its stores).4

Mitigation strategies

Mitigating brand damage is critical to the continued wellbeing (if not survival) of an organisation affected by a highly publicised cyber breach.5 If executed strategically, it can even help to turn an organisation's brand around and demonstrate to customers that it can be trusted.

There are a number of strategies that an organisation can adopt to mitigate reputational loss (and, in some cases, even enhance its brand), including:

  • engaging in pre-breach planning, including by creating and maintaining a comprehensive data breach response plan. The response plan should (amongst other things) set out the process by which the organisation proactively and expeditiously deals with its stakeholders, regulators and the media (including when a data breach notification might be made), and should dovetail into the organisation's crisis management plan
  • training all employees in relation to these plans (including how to respond if they are notified of a data breach)
  • should a data breach occur, ensuring that the executive team operates as a cohesive unit (through communication and regular briefings) so that everyone is on the same page, particularly in relation to customer communications
  • monitoring the media (including social media) and other information sources to understand what is occurring in relation to the organisation's brand, and responding as necessary (again, in compliance with the organisation's crisis management plan);
  • putting the customer – not the organisation – first when it comes to customers' personal information and the potential impact a breach could have on them (particularly where there is a risk of serious harm);
  • taking steps to rebuild public confidence and loyalty in the brand, and where appropriate ensuring that there are positive stories about the brand for the media to report on, not just negative ones. Such measures may include:
    • providing free credit monitoring to affected customers;
    • offering discounts or incentives to retain customers or entice them to return;
    • providing clear and honest explanations of what has occurred, in a manner that is understandable to customers, and using channels that are appropriate for that organisation (which may include social media channels);
    • demonstrating what the organisation has learnt and what new measures or features it has put in place to rebuild trust; and
    • informing customers of any increased security measures introduced as a result of the cyber attack, including how this will protect customers' information going forward.