In the business world, intrusion into digital systems and data theft by hackers is by far the biggest issue. According to a 2019 Cisco report, as many as 31% of companies and organisations have faced cyber-attacks. A successful cyber-attack leads to data loss, which in turn entails loss of reputation, loss of customers and increased costs.
With these dangers in mind, companies do everything they can to reduce the risk of such incidents to a minimum. Yet many risks remain.
Here we focus on three interrelated risks: reputational risk, enforceability risk and litigation risk.
As is well known, reputation is of immeasurable importance in a corporate environment. It has far-reaching consequences: a good reputation means greater trust from existing customers and the ability to win new ones, a perceived quality of service above that of the competition, higher profits and the possibility of faster progress and growth. The loss of reputation, by the same token, means the loss of all these benefits.
The impact on reputation is therefore mainly manifested in three ways:
1) the trust of clients in the company is reduced or completely lost;
2) claims for damages are raised as a result of the company's inability to protect customer data (see Risk of litigation below);
3) the value of the company's shares on the stock exchange declines.
On the last point, recent reports indicate that many companies felt the effects of a fall in their share price caused by a cyber-attack for at least a year after details of the attack were published.
Reputational risk, especially for companies that are financial institutions, is linked to operational risk, which includes legal risk as well as the risk of inadequate management of information and other technologies relevant to the company's operations.
When services are outsourced, data remains by far the most important asset of a financial company, so the handling of that data needs to be treated with special care.
All companies (especially those present globally) must comply with the regulations of the relevant country. Failure to do so can result in severe penalties from government agencies. For example, in 2018 the United Kingdom, in line with the General Data Protection Regulation (GDPR), raised the maximum fine from 500,000 pounds to as much as 17 million pounds or four percent of annual global revenue, whichever of the two is greater.
An unprecedented case in Britain was the Tesco Bank case, in which the Financial Conduct Authority (FCA) fined Tesco Bank 16.4 million pounds for the security failings and data leaks that followed an attack by cybercriminals.
When considering this risk, a particular difficulty arises for multinational companies operating globally: different national laws penalise differently defined offences, which can lead to competing jurisdictions and even to multiple penalties being imposed by different countries for the same incident.
In discussing reputational risk, we concluded that the loss of reputation, in addition to the loss of trust and the fall in share value, may also entail lawsuits from injured parties.
In particular, the GDPR stipulates that a consumer protection body may be formed to bring lawsuits on consumers' behalf. In many developed countries such bodies already exist, or such powers have been given to existing associations (e.g. consumer protection associations).
In the United Kingdom, the Financial Ombudsman Service is preparing and expanding its teams for handling complaints about services, with the aim of increasing the number of lawsuits for compensation for mental distress and financial loss caused by cyber-attacks. Although the compensation received by individual consumers seems low (just under £500 per consumer), it can pose a serious risk to a company and its budget when that company does business with thousands, not to mention tens of thousands or millions, of consumers.
All things considered, the only thing companies can do is to regularly test their responses to cyber-attacks and strengthen their defences. Using multifactor authentication, training and testing employees in cyber security and monitoring them (to prevent insider trading), storing data in the cloud with a reliable cloud provider, and deploying antivirus systems: all of these measures significantly reduce cyber-security risk and the unavoidable costs that accompany it.
Contracts for the outsourcing of ICT services also need to cover and address all security-related risks, so that it is specified who is responsible for control and security.
It is crucial to be in constant readiness and better secured, because it is no longer a question of whether an attack will happen, but when.