Reputational Damage: standing in the line of fire

Reputations tarnished by a successful data breach can make a bigger financial impact on an organisation than cyber-swiped funds or assets. By James Hayes.

Warren Buffett once said “it takes 20 years to build a reputation and five minutes to ruin it… If you think about that, you will do things differently”. It’s not known if the business magnate spoke from bitter experience, but he would certainly be apprised of the importance of a sound reputation as a business enabler.

Reputational damage is a concomitant of reputational risk. As Deloitte has pointed out, reputational risk is interconnected with other business risks more closely than any other type of liability. For example, an industry regulator’s censorious advice can turn into a reputational risk if it becomes subject to media misinterpretation.

The same goes for other risk types, such as the corporate culture, financial results, and of course, cyber security resilience. Arguably, no other phenomenon now has a greater impact on brand reputation than being victimised by a successful hack attack. Indeed, this phenomenon has, over the last decade, served to teach executive leadership across a range of vertical sectors just how critical their organisations’ reputations are – and just how vulnerable they are to impairment that can result from even comparatively minor cyber incidents.

‘Organisations’ exposures to reputational threats have never been greater and continue to grow with the proliferation of digital media,’ Deloitte reports. ‘Threats to reputation can emanate from other risks, yet reputation itself stands among [an] organisation’s most valuable assets, and must be managed proactively… This is one of the few risk domains that chief officers and board members can directly control’. Such eventualities have resulted in a fundamental thought change around reputational risk. Traditionally, senior executives have seen reputational jeopardy as a consequence of other things that happen, Deloitte has noted, rather than a defined risk type in itself: ‘a risk of risks’, rather than a risk in its own right, as it were. Deloitte has further stated that if that question had been asked five years ago, likely no one would have seen reputational risk as a standalone risk. This viewpoint has been upended by successive disclosures about cyber attack events, and the rise of social media as an influencer of public perception.

Given all the potential causes for a reputation impact incident, many organisations are now aware – sometimes by dint of painful experience – that even the most redoubtable enterprise reputations are perpetually vulnerable to damage – damage that can prove slow or hard to recover from, even when not altogether warranted or fair. More than any other reputational threat type, cyber attacks have also highlighted the ways in which a stainless reputation is one of an organisation’s most valuable assets.

Reputation and brand value may be intertwined, but it has become clear in recent years that while brand value may provide a winning proposition when it comes to customer engagement and market share, attracting strategic partners and favourable analyst opinion, it is also a vulnerable attribute that can be quickly tarnished as soon as knowledge of a cyber attack enters the public domain and becomes much picked-over media fodder.

The intrinsic nature of reputational damage is being quantified in terms of overall reputational risk models. Two realisations that have shaped this in the light of recent studies are, first, that a successful cyber attack that results in a data breach, for example, can incur more financial loss than the monetary value of stolen data assets or funds. Secondly, reputational damage sustained following a cyber attack can hurt business or fund-raising operations more than can the lawful actions of your competitors.

An April 2019 article from Raconteur also highlights the fact that reputational risk has traditionally been seen as ‘an outcome of other risks and not necessarily a standalone risk’. As Deloitte also suggests, this view has been gradually changing, Raconteur explained, as it becomes increasingly clear that reputation is now ‘critical to the viability of a company’ and deemed part of the intrinsic value of brand or product assets.

Aon’s Global Risk Management Survey 2019 points out that whenever a business undergoes a ‘reputation event’ it cuts to the core of their brand’s perception. ‘Technological developments have heightened reputational risk by making it easier, cheaper and faster for news to be propagated,’ the report adds. ‘The combination of [the] 24/7 news cycle with widespread use of social media puts brands at risk for long-term negative consequences, both in public perception and in the marketplace.’ According to some other recent surveys, many organisations are alert to the fact that cyber threats pose the biggest challenges when it comes to mitigating the risks of reputational damage.

Sixty-six percent of respondents to the Business Continuity Institute’s 2018 Cyber Resilience Report considered reputational damage as ‘the most concerning trend’ when it comes to cyber security incidents, and rated it ahead of the adoption of IoT devices (54%) and cyber attacks with physical security consequences (46%).

Fifty-three percent of respondents to the same survey rated a consistent PR strategy to mitigate reputational losses in the event of a cyber security incident as being the third most important feature of their enterprise business continuity strategies.

Increasingly, the ‘cost’ of reputational damage is being factored into assessments of the total financial impacts of cyber data breaches. In general terms, the cost of data breaches continues to increase year by year, according to figures from the 2018 Cost of a Data Breach Study by Ponemon Institute (sponsored by IBM Security), with reputational and regulatory costs identified as main drivers of the increase for 2018. In 2018, the average cost of a data breach globally was €3.47m – a 6.4% increase from 2017, Ponemon Institute estimates. (This is due to so-called ‘mega breaches’ where 1m-50m records are compromised, resulting in losses of between €35.98m and €314.84m.)

It is reasonable to infer that ‘indirect losses’ – which include customer churn, business interruption, and management strategies to handle the breach – were significant contributors to these large losses. Large-scale breaches (of more than 1m records) typically cause reputational damage to the affected company, which results in share price reduction and loss of customers for some period, the Cost of a Data Breach Study notes.

As the Centre for Risk Studies Cyber Risk Outlook 2019 report explains, organisations should be aware that significant indirect losses can stem from reputational risk caused by data loss events. Stock price decreases, and increased customer turnover, following a data loss incident can cause major revenue loss. In 2018, for instance, Facebook suffered a data breach that resulted in an estimated 50m accounts being compromised. The day the breach was disclosed, Facebook’s share price fell by 3%, wiping $13bn (€11.68bn) off the company’s market capitalisation. (Facebook may also face a penalty if found to be in violation of GDPR.)