Beneath the surface - exploring the hidden costs of a cyber attack

In today's interconnected digital world, cyber-attacks have become common, impacting businesses, government agencies, and individuals alike. The rapid shift of digital technology in the APAC region, accelerated by the pandemic, has led to a significant increase in cyber-attacks. In the first quarter of 2023, APAC experienced an average of 1,835 attacks per organisation each week, compared to the global average of 1,248¹. 

The immediate financial impact is often widely reported and evident, with companies facing direct losses from extortions and system and data restoration. While these financial losses are severe, they are just the tip of the iceberg. Beneath the surface are hidden costs, including reputational damage, loss of customer trust, and operational disruptions, and these often outweigh upfront expenses, making up 90% of the total impact of a cyber-attack².

What are the hidden costs of cyber-attacks?

1.    Reputational Damage 

Reputational damage is one of the most profound hidden costs of a cyber-attack, especially in cases where sensitive data is compromised. Trust is crucial in any business relationship, and a cyber-attack that exposes sensitive data can significantly erode this trust.

For example, in 2018, Singapore’s largest healthcare group, SingHealth, experienced a data breach that compromised the personal data of 1.5 million patients, including then Prime Minister Lee Hsien Loong. This incident not only damaged the organisation's reputation but also eroded public trust in the government and the healthcare system. Following the breach, over 60% of affected customers reported a loss of trust in Singtel, leading to a 3% drop in its share price³. Furthermore, analysts projected a 5-10% decline in brand value, while customer churn – both in terms of migration and loss of value – rose by 15%, with negative social media mentions increasing by 30%⁴.

2.    Loss of Customers and Revenue 

Reputational damage frequently leads to significant customer attrition and revenue loss. A breach can be perceived as a severe infringement on personal data protection, leading customers to question the organisation's ability to safeguard their information and to seek out alternatives, which can cause a substantial decline in both customer base and revenue. Many small and medium-sized businesses don't have the customer base to endure the reputational damage.

According to JP Morgan, Singtel-owned Optus lost 65,000 post-paid mobile subscribers, or 1.1% of its customer base, in the three months following its 2022 data breach that 1.2million customers⁵. 

3.    Disruption of Business Operations 

Cyber-attacks can severely disrupt business operations, causing delays and impacting productivity. In some cases, businesses may need to shut down temporarily to address the breach and secure their systems. This disruption can result in missed opportunities, delayed projects, and reduced overall efficiency, affecting both short-term performance and long-term business operations.

One example would be NotPetya, a 2017 cyberattack that appeared as ransomware but was actually destructive malware that caused widespread system failures and significant financial damage. The attack severely disrupted Maersk’s business operations, causing a global halt that impacted 76 ports and over 800 vessels⁶. It destroyed 49,000 laptops, rendered more than 1,000 applications unusable, and led to an estimated financial loss of around $300 million⁷. Critical IT infrastructure was knocked offline, and Maersk had to rebuild its entire IT setup, reinstalling thousands of servers and applications across 600 sites in 130 countries.

4.    Impact on Business Partners and Stakeholders in Supply Chain

In today’s interconnected world, businesses rely heavily on their partners and stakeholders for seamless operations. Disruptions such as cyber-attacks can severely impact this network. When a company experiences issues, its partners and stakeholders often face the consequences, including reputational damage and operational setbacks.

For instance, the 2020 SolarWinds supply chain attack was a major cyber-espionage incident where compromised software updates infected more than 18,000 systems worldwide, causing irreparable damage worth billions of dollars estimated to be 11% of annual revenue or about $12 million per company and disrupting supply chains and critical operations globally, including significant impacts in the APAC region⁸.

5.    Legal and Regulatory Consequences 

Cyber-attacks can lead to severe legal and regulatory repercussions, particularly in regions with strict data protection laws. Companies may incur hefty fines, face legal actions, and experience increased scrutiny, resulting in financial and reputational damage.

An example is the Optus cyber-security breach in 2022 that compromised the data of roughly 2 million customers. Following the breach, Optus, a subsidiary of Singtel, faced a potential AUD 2 million fine⁹ from the Australian Information Commissioner and a class-action lawsuit involving over 100,000 customers seeking compensation¹⁰. The company reserved AUD 140 million for breach-related costs, including identity document replacements, Equifax Protect subscriptions, and a Deloitte review. Ensuring compliance and having robust incident response plans are crucial for mitigating these risks. 

Mitigating Hidden Costs with Cyber Insurance 

While the upfront costs of cyber-attacks are significant, hidden costs like reputational damage, customer loss, and business disruption can be even more severe. Given the significant and varied hidden costs associated with cyber-attacks, businesses need to take steps to protect themselves. 

To mitigate these risks effectively, businesses should prioritise strong cybersecurity and invest in comprehensive cyber insurance. The most robust cybersecurity measures can't eliminate all threats. Cyber insurance is a crucial part of protection; it serves as an essential safeguard against relevant risks around the complexities of cyber threats, including data breaches, business interruptions, and reputational damage. Investing in cyber insurance is key to enhancing resilience, maintaining stability, and securing long-term success in a digital world.

As experts in cyber risks, our cyber insurance policies are tailored to the needs of today’s businesses. Our approach offers both financial protection and expert advice, helping companies navigate the challenges of cyber threats effectively. By combining comprehensive coverage with strategic guidance, we ensure businesses are prepared for both the immediate and hidden costs of potential attacks. 

¹ World Economic Forum, Why is the Asia Pacific region a target for cybercrime - and what can be done about it?  
² PCMatic.com, The Hidden Cost of A Cyber Attack
³ Singtel, Singtel addresses data breach, moves to support affected stakeholders
⁴ Journal of Cybersecurity, Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018 
⁵ Australian Financial Review, Optus crisis to shake up telco market
⁶ CSO, Rebuilding after NotPetya: How Maersk moved forward
⁷ Industrial Cybersecurity Pulse, Throwback Attack: How NotPetya Ransomware Took Down Maersk
⁸ TechRepublic.com, Cybersecurity study: SolarWinds attack cost affected companies an average of $12 million
⁹ BBC, Optus: How a massive data breach has exposed Australia
¹⁰ ABC News, Optus reveals more than 2 million customers had personal ID numbers compromised in cyber attack