Risk Quantification and Transfer: Learn the Hidden Costs of a Cyber Attack

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

It’s simple. You can’t manage financial risks you don’t know about. You can’t quantify risks you know nothing of. You can’t create risk mitigation plans. You can’t knowledgeably accept the risk. You can’t transfer the risk, either. In short, you’re just not ready for it.

Having a granular understanding of all the financial losses that can result from a data breach incident is essential to building resilience against an attack.

Often organizations lack a comprehensive understanding of the financial loss from cyber risks. For example, what’s the first thing that comes to mind when you think about damages from a major cyber attack? Loss of trust in your company? Regulatory fines?

All of these factors can contribute substantially to the total cost of a data breach. But there are many, many more expenses to consider. Ones you might not think of until it happens to you.

Let’s start with the most significant first party costs.

Following a breach, the organization can expect to incur costs from: external public relations and crisis communications agencies; outside counsel; incident response investigators; an immediate or extended material outage; continuity and restoration expenses such as leasing other IT infrastructure; and lawsuits filed by clients and customers.

But these are just the more obvious ones.

Third parties may also face losses arising from your attack and you may be responsible for them. For example, if you’re an IT provider you may have a consequential revenue loss. Say you run a booking platform and no one can buy tickets from your clients’ sites. Your clients may lose revenue since they can’t sell tickets because of your outage, and they may be indemnified on their loss. Or you’re holding a client’s customers’ personally identifiable information or personal health information. The client may be facing law suits, regulatory fines, and civil penalties that you could also be responsible for. A third party’s restoration expenses could also come back to you if malware is involved and it has spread from your system to theirs.

And that’s not all. Cyber breach expenses are often assumed to stem from breach of privacy, but first party and third party losses can be tangible, too. Not long ago, a steel manufacturing facility in the EU had significant property damage in the eight-figure range from a cyber attack. As trains and cars, for example, become operated more remotely, there’s risk of physical property damage and bodily injury. The same goes for energy companies with all of their SCADA systems, and chemical companies with safe operations reliant on tightly controlling the specifications of their product, as well as the environment of production and transfer.

To begin uncovering your own organization’s hidden cybersecurity risks, engage in proactive risk assessments and tests. This includes penetration testing to examine your network’s defenses, red team testing to see what an intruder can achieve once inside, an incident response readiness assessment to make sure the appropriate people are prepared to react in the event of attack, a third party risk assessment to learn how your partners and vendors impact your risk posture, and optimally, a 360-degree cyber risk assessment to gain an understanding of the full spectrum of your risks—and they’re possible financial impact.

When it comes to risk, you’re not prepared if your risk mitigation plans are based on assumptions or hypotheticals. The first step is awareness and understanding the full spectrum of risk. Because only then can you really make sure you’re ready to handle it.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas: Cyber, Transfer

I am: In the C-Suite or a Director

Tags: cyber attack, quantify, transfer


Commentary, new discoveries, and innovative ideas right to your inbox.

Stroz Friedberg

Sorry! You are using an older browser which is not supported by this website.

Please download one of these free browsers to enjoy all our website has to offer:
Firefox, Chrome or Internet Explorer.