Mike Yeomans, Manager, Cyber Risk Modelling and Quantification | 5 min read

For organisations, cybersecurity is taking centre stage. With the new hybrid model of working in place, cyber risks are bound to increase and evolve. They have topped the list of identified threats for businesses and organisations. And we all know, if not managed properly, cyber risks can lead to both financial loss and reputational damage.

Boards and senior management are constantly looking for metrics to quantify, mitigate and manage cyber threats. With the right set of metrics and framework, one can easily quantify financial loss caused by a cyberattack. However, companies find it challenging to calculate the reputational damage. Some even believe that such reputational damage can’t be assessed financially.

However, I think it is possible to measure reputational damage by looking at the right metrics. In this blog, I will talk about eight important metrics to help quantify reputational impact.

Share value: When attributing a cost to reputational impact, a drop in the share value is one of the most obvious metrics to adopt – at least for publicly listed firms. While stock prices do tend to recover after their initial dip, an often-cited Comparitech blog from 2017 shows that these stocks then consistently underperform peers on the NASDAQ. This is corroborated both by a 2020 New York University study and by a 2018 academic paper, which also noted strong corporate social responsibility credentials as one of the best mitigations to reputational impact.

Insurers also look at share value as a metric for reputational impact. They now offer products designed to pay out in the event of the kind of sudden price drop witnessed after a breach of cyber security.

PR firms and advisors: Another metric to consider is the cost incurred from the specialist advisors who help with a media strategy to get the messaging campaign right. A wrong media strategy can be disastrous, so getting the expertise of a PR firm is vital – but it comes at a cost. Their services are often covered as part of reputational impacts by insurance policies, so it is evidently something that can be financially quantified. While perhaps not the total cost of reputational impact, the cost of PR advisors can be reliably measured, so this outlay is a dependable, if incomplete, metric.

Complaints hotlines: A rise in complaints can require organisations to hire or contract extra staff to handle complaints hotlines and social media channels. This surge resourcing can come at a premium and – like PR advisors – is vital to prevent more serious fallout. It is also a cost that is readily measured and can be used to quantify reputational impact. However, ensure double counting doesn’t occur when also appraising the cost of the incident response.

Loss of customers and sales: A drop in the number of customers is also a measurable way to assess reputational impact in financial terms. Centrify/Ponemon and IDC report that between 65 percent and 87 percent of customers would take their business elsewhere after a cyber security breach, as happened to a number of major firms that lost tens of thousands of clients after suffering cyber security breaches. In lieu of metrics such as account or subscriber numbers, techniques such as the relief-from-royalty method can be used to quantify the devaluation of an organisation’s intangibles that can occur after a breach.

Higher audit burden: Suppliers and key customers of a firm that has been breached are more likely to be nervous about its cyber security arrangements. This can lead to more audits and possibly even require certification against standards like ISO 27001 or equivalent before trust is sufficiently re-established. This added compliance burden comes with a cost.

Legal fees and private investigations: High costs can be associated with recovering intellectual property (IP), fighting sale of counterfeit products, and defending trademarks. These bills can stretch to millions, with lawsuits that can last years. Such work is regularly required to stop loss of sales and further loss of customers due to association of your brand with poor quality, knockoff goods.

While not all legal costs can/should be linked to reputational protection – care should be taken over which ones to include as a metric – the costs can be clearly accounted for, helping to quantify reputational impact.

Costlier credit and insurance premiums: A rise in the cost of credit as well as increased insurance premiums are known to be associated with cyber incidents. To creditors, a breach shows the organisation is less reliable, riskier, and correspondingly, it must pay more for financial services; its reputation is no longer as valuable in commanding respect or trust on the financial markets.

Increased cost of medical treatment: In the healthcare sector (increasingly a target of cyber attacks), reputational impact can be assessed by estimating the increased cost that is incurred when patients delay initial contact with their doctor. Cyber breaches cause a loss of confidence in a healthcare provider, which is a known factor for patients delaying or postponing treatment for illnesses. A delay means that diseases become more severe and costs of treatment go up, providing a tangible way to price reputational impact, even for public sector organisations.

The above examples are neither exhaustive nor applicable to every organisation and incident. None are perfect and a degree of maturity may be required to initially track the associated data. But that tracking can begin now.

With the right metrics established, the tracking, management, and mitigation of reputational impact can begin. Pre-emptive planning and the use of incident response teams are the most effective measures to minimise reputational impact. The mitigation should start well in advance so that when the time comes, you are ready to handle the incident well to minimise any fallout.

Our team of experts at KPMG can help you in planning and executing cyber risk quantification assessments that will assist in identifying mitigation strategies early on to minimise any damage. We can also assist you in determining the framework and metrics best suited for your organisation.
