Moody’s Investors Service said recently that reputational risk from cyberattacks is rising for many companies globally, as episodes have become more publicised.
In the past, many companies avoided disclosing cyber incidents, fearing such disclosures could invite further attacks or damage their reputation. These episodes pose varying degrees of credit risk depending on the sector, the size of the company and its relationship with its customers.
“Companies whose customers can easily switch to a competitor or whose business activities rely more heavily on trust are more exposed to reputational risk stemming from cyberattacks,” Moody’s said in a report.
“These risks are growing because of increased disclosure of attacks, both from cybercriminals, who are increasingly identifying the organisations they attack, and from more stringent disclosure requirements put in place around cyber events. Cyber resiliency planning and crisis management actions are essential components to mitigate the risks,” it said.
Key findings of the report:
- Cybercriminals are now publicly identifying the companies they attack, and new laws and regulations are requiring companies to notify customers and stakeholders whenever data is compromised, the report said.
- These increased disclosures are allowing customers to learn more about a company’s cyber track record and to factor cybersecurity into their business decisions.
- Disclosure also brings reputational damage, which brings higher costs and can weaken revenue. A damaged reputation can result in increases in the cost of capital, regulatory costs and additional costs for attracting and hiring talent.
- Companies with damaged reputations may also lose the support of customers, investors and other counterparties, causing a reduction in revenue.
- Organizations with lower customer bargaining power or confidence-sensitive business models have more exposure to cyber-related reputational risks.
- Companies can employ various strategies to reduce customer churn and limit reputational harm, although these strategies can be expensive or frustrate customers, the report suggested.
- Healthcare and financial institutions are particularly at risk because of the sensitive data customers entrust to them, and the relative ease in switching providers.
- The report also said the biggest cause of increased disclosures in recent months is a change in criminal behavior. Cyberattackers have become more targeted when launching ransomware attacks. Ransomware gangs previously only named entities that refused to pay the ransom, the report disclosed.
- A new tactic to coerce payment is to name all entities that have been attacked and release private data of those who do not pay the ransom. Many companies have taken the attitude that they have no choice but to acknowledge the ransomware attack once attackers identify them publicly.