Quantifying Business Interruption Loss from a Cyberattack


For all of the spotlight that cybersecurity has received over the last several years, there are still an alarming number of businesses consistently failing to protect their data. Even worse, when these organizations ignore the threat of a cyberattack they are also putting their clients’ data at risk. In the first half of 2019 alone, an estimated 4.1 billion records were victim of a data breach. Even more worrisome? A mere 5 percent of businesses’ file folders are adequately protected.

These cybersecurity statistics are difficult to ignore. Nevertheless, the majority of companies are not taking the proper steps to protect themselves and their clients. So, what will it take for business owners to take this seriously? For starters, it is time for business owners to turn their attention to the massive loss occurring. In doing so, the impact of cyberattacks will be clearly highlighted to finally breed action.

Small to medium-sized businesses are the most vulnerable when it comes to cyberattacks. One of the biggest issues is that these companies invest in an initial cybersecurity plan and then fail to continually manage those efforts. As a result, the ever-sophisticated cyber-attackers adjust and evolve, making it impossible to combat with an outdated strategy.

Today, we discuss the quantitative value of business interruption loss when a cyberattack occurs. By putting it in these terms, it is our hope that business owners will address cybersecurity consistently moving forward.

The Impact of a Cyberattack

The most publicized high-profile cyberattacks tend to highlight a direct loss associated with the data breach. But what about its impact on a larger scale? Surely these security issues extend further than the monetary loss immediately following the attack. Business interruption loss tends to be massive when cybersecurity measures fail. From general business disruptions to damaged reputations to impaired customer relationships, the business interruption loss of a cyberattack is far-reaching.

The concept behind quantifying business interruption loss lays the foundation for distributing the resources and support necessary for proper cybersecurity. The following are the most common areas of loss from cyberattacks:

  1. Productivity: when a cyberattack occur, a company is likely unable to deliver its services or products
  2. Sales: if IT functions are down, a company is unable to process or receive orders
  3. Replacement: in many cases, things like servers or other assets will need to be replaced following an attack
  4. Inefficiency: a cybersecurity failure often results in manual efforts while the system is being restored, making labor efficiencies drop significantly
  5. Response: far too many organizations lack the means necessary for quick response to the hack, resulting in additional meetings and time spent to address the plan of action
  6. Overtime: it is common for employees to put in additional hours following a cyberattack
  7. Reputation: once the perception of your organization is tainted, it is extremely hard to come back without dedicating immense resources to image improvement
  8. Competition: your competition will surely attempt to take advantage of your security issues and capitalize on your customer base

In addition to the above business interruption losses, cyberattacks can also result in monetary penalties from the government. Regulatory agencies like the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) are just some of the roadblocks that could result in fines.

Calculating cyber loss is very similar to calculating typical business interruption losses. Overall, the objective is to fully understand, make record of, and quantify these losses in order to properly assess their impact in the event of an attack. Cybersecurity is all about risk management and those companies willing to invest their resources now will position themselves to save big in the long-run.