Money, reputation, customers – what does a crisis actually cost?
James Thorpe
Is investing time and money in crisis management worth it? This is perhaps the most frequently asked question in business environments.
So, if you are asking the same question, the good news is that we are here to answer it. The experiences of the last couple of years – the pandemic, extreme weather, political conflicts – have reinforced our argument: yes, it is indeed worth the effort and the cost.
However, concrete cost-benefit considerations are often difficult to calculate because empirical values and reliable figures are scarce. Hence, we will dive deep into the topic to explore what needs to be considered when deciding whether an investment is worthwhile. In this three-part series of articles, we look at what a crisis costs, how crisis management saves costs, and how to approach a cost-benefit calculation.
Part one: Money, reputation, customers – what does a crisis actually cost?
A crisis is defined as an exceptional, unstable situation that threatens a company’s strategic goals, reputation or even its very existence. Such exceptional situations are difficult to measure in every respect – especially in monetary terms.
Even the smallest incidents have the potential to cost a high price. In the end, how well a crisis is managed is what determines its expense. To understand a cost estimate, let us first look at where and how the costs arise in the first place.
Supply chain disruptions, tanker accidents, extreme weather events – business crises cost companies heavily, whether in time, money or, in the worst case, reputation. Cyber incidents, in particular, pose persistent threats to companies across the world. According to the Allianz Risk Barometer 2022, cyber attacks are the biggest concern for companies, followed by business interruptions and natural disasters.
And rightly so, if you look at recent examples: in May 2021 the pipeline operator Colonial paid cyber extortionists a ransom of around USD 4.4 million, of which US authorities later recovered roughly USD 2.3 million. Shortly before that, Acer was confronted with a ransom demand of USD 50 million for stolen data. The pharmaceutical company Merck claimed around USD 1.4 billion from its insurers after the NotPetya malware attack.
These are not exceptional cases but a few among many. The recurring pattern shows how cyber crime can threaten a company's very existence. The increasing number of cases and the ever-rising amounts of damage are also driving up the cost of cyber insurance, and in many cases policies no longer cover ransom payments at all.
Even if we exclude cyber crime, data losses can happen through accidents and escalate into bigger crises. In March 2021, a major fire at OVHcloud, one of Europe's largest cloud providers, took four data centres in Strasbourg offline, after which many corporate customers were shocked to discover that they had no backup of their data.
Direct, indirect, little room for negotiation – cost points of a crisis
It is safe to infer that money is lost in every crisis situation, regardless of its specific nature, through three mechanisms that act at the same time.
- Firstly, there are "direct" costs of coping with the situation. These range from recognising the problem to facilitating the return to "normal operations"
- In addition, there are "indirect" costs, because, for example, planned revenues are lost during a business interruption, or order volumes temporarily drop because of a loss of reputation
- A third aspect is the need to procure external expertise or material for crisis management. This is usually done under time pressure and therefore turns out to be more expensive. Under the pressure of the situation, decisions are made on the spot and additional spending is scrutinised less, so costs above the usual market conditions need to be factored in. An extreme example is the procurement of masks at the beginning of the pandemic, some of which had to be bought at tens of times the usual market price
From discovery to recovery – the cost factors of a cyber incident
The extent and frequency of cyber incidents are relatively well documented compared with most other crisis scenarios (largely because of legal reporting requirements). So, let us look at the costs of a cyber attack. The Ponemon Institute, in its "Cost of a Data Breach Report 2021", puts the average total cost of a data breach at 4.24 million USD; breaches involving ransomware averaged 4.62 million USD.
In the case of a "mega-breach", i.e. a very large data breach with over 50 million affected records, the cost rises by a factor of almost 100 to 401 million USD. The report breaks the total down into four cost drivers (the shares below are taken from the 2022 edition):
- Detection and escalation: In the case of a cyber attack, this includes forensic and investigative activities, assessment and audit services, crisis management and internal crisis communication => Accounts for 33.1% of costs
- Lost business: In the case of a cyber incident, this includes losses due to business interruption and lost revenue from system downtime, but also the cost of lost customers and of acquiring new ones, as well as reputational damage and reduced goodwill => Also a big factor, accounting for 32.64% of costs
- Crisis communications (notification): Notifying affected parties through various channels, exchanging information with supervisory authorities and hiring external experts all cause costs here => Accounts for 7.13% of costs
- Post-breach response: In cyber crime incidents, this includes setting up a helpdesk, monitoring affected accounts or identities, issuing new accounts or credit cards, legal costs, product discounts and regulatory fines => Accounts for 27.13% of costs.
Part two: Hope is not a strategy – how incident and crisis management pays off
"There is no glory in prevention." Crisis managers knew this long before the phrase became a media staple for virologists and epidemiologists during the COVID-19 crisis. Crisis managers rarely get credit for the fact that little or nothing happens when a crisis has been well prevented.
It is simply difficult to grasp what is gained by preventing or mitigating a crisis. On the contrary, the prevention paradox means that good prevention itself leads people to underestimate the danger in future. After all, (almost) nothing happened. But good prevention saves costs. How, where and when prevention pays off is the subject of this part of our series.
Of course, the greatest cost savings are made when a crisis does not occur in the first place. Simply hoping that one's own company will not be affected is, however, an extremely bad strategy. Experts agree, and the figures speak for themselves, especially because the probability of a crisis increases with each passing year. The risk of becoming the victim of an extortion (ransomware) attack alone grew by 47 percent in Q2 2021, according to the threat intelligence firm Digital Shadows.
The FBI says it is tracking around 100 active extortion groups. According to the Business Continuity Institute's Cyber Resilience Report, 61 percent of companies were hit by at least one cyber attack in 2021. Likewise, the risk of companies being surprised by unexpected crises, and of having to cope with several events at the same time, is increasing. As the well-known Austrian crisis expert Gerhard Saumwald rightly put it: "The most important crisis scenario is the one you don't expect".
In many companies, what I call "insurance thinking" still prevails: people prepare only for probable risks and shy away from the cost of insuring against improbable ones. But the completely unexpected will happen more often in the future.
Dealing with risks – starting points for reducing crisis costs are essentially in four areas:
Early detection and prevention: Prevention begins with monitoring and detection. Whether it is tracking changing risk factors, analysing impact, keeping software updated or establishing a permanent crisis management team, prevention measures can be very diverse and wide-ranging depending on the company. The important thing is not to stop at identifying prevention opportunities but to follow them up regularly and track possible changes. It is equally important to update your BCM strategies on the basis of these changes so as to stay prepared even for improbable crisis or emergency scenarios.
When it comes to cyber incidents, the top ten cost-reducing factors include business continuity planning, management involvement, staff training, and the establishment of incident and crisis management teams.
Understanding established processes and the crisis management "manual": If you know what to do in the event of a crisis, who is responsible for what and how to reach them, you have two significant crisis cost factors much better under control: time and reputation. The time saved pays off three times over: at the beginning, especially when alerting staff and mobilising teams; during the crisis; and in the follow-up, for example when preparing reports for the authorities.
The value of reputation is often underestimated in the context of a crisis. It is usually not the crisis itself that shakes the confidence of customers, business partners and authorities, but poor handling of the situation. Public opinion starts to doubt the company's operations as a whole: are the other areas of the company run as badly as its crisis management?
Well-founded training: Those who have played out possible crisis scenarios under realistic conditions, established structures and communication channels, and have the necessary tools and materials at hand and know how to use them are more effective and in turn save valuable time.
Companies with a tested incident response plan and a well-trained incident response team (IRT) spend about 50% less dealing with a data breach than companies without one.
Act quickly: Speed is key in any crisis scenario. The quicker you can react and contain or end the crisis, the lower the costs. The shorter the crisis lifecycle (the time that elapses until an attack is detected and fully resolved), the lower the costs. The basic prerequisite for quick action is, in turn, fast, targeted communication and close cooperation across location and departmental boundaries.
Professional SaaS solutions in particular support this, as the BCI Emergency Communications Report 2021 once again confirms: 52% of companies that use such a solution manage to activate their emergency plans within five minutes, compared with only 21% of companies that work without a tool. At the same time, these systems enable more effective collaboration through tools for virtual cooperation across departmental and site boundaries.
According to the Ponemon Institute's calculations, the cost of a data breach is on average around 29.7% higher when the crisis lifecycle exceeds 200 days.
Part three: The smart way out – invest to save
Professional incident and crisis management solutions address all the factors discussed in Part 2: prevention, processes, training and speed. They thus create the best conditions for crises, even when they do occur, to cause less damage, because they help to shorten crisis lifecycles, reduce the level and intensity of the damage, manage incidents professionally, and strengthen reputation and customer loyalty through good, fast communication.
But is the investment in crisis management worth it? Of course, a precise RoI calculation is not easy here, because crises are by definition dynamic, complex and dependent on many factors, and so are their costs. But if we take as a basis the data from the Ponemon study, which looks at the costs of "normal" data breaches, we can take a closer look at the positive financial effect incident and crisis management can have.
In the "Cost of a Data Breach Report 2022", the Ponemon Institute calculated that a single data breach – i.e. a typical cyber incident that can occur at any time and does not necessarily have to be a real crisis – cost companies an average of 4.35 million USD in 2022, an all-time high and a 2.6% increase over the previous year.
And the trend is rising. Mega data breaches, i.e. "real" data crises with more than 50 million compromised records, cost an average of 401 million USD, almost 100 times more than smaller data breaches with fewer than 100,000 affected records.
Return on Investment: At what point does the investment in professional crisis management pay off?
The interesting figure in the study for our question: in companies with professional incident response, the cost per incident was on average roughly 50% lower.
Converted, this means that professional incident response in 2022 saved companies an average of 2.66 million USD in the handling of small to medium data incidents. Following the trend of the last couple of years, the savings for companies with an IR team or plan continue to grow this year.
Even if we assume, for the sake of comparison, that incident response has only half that effect – 25% cost savings instead of the roughly 50% calculated in the study – this still results in savings of at least 1 million USD for well-prepared companies of all sizes, per incident, mind you. So we can safely conclude that good preparation already pays off for smaller incidents in the form of significant monetary savings. In the case of a major data crisis costing an average of 401 million USD, almost 100 times that amount, the effect of good crisis management can amount to several hundred million dollars in potential savings.
The rising trend in crisis costs is due, on the one hand, to an increasingly complex environment and, on the other, to the fact that systemic crises, such as a pandemic, attacks on critical infrastructure or the disruption of global supply chains, extend over a longer period and can have far-reaching domino effects. The effects of the closure of the Chinese commercial port of Yantian at the beginning of the COVID-19 crisis, or of the week-long blockage of the Suez Canal, were still being felt months later.
One can therefore assume that the return on investment in good crisis management, with a professional system and a well-trained team, comes much faster, especially in the case of multiple crises.
Here, companies can save millions in every type of emergency, probable and improbable, whether fire, natural disaster, business interruption or cyber attack. But the biggest gain may not be expressible in numbers at all: the good feeling of being able to act in any situation – fast, quick-witted, customer-oriented.
By Markus Epner – Head of Academy at F24 AG
Markus joined F24 AG in 2022. He has worked in several positions in different security and crisis teams, was one of the first officers in the Kommando Spezialkräfte, and his experience from the Bosnian and Kosovo wars, as well as his many years of leadership experience in industry, give him confidence when acting in critical events.
Markus studied Security and Crisis Management in Kiel and has more than 20 years of experience in security and crisis management with Lufthansa and Boehringer Ingelheim. During his time in industry he managed the evacuation of two crews out of Mumbai during the terror attacks there and, in the pharmaceutical industry, the response to the COVID-19 crisis.