Is the investment of time and money in crisis management really worth it? This is perhaps the most frequently asked question in business environments. The experiences of the last couple of years with the pandemic, extreme weather conditions and political conflicts suggest that it is indeed worth the effort and cost, writes Markus Epner.
Concrete cost-benefit considerations are often difficult to calculate due to a lack of empirical values and reliable figures. Hence, it’s necessary to dive deep into the topic to explore what needs to be considered when deciding whether an investment is worthwhile.
On that basis, let’s explore the questions of what costs a crisis incurs, how to save costs through effective crisis management and also how to approach a cost-benefit calculation.
Money, reputation, customers: what does a crisis actually cost?
A crisis is defined as an exceptional, unstable situation that threatens a company’s strategic goals, reputation or even its very existence. Such exceptional situations are difficult to measure in every respect and especially in monetary terms. Even the smallest incidents have the potential to cost a high price. In the end, it’s how well a crisis is managed that determines its expense. To understand a cost estimate, you need to look at where and how the costs arise in the first place.
Supply chain disruptions, tanker accidents, extreme weather events. Business crises cost companies heavily, whether in terms of time, money or reputation. Cyber incidents, in particular, pose persistent threats to businesses across the world. According to the Allianz Risk Barometer 2022, cyber attacks are the biggest concern for companies, followed by business interruptions and natural disasters. Rightly so, as well, if you look at some recent examples.
Cyber extortionists demanded a ransom of US$2.3 billion from the pipeline operator Colonial in May 2021. Shortly before that, Acer was confronted with a ransom demand of US$50 million for hijacked data. Pharmaceutical company Merck demanded around US$1.4 billion from its insurance company after a cyber attack featuring the NotPetya malware. These are not exceptional cases, but rather a few among many.
Recurring patterns show how cyber crimes can threaten companies existentially. The increasing number of cases and the ever-rising amounts of damages are also driving up the cost of cyber insurance. In most cases, insurance policies no longer cover ransom payments.
Even if we exclude cyber crimes, data losses can happen due to accidents and even escalate into bigger crises. In March last year, for instance, four data centres at Europe’s largest cloud provider, OVHcloud, failed due to a major fire. In the wake of this episode, many corporate customers were shocked to discover that they had no back-up of their data.
Direct, indirect, little room for negotiation: cost points of a crisis
It’s safe to infer that money is lost in every crisis situation – regardless of its specific nature – due to three simultaneous mechanisms of action.
First, there are ‘direct’ costs for coping with the situation. These range from recognition of the problem to facilitating the return to ‘normal operations’.
In addition, there are ‘indirect costs’ because, for example, planned revenues are lost due to business interruptions or the order volume can temporarily decrease due to loss of reputation.
A third aspect is the possibility of procuring external expertise or material for crisis management. This last part is often carried out under time pressure and thus turns out to be more expensive. Due to the pressure of the situation, decisions are often made on the spot and additional investments are less scrutinised. Thus, additional costs above the usual market conditions need to be factored into the equation. An extreme example of this would be the procurement of masks at the beginning of the COVID-19 pandemic, some of which had to be bought at way above the usual market price.
From discovery to recovery: the cost factors of a cyber incident
The extent and frequency of cyber incidents are better documented than for most other crisis scenarios (largely because of legal reporting requirements). Let’s look at the costs of a cyber attack. The Ponemon Institute (in its report on the ‘Cost of a Data Breach 2021’) puts the average total cost of a cyber incident at US$4.62 million. In the case of a ‘mega breach’ (ie a very large data breach with over 50 million data records impacted), the costs increase by a factor of almost 100 to US$401 million.
There are essentially four cost drivers. The first is detection and escalation: in the case of a cyber attack, this includes forensic and investigative activities, assessment and audit services, crisis management and internal crisis communication.
The second is business loss. In the case of online crime, this can include losses due to business interruptions and lost revenue due to system downtime, but also the cost of lost customers and of acquiring new ones, as well as reputational losses or reduced goodwill.
What about crisis communications? Notifying affected parties through various channels, exchanging information with supervisory authorities or even hiring external experts all incur costs.
Then there are recovery costs. In cyber crime incidents, these include setting up a help desk, monitoring affected accounts or identities, issuing new accounts or credit cards, legal costs, product rebates or regulatory fines.
Hope is not a strategy: how incident and crisis management pays off
“There is no glory in prevention”
Crisis managers knew this long before it became a media experience for virologists and epidemiologists in the COVID-19 crisis. Crisis managers rarely receive any credit for the fact that nothing or little happens when a crisis is well prevented. It’s simply difficult to grasp what could be gained by preventing or mitigating a crisis. Worse, the prevention paradox means that good prevention itself leads people to underestimate the danger in the future. After all, (almost) nothing happened. Good prevention saves costs. How, where and when prevention pays off is the subject matter for discussion here.
Of course, the greatest cost savings are made when a crisis does not occur in the first place. Simply hoping that one’s own company will not be affected is, however, an extremely bad strategy. Experts agree and the figures speak for themselves, notably so because the probability of a crisis is increasing with each passing year. The risk of becoming a victim of an extortionist attack (ie ransomware attack) alone grew by 47% in Q2 2021. That’s according to threat intelligence expert Digital Shadows.
For its part, the FBI monitors 100 dangerous extortion rings. The percentage of companies affected by a cyber attack at least once was 61% in 2021, suggests the Business Continuity Institute’s Cyber Resilience Report. Likewise, the risk of companies being surprised by unexpected crises in the future and having to cope with multiple events at the same time is increasing. As Gerhard Saumwald (a well-known Austrian crisis expert) has stated: “The most important crisis scenario is the one you don’t expect.”
In many companies, what I call ‘insurance thinking’ still prevails. People only prepare for probable risks and shy away from the costs of insuring against improbable risks. However, the completely unexpected will happen more often in the future.
Dealing with risks: stay well prepared for four key areas
The starting points for reducing crisis costs are essentially in four areas. The first of them is early detection and prevention. Prevention measures begin with monitoring and detection. Whether it’s monitoring changing risk factors, analysing impact, keeping software updated or establishing a permanent crisis management team, prevention measures can be very diverse and wide-ranging depending on the company under the microscope.
The important thing is that you don’t stop at identifying prevention opportunities, but rather follow them closely on a regular basis and track possible changes. It’s equally important to update your business continuity management strategies on the basis of these changes to stay prepared for even improbable crisis or emergency scenarios.
When it comes to cyber incidents, the Top 10 cost-cutting factors include business continuity planning, management involvement, staff training and the establishment of incident and crisis management teams.
The second area of focus is understanding established processes and the crisis management ‘manual’. If you know what to do in the event of a crisis, who is responsible for what and how to reach them, you have two significant crisis cost factors (ie time and reputation) under far better control. The time saved pays off threefold: at the beginning, especially during the alerting of staff and mobilisation of teams, during a crisis and also in the follow-up (for example, in the preparation of reports for the authorities).
The value of reputation is often underestimated in the context of a crisis. It’s usually not the crisis itself that shakes the confidence of customers, business partners and authorities, but the poor handling of the situation. Doubts about the company’s operations grow, leading to questions such as: ‘Are the other areas in the company also as badly handled as crisis management?’
Training in place
Third, let’s examine well-founded training. Those who have played out possible crisis scenarios under realistic conditions, established structures and communication channels, and have the necessary tools and materials at hand and know how to use them, are more effective and, in turn, save valuable time.
Companies with tested incident response manuals and a well-trained incident response team pay about 50% less to deal with a data breach than companies without a trained team.
Last, but not least, it’s all about acting quickly. Speed is key in any crisis scenario. The quicker you can react and limit or otherwise end the crisis, the lower the costs. The shorter the crisis lifecycle (ie the time that elapses until an attack is detected and fully resolved), the lower the costs.
The basic prerequisite for quick action is, in turn, fast and targeted communication and close co-operation across location and departmental boundaries. Professional SaaS solutions in particular support this. The Business Continuity Institute’s Emergency Communications Report 2021 confirms that 52% of companies using such solutions manage to activate their emergency plans within five minutes. For companies that work without professional solutions, the figure is only 21%. At the same time, the systems enable more effective collaboration through tools for virtual collaboration across departmental and site boundaries.
According to calculations made by The Ponemon Institute, the cost of a data breach increases, on average, by around 29.7% if the crisis lifecycle lasts longer than 200 days.
The smart way out: invest to save
Professional incident and crisis management solutions address all the factors discussed earlier (ie processes, training and speed). They create the best conditions for crises – even when they occur – to cause less damage. This is because they help to shorten crisis lifecycles, reduce the damage level and intensity of a crisis situation, manage incidents professionally and strengthen reputation and customer loyalty through good and fast communication.
Coming back to the title of this article, then, is the investment in crisis management worth it? Of course, a precise calculation of RoI is not easy to make here. Crises are, by definition, dynamic and complex in nature and dependent on many factors. So are the attendant costs.
If we take the data from The Ponemon Institute study (which looks at the costs of ‘normal’ data breaches) as a base point, we can take a closer look at what positive financial effects incident and crisis management can really exert.
In the ‘Data Breach Cost Report 2022’, The Ponemon Institute calculated that a single data breach (ie a typical cyber incident that can occur at any time and does not necessarily have to be a real crisis) cost large companies an average of US$4.35 million in 2022. That’s an all-time high (and a 2.6% increase over last year). The trend is rising. As previously stated, mega data breaches (ie real data crises with more than 50 million compromised data records involved) cost an average of US$401 million. This makes them almost 100 times more costly than smaller data breaches with fewer than 100,000 affected records.
When is the pay-off?
At what point does the investment in professional crisis management pay off, then? In companies with professional incident response, the costs per incident are reduced by an average of at least circa 50%.
In 2022, professional incident response has already saved companies an average of US$2.66 million when it comes to the management of small-to-medium scale data incidents. Following the trend for the last couple of years, the savings for companies with an incident response team or plan continue to grow for this year. Even if we assume for the sake of comparison that incident response only has half the effect (ie 25% cost savings instead of the roughly 50% calculated in the study), this results in savings of a minimum of US$1 million for well-prepared companies of all sizes (per incident, mind you).
So, what we can safely conclude is this: good preparation already pays off for smaller incidents in the form of significant monetary savings. In the case of a major data crisis, the effect of good crisis management can then amount to several hundred million dollars in potential savings.
This is due, on the one hand, to an increasingly complex environment and, on the other, to the fact that systemic crisis events (such as a pandemic, attacks on critical infrastructure or the disruption of global supply chains) extend over a longer period of time and can have far-reaching ‘domino’ effects. The effects of the closure of the Chinese commercial port of Yantian at the beginning of the COVID-19 crisis, or of the weeks-long blockade of the Suez Canal by the Ever Given wedged across it, are still being felt.
One can therefore assume that the return on investment for good crisis management with a professional system and a well-trained team is much faster, and notably so in the case of multiple crises. Here, companies can save costs in the millions in every type of emergency, in probable and improbable crises, whether related to fire, natural disaster, business interruption or cyber attack.
The biggest gain may not be expressed in numbers at all. It’s simply the good feeling imbued by being able to act in a fast, quick-witted and customer-oriented fashion when any given situation arises.
Markus Epner is Head of Academy at F24 (www.f24.com)