By now, we all know that cyberattacks are increasing globally, both in quantity and cost. Recent research found that the number of attacks grew by 30% in Q2 2024, with education, government, and healthcare as the most targeted industries. The cost of cyberattacks also continues to grow, with the global average at $4.88 million in 2024—a 10% increase over 2023.
The substantial cost of a data breach can include expenses such as legal fees, increased investment in cybersecurity, and federal and state regulatory penalties. Often, however, these costs do not reflect one of the most significant financial implications of a cyberattack: the damage it does to a company's reputation.
How Does a Cyberattack Affect a Company’s Reputation?
We have seen that a significant cyber incident has the power to dramatically change the way customers, employees, and the market think about the affected company.
A major cyberattack can erode trust, which can lead to churn and a drop in value. This problem can be exacerbated by extensive negative media coverage, which may continue because of regulatory penalties, lawsuits, and settlements. Customers may decide to leave and stock value can plummet as a result.
On another level, a major cyber incident also can lead to an internal loss of trust. This can negatively affect employee morale and talent retention and may cause workers to doubt their leadership’s ability to manage crises.
How Does Reputational Damage Affect a Company’s Value?
Whether a company is affected by reputational damage often depends upon its industry. Retail customers typically remain loyal, even after a cyber incident; however, technology companies and sectors like banking and healthcare, where trust is important, can be particularly susceptible to reputational damage. For example, when cybersecurity provider Okta was breached in October 2023, its market valuation dropped $2 billion in a matter of days. Similarly, after CrowdStrike experienced a widespread IT outage in July 2024, shares plummeted 39.5% (although their stock value recently rebounded).
To make matters worse, the potential cost of reputation loss is seldom considered when companies purchase cybersecurity insurance. It’s not uncommon for businesses to underestimate the true cost of a breach, and thus they have inadequate cyber insurance to fully cover losses following a cyber incident.
Even if they do plan for more coverage, however, the loss resulting from reputational damage is often difficult to prove, and it is thus very challenging to claim. A drop in stock price, for example, could be attributed to unusual market fluctuations or corporate mismanagement. Unless there is a clear way to establish a connection between a cyberattack and financial loss due to reputational damage, companies cannot realistically depend on cyber insurance to cover such hidden losses.
The Realistic Approach to Post-Breach Reputational Damage
When CYE calculates the potential cost of a breach for our customers, loss of reputation typically amounts to 60% of expected breach costs for companies with more than $5 billion in annual revenue. This calculation is based on extensive data gathered from previous breaches and is essential for understanding the true risk that organizations face.
How to Minimize Reputational Damage
There are some tried-and-true ways for companies to minimize reputational damage following a cyber incident. The first hours are critical and acting quickly can often help to limit damage. Transparency is key, as is issuing a prompt public apology and accepting responsibility. Having a clear plan in place is essential, and should include designated team members who are responsible for communication and PR.
Yet perhaps one of the most important ways to prepare for such an incident is to adjust the mindset about losses resulting from a cyber incident: The reality is that cyber insurance usually will not cover all the expenses resulting from a breach. Therefore, the realistic solution is for companies to mitigate risk first and then transfer the remaining risk to cyber insurance. While insurance is another layer of protection, it definitely does not replace mitigation.
How to Effectively Mitigate Cyber Risk
At CYE, we’ve developed an advanced, data-driven approach. With the help of our cyber risk quantification solution, Hyver, we present the security gaps of an organization in an attack graph, which is later analyzed using AI and machine learning to suggest an optimized way to prioritize mitigation. The attack graph depicts how an attacker might gain access to an organization and reach its critical assets, as well as how much such a breach might cost the company.
Hyver prioritizes mitigation that reduces the greatest cyber risks to the organization, which directly results in decreased probability of attack routes being exploited. By focusing on the riskiest paths first, it becomes more difficult for attackers to access the organization. This causes malicious actors to spend more effort and resources on the attack and encourages them to move on to easier targets.
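To make the idea of prioritizing the riskiest attack routes concrete, here is an added example (not Hyver's algorithm or CYE's code) that scores a small constructed attack graph and ranks hypothetical mitigations by how much each one lowers expected loss on the most probable route. All node names, probabilities and mitigations are assumptions, and it simplifies by considering only the single likeliest route rather than every route.

```python
import heapq
from math import exp, log
# Constructed sample attack graph: (from, to) -> assumed probability the step succeeds.
EDGES = {
    ("internet", "phishing_mailbox"): 0.60,
    ("internet", "vpn_gateway"): 0.30,
    ("phishing_mailbox", "workstation"): 0.50,
    ("vpn_gateway", "workstation"): 0.40,
    ("workstation", "domain_admin"): 0.20,
    ("workstation", "file_server"): 0.50,
    ("domain_admin", "customer_db"): 0.90,
    ("file_server", "customer_db"): 0.10,
}
# Hypothetical mitigations: name -> (edge it hardens, assumed residual probability > 0).
MITIGATIONS = {
    "phishing-resistant MFA": (("internet", "phishing_mailbox"), 0.10),
    "patch VPN gateway": (("internet", "vpn_gateway"), 0.05),
    "tiered admin accounts": (("workstation", "domain_admin"), 0.02),
}
BREACH_COST = 4_880_000  # sample figure: the 2024 global average cited in this article

def likeliest_path(edges, src, dst):
    """Dijkstra over -log(p): (probability, path) of the most probable route."""
    adj = {}
    for (u, v), p in edges.items():
        adj.setdefault(u, []).append((v, -log(p)))
    heap, seen = [(0.0, src, [src])], set()
    while heap:
        dist, node, path = heapq.heappop(heap)
        if node == dst:
            return exp(-dist), path
        if node in seen:
            continue
        seen.add(node)
        for nxt, weight in adj.get(node, []):
            heapq.heappush(heap, (dist + weight, nxt, path + [nxt]))
    return 0.0, []

def rank_mitigations(edges, mitigations, src, dst, cost):
    """Sort mitigations by the drop in expected loss on the likeliest route."""
    base, _ = likeliest_path(edges, src, dst)
    gains = []
    for name, (edge, residual) in mitigations.items():
        after, _ = likeliest_path({**edges, edge: residual}, src, dst)
        gains.append((name, round((base - after) * cost)))
    return sorted(gains, key=lambda g: -g[1])

if __name__ == "__main__":
    for name, saved in rank_mitigations(EDGES, MITIGATIONS, "internet", "customer_db", BREACH_COST):
        print(f"{name}: expected loss on likeliest route cut by ${saved:,}")
```

In this sample, hardening the VPN gateway scores zero because that edge is not on the likeliest route, which is why ranking by route risk differs from ranking findings by individual severity.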