The legal industry ranks among the sectors hit hardest financially by cybercrime. However, many firms are ignoring this risk. According to the American Bar Association's (ABA) 2015 Legal Technology Survey, about half of firms said they had no response plan in place to address a cybersecurity breach.
Furthermore, Cybersecurity Ventures predicts the costs associated with a cyberattack could balloon to $6 trillion globally by 2021. To put that in perspective, if cybercrime were a country, the number would represent the fourth highest Gross Domestic Product (GDP) in the world.
To better understand the costs associated with cybercrime it is helpful to group the expenses in two buckets, direct and indirect.
Direct costs are the money spent as a result of a breach. The 2016 Ponemon Cost of Data Breach study estimates about 34% of the costs associated with an attack are from direct costs. Examples of these costs include investigation, notification to those impacted, and potential litigation.
Investigation is commonly the first direct cost associated with a breach. A forensics expert is often hired to determine the size and scope of the incident, and that investigation can cost from $10,000 to $100,000, according to Valorie O'Shoney of specialty insurance provider Beazley Group. The investigation can be more costly for small businesses because they often have fewer internal resources and less expertise.
Notification is typically the largest single direct cost, at an estimated $200,000, according to O'Shoney. This includes requisite activities such as building contact databases, retaining outside experts, postal expenditures, and determining which regulatory requirements apply. Currently, 46 states have specific requirements for the notification process, and certain industries are subject to additional regulations as well.
In terms of lawsuits or direct cash lost, the impact is typically isolated to the individual company. In April 2016, QBE, a UK-based insurer specializing in law firm coverage, reported that more than $120 million was stolen across the legal profession within an 18-month period as a result of data breaches.
While millions of dollars in direct losses sound large, they are only a small fraction of the total cost.
Indirect costs are inherently more difficult to measure, because no cash outlay is directly tied to them. These expenses account for 66 percent of the cost of a cyberattack, according to the 2016 Ponemon Cost of Data Breach study. Indirect costs include loss of reputation, loss of customers and website downtime.
Loss of reputation is perhaps the most difficult to measure. It is common knowledge that firms with strong, positive reputations attract more business. They are perceived as providing more value, which often allows them to charge a premium. Their customers are typically more loyal and consume broader ranges of products and services. Brand value may be a more accurate gauge. The Harvard Business Review estimates that 70 to 80 percent of a business's value comes from hard-to-assess intangible assets such as brand equity, intellectual capital, and goodwill. A hack or security breach can directly damage these assets, thus negatively impacting the value of a company.
In terms of customer loss, there are several studies in the marketplace defining the impact of a hack on an existing client base.
According to SiteLock data, two thirds of customers who have their information stolen from a website will no longer do business with the company operating the site. Furthermore, the 2016 Ponemon Cost of Data Breach Study determined hacked legal organizations witnessed a 5.1 percent customer churn rate, which made legal the third highest industry impacted by lost customers following a data breach. For example, if a law firm has 20,000 clients, 5.1 percent churn equates to a loss of roughly 1,000 clients (1,020). If the average lifetime value of a client is $1,000, the organization has essentially lost about $1 million.
To evaluate the impact of website downtime, the organization must determine the revenue its website generates per day, then multiply by the number of days the site is down.
While the cost of a cyberattack is potentially crippling, there are steps organizations can take to minimize the impact and reduce the risk of attack.
First, focus on timeliness. According to the Ponemon Cost of Data Breach report, the longer it takes to find and resolve a breach, the costlier it is for an organization. Breaches identified in fewer than 100 days cost companies an average of about $1 million less than those that take more than 100 days to be discovered.
Another step to help organizations minimize risk is the implementation of both endpoint and website security solutions. Endpoint security covers the host firewall, anti-malware and similar controls installed on laptops, desktops, phones and any other device that accesses the company network. Website security is designed to protect websites and cloud-based properties from attacks. These protections include a web application firewall (WAF) and website scanning solutions that monitor, protect and remediate websites.
The fiscal impact of cybercrime is growing at a rapid rate. To ensure the future viability of their firms and protect the privacy of their clients, law firms need to take proactive steps to protect against cybercrime.