In recent months, Beazley Breach Response (BBR) Services has seen the number of reported ransomware incidents climb again. The varieties of ransomware and the differing technical abilities of the criminals make effective response especially challenging. Breach response services, such as forensics and legal counsel, are often necessary in ransomware...
Do You Know What Your Company's Data Is Worth?
Accurately measuring enterprise value (EV) has never been more important or challenging. Even more so because firms are confronted by growing volumes of data, and the stakes implied in misinterpreting the value of that data have risen to new heights.
Data is no longer the domain of tech companies or IT departments - it is fast becoming a centerpiece of corporate value creation more generally. Today most organizations are data-driven to one degree or another. Data contributes not only to brand equity, but to what constitutes product and service delivery in globally connected and hyper-competitive markets. Failure to accurately quantify the enterprise value of data (EvD) may therefore woefully undervalue the importance of cyber-security investments, as well as the face values typically applied to cyber insurance policies.
Definitions for what constitutes EvD, and methodologies to calculate its value, remain in their infancy. The closest proxy for EvD is to look at a firm's intangible value; however, this will still fall short of fully estimating the value and therefore the risk inherent in data-laden enterprises. Many attempts to do so have proven to be flawed - even for some of the largest and best known firms in the world.
For example, at the end of its 2015 fiscal year, Apple's balance sheet stated tangible assets of $290 billion as a contribution to its annual revenues, with approximately $141 billion worth of intangible assets - a combination of intellectual capital, brand equity, and (investor and consumer) goodwill. Using the same formula, Apple's intangible assets in 2014 were $280 billion - or almost twice the value of its 2015 calculation. By its own estimation, Apple had lost 50% of its intangible value over the previous 12 months, revealing the limits of using a simple intangible value calculation.
The challenge is to quantify the precise value of data to a firm so that economic value can be ascribed to this asset class over time. This means determining not only what EvD means today, but what it will mean for the firm in the future. In the same way that banks must constantly balance assets and liabilities, data-laden firms need to move from cyber-defense and fire-fighting toward more proactive management of what could prove to be their most important asset.
This becomes particularly important in the context of cyber-crime and the alarming rise of business models being held for ransom or political gain. In 2015, Lloyd's (the world's specialist insurance market) estimated that cyber-attacks cost businesses as much as $400 billion per year, which includes direct damage plus post-attack disruption to the normal course of business. Between 2013 and 2015 cyber-crime costs quadrupled, with the reported incidence rate growing exponentially. Such costs are expected to quadruple again by 2019, to in excess of $2 trillion.
These costs - and the risks to the broader economy - are high enough that we expect the inclusion of EvD to soon become a requirement in corporate accounting. An example of this is the new EU regulations focused on identifying systemically important data institutions (SIDIs) - an implicit recognition of the growing importance of data valuation to firms and nations alike.
To analyze EvD, determining the relative importance of data to an enterprise's balance sheet, its ability to effectively compete, and its operational capabilities is a good place to start. This can be achieved not only by placing a dollar value on specific transactions, operations and divisions of a firm, but by imagining how that value may grow over time. In order to establish a basic EvD estimation, firms can work backwards from a total shutdown scenario, where systems and therefore the ability to use data are no longer functional. Using activity-based costing approaches to calculate the direct and indirect costs associated with a shutdown over time begins to paint a rudimentary picture of EvD and therefore enterprise value at risk.
For instance, recall the global system-wide outage that struck Delta Airlines in August 2016, resulting in the unprecedented grounding of all flights. While most firms treat the consequential costs of these types of events as their risk, EvD is a subtler figure, which is revealed in persistent loss scenarios. Had the Delta ground stop lasted for a week, the burn rate would go well beyond refunds, travel vouchers, and other costs and begin eroding EvD.
Meaningfully defining EvD will help ensure that corporate accounting and risk management standards take into account present day realities. It would also enable organizations to be more agile in an era of man-made risk (making them more resilient), and would put firms that are not specifically data-oriented on an operational equilibrium with those that are. Placing a real dollar amount on what data is worth will help any firm be proactive in managing the risk around this important asset.
Read more: https://hbr.org/2016/09/do-you-know-what-your-companys-data-is-worth
Latest posts in our blog
Read what's new this week
Recently, the French Data Protection Authority (the "CNIL") published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation's ("GDPR") entry into application. View the review (in French).
CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information.