One overlooked issue in cyber: growing economic losses

Two recent business interruption (BI) breaches involving US-listed Microchip Technology and US oil and gas services firm Halliburton are not generating the same headlines as the CrowdStrike-related disruptions or even the large-scale breach involving Change Healthcare. But BI incidents like these are causing economic losses for shareholders, and they are becoming so common that the press barely picks up on them.

 

In the case of Halliburton, the company shut down some of its internal systems, similar to the incident response actions taken by CDK Global in June and Change Healthcare in February. While deemed necessary to prevent further damage, these actions also disrupt business operations that in turn result in financial losses like lost revenue and reduced cashflows. These losses almost always far surpass the costs associated with the response and recovery following the breach itself.

 

Consider this: Following the large BI event impacting Clorox last year, the company disclosed in its annual report hundreds of millions in economic losses. In June of 2024, nearly one year removed from the attack, it announced that it would restart the overhaul of its ERP system in 2025, a centerpiece of its digital transformation plan. The delays caused by the breach to the company’s cloud-based platform transformation process cost an additional $60-$80 million on top of the hundreds of millions in economic losses.

 

There is no insurance recovery for this sort of loss, let alone the hundreds of millions in financial losses resulting from the six-week-long disruption to its operations.

 

Increased reliance on technology = Increased risk of economic loss

 

Halliburton, like all major companies, has invested heavily in digitizing its operations in recent years. This has included areas of its business like the supply chain and new platforms aimed at helping large oil and gas customers such as Petrobras migrate their own operations to the cloud through the iEnergy Hybrid Cloud. The downside of this digital transformation is that the company has greater economic loss risk due to cyber than it did even five years ago.

 

In the case of Microchip Technology, the financial losses could prove to be greater. According to the SEC 8-K filing, “certain of the company’s manufacturing facilities are operating at less than normal levels, and the company’s ability to fulfill orders is currently impacted.”

 

If we’ve learned anything over the past few years about BI events it’s that multi-day disruptions to product and service delivery get very expensive quickly. Clorox provides a useful case study for understanding how these BI events are increasingly creating such large losses for the company and shareholders.

 

With Clorox, systems disruptions led to order processing delays and product outages that resulted in a negative impact on net sales and earnings. To understand why this attack was so disruptive to operations and economically costly, one can look at the details of the company’s digital transformation effort.

 

In 2021, Clorox announced a $500 million plan to accelerate digital transformation across the company. Kevin Jacobsen, the company’s Executive Vice President and CFO, outlined that upgrading its nearly 20-year-old ERP system would improve real-time data visibility and demand planning. Jacobsen said at the time that the five-year investment would “significantly increase the digital capabilities of the company…we fully expect to see increased revenues and increased cost savings opportunities.”

 

Pushed by an analyst at the time on how specifically the company would drive revenue and cost savings from its transformation process, Jacobsen cited the benefits of digitizing the supply chain. “With much greater access to data, we can do much better demand planning with real-time data and much better algorithm in terms of predicting demand. We can manage production capabilities at a much greater degree with the technology, inventory management, order fulfillment and all be enhanced through increased access to data, including our ability to do direct-to-consumer shipments.” He also cited ‘admin productivity opportunities’.

 

This investment follows earlier efforts to digitalize the supply chain, migrate its IT infrastructure to the cloud and expand E-commerce capabilities to better meet customers where they are.

 

But when digital transformation doesn’t work as intended, the opposite is also true. Costs increase and revenues fall. Business technology risk and these increasingly common and costly BI events are the downside of digitization.

 

Multibillion-dollar loss for United Healthcare

 

Change Healthcare was itself a key part of United Healthcare’s digital transformation effort. Four reasons it cited for the acquisition in 2021 included: 1. Data analytics, 2. Administrative efficiency, 3. Improved connectivity and 4. Cost reductions. All hallmarks of digital transformation.

 

Similar to Clorox, the economic losses in the wake of the weeks-long BI event for an increasingly digitized healthcare company were significant.

 

United Healthcare disclosed:

— For the three and six months ended June 30: $776 million and $1.4 billion of direct response costs

 

Optum Insight, a subsidiary of United Healthcare that acquired Change Healthcare, disclosed:

— For the three and six months ended June 30: $334 million and $613 million of business disruption impacts.

 

That equals combined losses over $3 billion. This doesn’t even touch the wider impact on the US healthcare system cited by the American Medical Association.

 

A much lower-profile BI event in the healthcare sector involving Henry Schein in October 2023 cost the company between $350 million and $400 million, plus an estimated $120 million to $130 million hit to operating income.

 

BI events will only get more costly

 

As companies continue to double down on digital transformation, touching all aspects of business operations and supply chains, the economic cost of BI events will only continue to increase, resulting in larger losses for shareholders. What we’ve seen just in the last year with MGM, Clorox, Henry Schein, Change Healthcare, CDK Global [and the list goes on] will unfortunately continue.

 

Sources:

MGM, Clorox, Henry Schein, Johnson Controls, Change Healthcare.

 

 

What does this mean for CISOs and Risk Officers?

CFOs like Clorox’s Jacobsen have become accustomed to speaking to the market about strategic investments their companies are making in digital transformation. As the downside of this transformation becomes more costly and frequent, more CFOs will unfortunately become familiar with the need to report to shareholders about the negative material impact as well.

 

As this trend continues in the next 12 months, the economic loss risk from cyber (and plans to mitigate it) is something boards and CFOs will be asking CISOs and CROs more pointed questions about. For example, we expect this issue to get the attention of the leadership of Microchip and Halliburton over coming quarters as it did for Clorox, United Healthcare and others. For reasons we’ll explain in our next CyFi™ note, responses from CISOs and Risk Officers limited to additional security investment coupled with a standard cyber insurance program will not be sufficient for a growing number of companies.