By Bruce Sussman
Mon | Aug 6, 2018 | 2:41 PM PDT

If your board of directors still wants to debate whether cyber risk is truly business risk, well, here's some more evidence for the "yes, it is" side of the argument.

The company that makes chips for Apple, Qualcomm, Nvidia, AMD, and others just got hit by malware, and the impact is significant.

Taiwan Semiconductor announced the malware outbreak that quickly spread through a number of its manufacturing fabs and the impact on the business:

"TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point."

If you do the math, that lost revenue in the third quarter alone is right around $250 million.

Yes, cyber risk is business risk.

The scariest part of this malware outbreak for business leaders

What's frightening is how brief the disruption was: the malware outbreak happened on Friday, August 3rd, and the company was back at 80% of its manufacturing capacity on August 5th, with a return to 100% forecast by the end of business on August 6th.

So think how quickly the damages add up.

How the manufacturing malware outbreak occurred

The Taiwan Semiconductor statement paints a picture of what went wrong and how the malware infection got its start, and raises a few questions at the same time:

"This virus outbreak occurred due to misoperation during the software installation process for a new tool, which caused a virus to spread once the tool was connected to the Company’s computer network. Data integrity and confidential information was not compromised. TSMC has taken actions to close this security gap and further strengthen security measures."

Building a modern cybersecurity risk program 

So what should organizations be building toward when it comes to the merging of cybersecurity and risk?

Demetrios "Laz" Lazarikos, former CISO at vArmour, Sears, and Silver Tail, put it this way during his keynote at a recent SecureWorld cybersecurity conference:

"A modern cybersecurity risk program must have board and executive level visibility, funding, and support. The modern cybersecurity program also includes reporting on multiple topics: understanding how threats impact revenues and the company brand, sales enablement, brand protection, IP protection, and understanding cyber risk."

Taiwan Semiconductor just learned first-hand about the impact of cyber risk on revenues.