By Bruce Sussman
Thu | Jul 25, 2019 | 8:06 AM PDT

Looking for another way to explain cyber risk to your organization's leadership?

The new quarterly earnings statement from Equifax just gave you something to use.

And it is something most business leaders hate: uncertainty.

Equifax: $1 billion cyber incident cost is just the start

No business leader wants an Equifax-type breach, or the associated legal costs, on their hands. The Q2 2019 earnings statement starts by explaining what is known so far about these costs.

"Since the announcement of the cybersecurity incident in September 2017, we have incurred a total of $1,444.8 million of costs related to the incident, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and government investigations related to the 2017 cybersecurity incident."

$1.4 billion is a lot of cash, for sure. But your leadership may view this number as an extreme example or some sort of outlier that doesn't apply.

However, the report's section on uncertainty applies to any organization. 

Equifax breach ongoing impact: years of uncertainty ahead

What could really paint a picture for your business leaders is what is ahead for Equifax as a result of its data breach. The company faces years of uncertainty that could impact earnings. Read this section:

"... it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations related to the 2017 cybersecurity incident based on a number of factors, such as the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.

The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the Company's consolidated financial condition, results of operations, or cash flows in future periods."

How to use this information for cybersecurity buy-in 

I can still hear the words of JPMorgan Chase CISO Jason Witty ringing in my ears.

We were at a SecureWorld conference, having a conversation about communicating cyber risk to the business. 

"You've got to be really, really good at the translation of whatever that technical thing is to a risk, that a board member could understand, or the CEO could understand," Witty told me.

"'It's just like any other business risk. Here's the probability of this risk happening, here's the impact if it did.'

Context and implications are the two most important words."

And in the case of uncertainty, it does not matter that Equifax has billions in revenue and your company does not.

You could try something along these lines, as you wrap up your board presentation on the implications:

"This is why I'm asking for funding now for this cybersecurity initiative. It will reduce the risk of our organization facing years of legal and regulatory uncertainty. Our costs would likely be much different than Equifax has experienced. But the legal and regulatory impact Equifax is experiencing? That could be our fate, as well."

This is not about peddling fear. Instead, it's about the context and the implications of what is possible at any organization. 

Please let us know if you have a good idea for painting a cyber risk picture for your CEO or board of directors.