What Are We Doing Here?
I was sitting in my office one snow day when the CEO decided to pop in. Talking about some of the cybersecurity events we’d been through recently, he commented:
“You know, cybersecurity is the one risk I have where I can park my car in the morning and have lost the company by the end of the day.”
I’ve often thought about that statement. It’s true on many levels. Obviously, a fire, earthquake damage, etc. will cause a lot of destruction, but it will be in a limited area. Governmental action can destroy a company, but it takes time to happen and generally has very limited effect.
However, a cybersecurity event can close down the entire company within hours. Even small outages can impact corporate operations in far-reaching ways: a minor firewall outage means the magnetic locks on store doors across the northeast United States can’t be opened, or a hardware glitch closes down a major airport and forces all traffic to be re-routed, impacting global air traffic for days.
Those are non-malicious examples. Malicious activities can have dramatic, long-lasting consequences that destroy revenue and reputation. UnitedHealth Group, for example, continues to revise the costs from its 2024 breach upward. Including the costs of response efforts, system restoration and business interruption, the company now estimates its losses at $2.87 billion. This amount does not include any potential losses from ongoing class action lawsuits against the company, which could add billions more.
There really is no insurance coverage for this level of damage. Insurance, at best, covers a moderate cybersecurity issue. It doesn’t cover minor issues, because in those cases the covered costs rarely exceed the deductible. At the other end of the spectrum, insurance only rarely covers the cost of major events, as those costs can quickly outstrip the coverage. Insurance really helps with moderate cybersecurity events, and while it can be very useful in those situations, companies need to recognize that insurance really only covers that category of cyber events. Acknowledging this, there is another, rarely discussed element of cybersecurity damage that is not covered at all by insurance, and this is what my CEO was really talking about. When he talked about “losing” the company, what he meant was losing the ability to direct the company’s affairs. What most people don’t realize is the effect that a cybersecurity event can have on corporate decision-making.
The key problem is that forensics is not really a science in the middle of an incident response effort. Unless the attack is completely clear, responses are guesses at best for a period of time. My rule of thumb is six months. Basically, when a breach happens you’ll soon hear a statement like “it was a nation-state actor using military grade malware.” Wait six months, and you’ll learn that key systems weren’t upgraded on time, or that the systems’ vital administrative credentials, which give a hacker full control of everything, were given to an intern who left them in a publicly available folder.
Essentially, for a period of time following a breach, there is tremendous uncertainty regarding the extent of the breach. As a result, the company doesn’t know how much of its cash on hand will be needed to address the fallout from the breach. Leaders become cautious about spending any money, especially on new initiatives (even initiatives that have already been approved but have not started can often be put on hold during this period). This can result in a slow-down of spending or an all-out freeze. The same goes for new hiring. Basically, everything with a cost element can go into a holding pattern until the extent of the loss is understood.
Also, the board of directors, who up to this point may have been only minimally involved in considering cybersecurity risks, can get very involved. It’s not unheard of for a board to demand weekly updates on the breach investigation and response. At the same time, until it is resolved, the breach overshadows all decisions at quarterly board meetings.
Legal teams also get involved in many more corporate decisions than before. Depositions from class action lawsuits or actions brought by Attorneys General necessarily cut into the time and availability of key executives. Legal teams need to review all kinds of communications, both outside and inside the company, before they can be sent.
Basically, everything slows down at the company, and the CEO has to stand by until the breach is resolved and he can lead the company forward again. What is worse is waiting on the sidelines while the competition moves forward, or having to pass on opportunities that won’t come around again. This was a key part of what my CEO meant when he talked about “losing” the company. He was talking about losing the ability to allocate resources to move the company toward his vision for it. Basically, the company would have to hold back, and at the same time watch the competition fly ahead. This is key to understanding the value of a cybersecurity team. The purpose of the cybersecurity team is to minimize the impact of cybersecurity events on company operations.
Support the executives in leading the company, and don’t let it be sidetracked or slowed down by cybersecurity issues. This background needs to be coupled with the understanding that cybersecurity breaches will happen. Robert Mueller, when he was leading the FBI, famously said:
“There are two kinds of companies. Those who have been breached, and those who don’t know it yet.”
About David Billeter
Experienced Information Security leader with particular expertise in securing complex systems. Proven ability to interact with and win “buy-in” from executives, technologists, and varied interest groups. Emphasis on Data Privacy and Regulatory Compliance. Demonstrated talent for explaining extremely complex technology concepts and proposals in a clear, common-sense way.