“Lose money and I will forgive you. Lose even a shred of reputation and I will be ruthless. …Wealth can always be recreated, but reputation takes a lifetime to build and often only a moment to destroy.”

Warren Buffett

There is widespread acknowledgement that corporate reputation has significant value. Calculating that value with any precision is a bit more dicey. Many have attempted to quantify reputational value, and estimates vary from 20 percent on the low end to 70 percent to 80 percent on the high end. One can accept that there is value, and that the value represents an asset that must be protected and, ideally, enhanced. An article in the Harvard Business Review sought to assess reputational risk. It posited that there were three determinants of reputational risk, saying “Three things determine the extent to which a company is exposed to reputational risk. The first is whether its reputation exceeds its true character. The second is how much external beliefs and expectations change, which can widen or (less likely) narrow this gap. The third is the quality of internal coordination, which also can affect the gap.”

Today I want to focus on the second of those determinants. A recent article by Dan Kiely in Entrepreneur looked at how the reputation of smaller firms can be adversely affected by cyber breaches. “…don’t be fooled into thinking that you have to be a Fortune 500 corporation to be a target. Cybercrime is an equal opportunity menace. Larger mature companies are hit most often, but smaller scale-ups are hit the hardest, and it takes longer for them to recover. Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. In today’s digital economy, winning and maintaining the trust of your customers is central to business growth, and nothing erodes trust quite like a cyber breach.”

The many people who have a trust relationship with a business (customers, clients, shareholders, investors and employees alike) expect that certain standards will be met with regard to cybersecurity. They do not expect perfection, and may even have some tolerance for breaches, if the business can show that it has engaged in a rigorous process to defend itself against being breached and communicates effectively before, during and after a breach. However, if analysis of the breach exposes unexpected shortcomings in preparation and/or response, beliefs and expectations about the company will change for the worse, and reputation will suffer.

Heed Warren Buffett’s words: protect your reputation.

By Tom Davis, SDI Cyber Risk Practice

November 21, 2017