Not all damage can always be determined immediately, let alone the costs. This may be because the consequences will only become visible in the long run. In the event of reputational damage, you may receive structurally fewer orders or assignments after an incident. Below, you will find several points that you should keep in mind when determining your damage.
Which elements determine the costs of an incident?
You determine the damage in costs roughly across the following categories:
- Direct and indirect costs of an incident
- Direct and indirect costs of recovery
- This list is not exhaustive. In your sector, branch, or company, certain elements may not apply and other elements may cause additional damage and costs:
Direct costs of the incident:
- Costs you incur to inform your customers and suppliers;
- Loss of (production) hours for your company;
- Loss of turnover because your sales of products or services have come to a standstill;
- Costs for crisis management and disaster management.
Indirect costs of the incident:
- Reputational damage; customers and suppliers may move to another company because they have less confidence in your company;
- Costs you incur to speak to the press and other stakeholders;
- Fines from a supervisor or authority, for example a possible fine from the Dutch Data Protection Authority in the event of a data breach;
- Compensation that you have to pay because you cannot fulfil (contractual) obligations;
- Loss of competitively sensitive information for others to use, such as prices, contracts, and quotes.
Direct costs of recovery:
- Costs you incur for hiring specialists to make your environment available again;
- Cost of new software or hardware if needed for recovery;
- Time you invest in rebuilding the content of your systems and administration.
Indirect costs of recovery:
- Rebuilding your business reputation with customers, suppliers, and third parties;
- Employee training in the safe use of the restored or newly built environment.
Of course, it is difficult to determine the damage prior to an incident. Taking stock of your vulnerabilities is important. This gives you clear insight into which risks you run and which measures you need to take to control risks (in Dutch).