We all know what happens when a traditional brick-and-mortar business can’t open or operate for a length of time – lost customers, lost sales…the works. But what happens when that business is online and can’t function due to a cyber attack? The short answer to that question is…“it depends.”
There are two basic types of businesses online – retail sites and subscription sites. Retail sites, like a storefront, operate on a single sale model. Subscription sites operate on monthly or annual subscriptions for on-demand services – most often streaming music, movies, etc. These types of businesses don’t have store hours, nor do they rely on customers being able to walk through the door. Online retailers and subscription-based businesses are expected to be accessible and available 24 hours a day, seven days a week, 365 days a year. Have you ever placed an online order for that necessary item at 11:47pm? Of course…
When an online retailer is “closed” due to a cyber attack or other interruption event, customers have the ability to find the same product, likely at the same price, on a different website in a matter of seconds. Alternatively, they may wait for the website to be functional again and complete their purchase at a later date. For these types of businesses, it can be complicated to differentiate lost sales from delayed sales when calculating lost revenue. A business may have experienced a real business interruption through a cyber breach but not experienced any change in its revenue streams.
Subscription services can be a bit different. How many people would cancel a subscription to an online video or music streaming service due to an interruption event? And what’s the value of the lost revenue associated with the cancelled service? Again, it depends. Is it a continuous issue, or are service failures frequent? Another interruption to an already fragmented service? Are consumer alternatives readily available? How willing are people to switch service providers? If it is an isolated incident, or even the second or third instance, people are unlikely to make the switch. However, they may want a credit or partial refund of the monthly subscription fee for the time the service was unavailable. Refund costs could be significant, especially given the potential number of people affected.
For both of these business models, costs are likely to be incurred to investigate the issue, manage messaging and remediate the issue. These costs could quickly result in a large-scale financial loss, depending on the nature and duration of the attack, and how complex and widespread it was.
Ultimately, the total financial impact on such service providers will be dictated by the consumer reaction. And that reaction really depends.