Meeting Your Customers’ Cybersecurity Expectations

Achieving your customers’ expectations is one of the four major goals of your cyber risk management program. The other three are:

  • Being resilient to cyber-attacks and cyber failures
  • Being compliant with relevant laws and regulations
  • Becoming an unprofitable target by practicing great cyber hygiene

We’ll cover details of these three goals in later posts.

Customers Will Leave You if They Don’t Trust You

Businesses need the trust of their customers to remain viable.

One of the many negative consequences of a breach of confidential customer data is abnormal customer churn – customers leaving simply because you violated their trust.

To be clear, this loss of customers is above and beyond the normal churn that all businesses experience.

According to the “2016 Cost of Data Breach Study” conducted by the Ponemon Institute, the rate of abnormal churn for financial firms can be as high as 6.2 percent.

[Figure: abnormal churn rates, from the “2016 Cost of Data Breach Study” conducted by the Ponemon Institute.]

Trust is also a cultural phenomenon, so you can expect higher abnormal churn in France, Japan and Italy.

[Figure: abnormal churn rates by country, from the “2016 Cost of Data Breach Study” conducted by the Ponemon Institute.]

Those three countries may be the most sensitive, but it turns out that many countries show a measurable sensitivity to trust failures.

Customers are Trusting You with Private Data

Let’s review what trust means within the context of the three goals of Information Security:

  • First, confidentiality means you are protecting the information customers share with you, such as their personally identifiable information or the confidential information of their own customers, from being viewed by anyone without a need to know;
  • Second, integrity means that the information your customers share with you will not become corrupt before you make decisions based on it or before they access it again, and that the data you share with them is reliable;
  • Third, availability means that the products and services you sell will be available whenever they’re needed, such as a bill payment portal or shipment tracking.

Your Failure Means Losses for Your Customers

In September 2010, a server failure forced Virgin Australia Airlines (formerly Virgin Blue) to resort to manual check-ins. This resulted in more than 100 canceled flights, affecting 100,000 passengers.

The airline itself lost over $20 million in revenue.

There were emotional and financial consequences for passengers who missed their flights. Some of them will stop flying with Virgin either temporarily or permanently, which is an example of abnormal churn.

What Customers Expect

Your company makes confidentiality, integrity, and availability promises to your customers in the contracts they sign with your organization.

Customers also count on your company to obey the laws and regulations related to information and cybersecurity. For some companies, knowing what you’ve promised to customers is easy to determine because you offer a standard contract to everyone, like a software company or mobile phone provider that sells to consumers.

For other companies, customer promises are negotiated on a deal-by-deal basis, such as a business selling highly customized services to another business.

To keep customer promises about information security, there are three specific activities your program needs to practice:

  • First, perform an initial review of all customer contracts. If that is impractical, you might only need to review the major ones, or to review the standard contracts whenever they change.
  • Once you know what promises you’re making to your customers, incorporate these requirements into your daily cybersecurity operations.
  • Finally, give prompt notification whenever you fail to meet these requirements.

Notify Your Customers About Security Failures

It probably seems risky and dangerous to tell your clients about security failures. It certainly feels that way. But it’s even riskier to say nothing when a failure happens.

If you violate your customer’s trust, eventually someone will find out. And when they do, you’ll have a much tougher problem on your hands!

Cyber Risk Opportunities helps middle market managers meet the cybersecurity expectations of their customers by prioritizing and reducing top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.

Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.