13.6 Financial Impact Assessment
The technical investigation has established: the mailbox was compromised, the attacker monitored vendor threads, and a fraudulent payment diversion email was sent. This subsection determines the financial damage.
Step 1: Determine payment status
This is the question that determines urgency. Contact the finance team directly (phone, not email — the mailbox may still be compromised).
Questions for the finance team:
Was the £47,000 payment to the new (fraudulent) bank details processed?
If yes: when was it processed? (Determines the recovery window.)
Was it a domestic or international transfer? (Affects the recovery timeline and reporting requirements.)
Has the payment cleared the company’s bank account?
Has the finance team already contacted the bank?
Payment status decision tree:
Payment not yet processed → halt the payment immediately. Financial loss: £0. Investigation continues for forensic and hardening purposes.
Payment processed within the last 24 hours → contact the bank fraud team immediately. High probability of recovery via payment recall. Do not wait for investigation completion.
Payment processed 24-72 hours ago → contact the bank. Recovery possible but probability decreasing. Simultaneous law enforcement notification recommended.
Payment processed more than 72 hours ago → recovery unlikely. Contact the bank regardless (the receiving bank may be able to freeze the attacker’s account if funds remain). Law enforcement notification required.
Step 2: Check for additional fraudulent payments
The Meridian payment may not be the only one. The attacker had access for up to 3 weeks (if the inbox rule dates from the February compromise).
What to examine: whether a.patel (or the attacker using a.patel’s account) sent similar bank detail change requests to other vendors or internal colleagues. Each message found needs investigation: was it sent by a.patel legitimately, or by the attacker?
Cross-reference with the finance system: Request a report of all vendor bank detail changes in the last 30 days. Compare against the email evidence. Any bank detail change that correlates with email from a non-corporate IP or during the attacker’s active period is suspect.
Step 3: Quantify the total financial exposure
| Item | Value |
|---|---|
| Meridian payment (attempted/sent) | £47,000 |
| Other fraudulent payments identified | £[amount from Step 2] |
| Total financial loss (confirmed) | £[actual loss] |
| Total financial exposure (potential) | £[all vendor payments processed during attacker access period] |
| Recovery status | [Pending / Partial / None] |
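A worked version of Steps 1 to 3, added here as example code (it is not part of the course material or of any tool the course references): the Step 1 decision tree as a function, the Step 2 cross-reference of the finance system’s bank-detail change report against the compromised mailbox’s sent items, and the Step 3 exposure total over everything flagged. The corporate IP range, attacker window, assessment time, vendor domains and amounts are constructed sample values, not case data.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are constructed for this example, not real case data.
CORPORATE_NET = ip_network("203.0.113.0/24")                    # assumed corporate egress range
ACTIVE_WINDOW = (datetime(2024, 2, 5), datetime(2024, 2, 26))   # assumed attacker access period
NOW = datetime(2024, 2, 22, 12, 0)                              # assumed time of this assessment

# One message from the compromised mailbox's Sent Items (client_ip = submitting IP).
SentMail = namedtuple("SentMail", "sent to subject client_ip")
# One row of the finance system's vendor bank-detail change report (amount in GBP).
BankChange = namedtuple("BankChange", "vendor_domain changed amount")

def recovery_window(processed_at, now):
    """Step 1 decision tree: map time since processing to the immediate action."""
    if processed_at is None:
        return "not_processed", "halt the payment; loss is zero"
    age = now - processed_at
    if age <= timedelta(hours=24):
        return "recall_high", "contact the bank fraud team now; recall likely"
    if age <= timedelta(hours=72):
        return "recall_possible", "contact the bank now; notify law enforcement in parallel"
    return "recall_unlikely", "contact the bank anyway; law enforcement notification required"

def suspect_changes(changes, mails):
    """Step 2: flag a change when a bank-detail email to that vendor was sent from a
    non-corporate IP or inside the attacker's active period."""
    flagged = []
    for change in changes:
        for m in mails:
            if "bank" not in m.subject.lower() or not m.to.endswith("@" + change.vendor_domain):
                continue
            if ip_address(m.client_ip) not in CORPORATE_NET or ACTIVE_WINDOW[0] <= m.sent <= ACTIVE_WINDOW[1]:
                flagged.append(change)
                break
    return flagged

def flagged_exposure(flagged):
    """Step 3: total exposure across every flagged change, the Meridian payment included."""
    return sum(c.amount for c in flagged)

# Constructed sample: the Meridian request plus two other vendors a.patel emailed.
MAILS = [SentMail(datetime(2024, 2, 20, 9, 5), "accounts@meridian.example", "Updated bank details", "198.51.100.7"),
         SentMail(datetime(2024, 2, 22, 14, 0), "ap@orion.example", "Bank details change", "198.51.100.7"),
         SentMail(datetime(2024, 1, 10, 11, 0), "ap@delta.example", "New bank details for 2024", "203.0.113.20")]
CHANGES = [BankChange("meridian.example", datetime(2024, 2, 21), 47000),
           BankChange("orion.example", datetime(2024, 2, 23), 12500),
           BankChange("delta.example", datetime(2024, 1, 11), 8000)]
```

With the sample data, the Meridian change (processed 36 hours before NOW) lands in the 24-72 hour band, the Orion change is flagged because its email came from a non-corporate IP inside the window, and the Delta change is left alone.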
Compliance mapping: NIST CSF RS.AN-2 (The impact of the incident is understood). ISO 27001 A.5.25 (Assessment and decision on security events). Quantifying the financial impact is a regulatory requirement for incident reporting and, depending on amount, may trigger additional regulatory notifications.
UK-specific thresholds: If the financial loss exceeds £5,000 and involves fraud, Action Fraud (the UK’s national fraud reporting centre) should be notified. If personal data was accessed alongside the financial fraud, GDPR notification to the ICO within 72 hours may be required. Legal counsel should advise on reporting obligations.
Subsection artifact: The financial impact assessment table template and the additional payment discovery query. These feed directly into the IR report (subsection 13.11) financial impact section.
Insurance and recovery considerations
Cyber insurance notification. If your organisation has cyber insurance, notify the insurer within the policy-specified timeframe (typically 48-72 hours of discovery). The insurer may: provide access to specialist incident response resources, cover the financial loss if the payment is not recovered, and assign a breach coach to advise on regulatory notification.
Bank recovery process. After the initial recall request, the bank’s fraud team initiates a process that may take days to weeks. Track the recovery status:
Recovery status: [Recall requested / Funds frozen / Partial recovery / Full recovery / Unrecoverable]
Date of recall request: _______________
Bank reference: _______________
Amount frozen (if any): _______________
Expected timeline for resolution: _______________
Cross-border complications. If the fraudulent bank account is in a different jurisdiction: recovery is slower (cross-border fund tracing requires cooperation between banks in different countries), the legal framework differs (not all jurisdictions have equivalent fraud recovery mechanisms), and the attacker may have already moved funds through multiple jurisdictions. For cross-border payments, engage legal counsel with international fraud experience immediately.
Accounting treatment. Work with the finance team to determine: how to record the pending recovery (contingent asset), whether to write off the loss (if recovery is unlikely), and the tax implications of the loss and potential recovery. This is not the SOC analyst’s responsibility — but the SOC analyst should ensure the finance team is aware of the recovery timeline and probability.
Try it yourself
Draft a financial impact assessment for the Northgate Engineering scenario: £47,000 payment to Meridian, sent 36 hours ago, domestic UK transfer. Include: payment status, recovery window assessment, bank contact status, law enforcement notification status, and total financial exposure (include other vendors if the attacker had broad reconnaissance access). Use the template from this subsection. This is the financial impact section of your IR report.
What you should produce
A one-page financial impact assessment with: primary payment (£47,000, sent 36 hours ago, recall requested), additional exposure (check for other vendor bank detail changes), recovery probability (moderate — within the 72-hour window but not guaranteed), and action items (bank fraud team engaged, Action Fraud notified, vendor contacted).
Check your understanding
1. The £47,000 payment was processed 36 hours ago. What is your immediate action?