Dive Brief:
- Cyberattack-related costs range from 0.1% to almost 100 times an organization's revenue, according to Cyentia's Information Risk Insights Study of the 103 largest cyber incidents since 2015. The report defines a "significant" cyber incident as one that "often results in damage to a company’s reputation, increases its oversight by regulators, and can even impact the careers of the executives involved."
- The median loss for "extreme" incidents was $47 million, but 28% of incidents cost more than $100 million. Only 5% of affected companies — Facebook, Experian, Equifax, Merck and FedEx — had more than $1 billion in loss.
- Of the examined incidents, 27 were reported in SEC filings while 23 led to government inquiry. The SEC lacks "quantifiable criteria" for reporting incidents. Financial reports did not always disclose exact monetary losses; instead, the language often gave estimates such as "could be as much as $X," according to the report.
Dive Insight:
Fallout from cyber incidents goes beyond recovery costs or lost revenue: the business as a whole is at risk.
Ashley Madison's 2015 data breach led to the cancellation of its IPO valued at $200 million. The breach is a "good example of the many gray areas in conducting research on the impact of cyber events," according to the report.
While Ashley Madison's data breach was unique in the customer rebuke it drew, consumer condemnation of targeted companies is not always predictable. Reputational damage "is an often discussed aspect of costs due to breaches and one we were hoping to find some hard data on," said David Severski, senior data scientist at Cyentia and one of the report's authors.
"We were surprised that none of the publicly verifiable sources … gave any sort of evidence of recorded costs in this category," said Severski. Attributing where and how cyberattacks impact different operations within an organization is nuanced, with no clear price tag.
"Measuring those lost opportunity costs of potential sales not made, renewals not signed … is hard for many firms to directly tie to events," he said.
Response to an attack, followed by lost productivity and fines, accounted for the top three forms of monetary loss. "The after effects of this lost investment are likely to be felt for years after a breach originally occurs," said Severski.
When the EU's GDPR and California's CCPA went into effect, they influenced a change in corporate "behavior" for data collection. Though GDPR has been in effect since 2018, "we saw no evidence of increasing losses due to GDPR," said Severski, though he expects more data will become available as penalties are issued.
Forty-three of the affected businesses experienced business interruption, costing nearly $10 billion. Thirty incidents involved data disclosures, resulting in $1 billion in losses.
"The volume of these breaches appears, at least so far, to be relatively stable. What does change is the mechanism by which these breaches come to pass," said Severski. The ransomware mechanism, in particular, has been evolving since 2017.
NotPetya set the stage for globally destructive malware. Total losses peaked in 2017 when NotPetya accounted for 75% of cyber events during that quarter. NotPetya was responsible for 20% of the report's incidents, with losses totaling $3.5 billion.
In 2018, the White House attributed the NotPetya attack to the Russian military, and between 2015 and now, 43% of the studied cyberattacks were caused by nation-state actors. "That really opened our eyes to the fact that CIOs-CISOs can't chalk that up to something that just secret government agencies and the defense industrial base have to worry about," said Severski.