
Totalling the financial impacts of cyber attacks

Cyber attacks continue to create de facto cost centres that squeeze enterprise finances. The pain is incremental – and every little hurts. By James Hayes.

Accenture’s Securing the Digital Economy Report 2019 reckons that, over the next four years, commercial sector companies risk losing an estimated €4.3trn in value creation opportunities from the digital economy – almost the size of the economies of France, Italy and Spain combined – to cyber attacks.

This equates to 2.8% in lost revenue growth for a large global company. High-tech industries face the highest risk, Accenture states, with more than €627bn of their revenue likely to be lost.

At the same time, ‘economic attack surfaces’, so to term them, have continued to add up. Regulatory compliances introduced since 2018, for instance, such as the European General Data Protection Regulation – GDPR – have proved a two-pronged tap on corporate coffers. Not only have they meant that many organisations have to expend more money to upgrade their cyber defences, but a number have also had to find yet more dosh to pay penalties imposed by their respective national regulators.

Some financial impacts have gotten more impactful. Intellectual Property (IP) theft, for instance, could be said to incur a much greater financial blow than it used to, as venture capitalists attract market funding that might previously have been invested in interest-yielding financial products. This means sums often twice or three times what they typically would have attracted just two years back. Should IP assets be compromised, funding can be cancelled.

Time is money, and timing itself has an increasingly key role in sizing the financial impact of cyber attacks. Despite some progress in foreshortening the time taken to detect a cyber incident or system breach, organisations still take too long to detect and contain, according to the Telstra Security Report 2020 from Telstra Corporation. The long-term issue is that time constitutes a commodity that’s arguably always on the side of cyber attackers. In some cases, organisations will never know when an attack has happened, how long it happened for, and how much it cost the business.

TOTAL COST ESTIMATE IS MOVING TARGET

The quantity and the severity of attacks and cost per attack will undoubtedly increase throughout the year, the Security Report 2020 explains. Costs associated with a breach are often multiple: e.g., damage to physical infrastructure, loss of IP, productivity downtime, and in some cases health and safety if the target is a physical system – e.g., a power grid or plant assembly line. And an attack on public services like transport could result in tens of thousands of euros-worth of compensation claims.

Growing awareness of the financial impacts of cyber attacks has brought forth several estimates as to their overall damage. The Cost of a Data Breach Study (2018) conducted by IBM and Ponemon Institute estimated the global average cost of a data breach at €3.21m, an increase of 6.4% on the previous year (€3.01m). Downtime and operational losses due to cyber attacks, meanwhile, are another metric by which to assess the financial impacts.

Cybersecurity Ventures reckons cyber crime generally will incur a global cost in excess of €5trn annually by the end of 2021, up from €2.5trn in 2015. Cybersecurity Ventures’ damage cost projections are based on historical cyber crime figures including recent year-on-year growth, a dramatic increase in hostile nation state sponsored and organised crime gang hacking activities, and a cyber attack surface which will be an order of magnitude greater in 2021 than it is now.

It also factors-in reputational damage, and repercussions that arise therefrom (such as a fall in company share value and investor interest). This means that the overall financial impact across all these types of cyber attack incidents is difficult to determine with assured accuracy.

Some attempts factor-in a wide range of contributory factors – such as the ones outlined above – while others focus on ‘above-the-line’ incurrences. For instance, should the salary costs to employers of cyber-awareness training, recruiting additional IT security personnel, or contracting third-party security experts, count as defensive costs?

When chief executives are trying to figure out how their finances are being hurt by cyber attacks, they should also be mindful of when the financial pain will occur, counsels IBM Security’s Cost of a Data Breach Report (2019). Its research found that about one-third of data breach costs occurred more than one year after a data breach incident in the 86 companies it was able to study over multiple years.

An average of 67% of breach costs came in the first year, 22% in the second year, and 11% of costs occurred more than two years after a breach. The ‘long-tail’ costs of a breach were higher in the second and third years for organisations operating in highly regulated environments, such as the healthcare and finance industries. Organisations in a high regulatory environment saw 53% of breach costs in the first year, 32% in the second year and 16% more than two years after a breach.