The median loss for “extreme” cyber events is $47 million, with one in four events reaching over $100 million, but new research from Cyentia revealed that organizations can experience very different impacts based on their incident response strategies.
Earlier this year, Cyentia published the Information Risk Insights Study to evaluate the wide-ranging costs tied to data breaches, using cyber loss data from Advisen. In this follow-up, researchers looked at 103 “extreme” events to further identify factors that can lead to even higher costs.
For the purposes of the study, Cyentia and research partner VisibleRisk deemed any event causing a loss over $20 million to be extreme. While most were around the median cost of $47 million, the study also included the $1 billion-plus losses experienced by Equifax, Experian, FedEx, Merck, and Facebook.
Business interruption is by far the largest contributor to event costs, and the research revealed that most extreme events occur through hacks or system intrusions, followed by ransomware. Such breaches are the most frequent and most costly, but Cyentia also emphasized that fraud or scam events, while less frequent (about 10% of events), contribute 30% of the costs.
Relative losses for organizations ranged from less than 1% of revenue to over 130% for the 10 largest events in the study sample. Smaller and mid-sized businesses tended to experience much more harm from a major cyber event than larger ones. For example, a $5.1 billion loss for Facebook represented only 7.2% of revenue, while a $32 million hack of Japanese cryptocurrency exchange Bitpoint (parent company Remixpoint) equated to 74.1 times its revenue.
There are also consequences beyond the direct financial impacts, Cyentia noted. Organizations face loss of competitive advantage, productivity loss, reputational damage, “executive churn,” and fines and penalties. The study didn’t evaluate hard numbers on reputation and competitive advantage, but response costs tend to be the highest among all other types of loss.
“Though not the largest relative loss, one event worth highlighting is the infamous Ashley Madison (Ruby Corp) breach, where the losses reflected a cancelled IPO estimated at a value of $200M (many times their annual revenue),” researchers said. “This also serves as a good example of the many gray areas in conducting research on the impact of cyber events. Ashley Madison didn’t actually lose that money out of pocket, but it’s a reminder of softer opportunity costs that also need to be considered.”
Notably, Cyentia found that a poor response increases costs: losses were significantly higher for organizations perceived to have mishandled their response, with the median cost of events rising from $39 million to $109 million.
“The takeaway? If you are unfortunate enough to experience one of these extreme events, making obvious errors in your response process is an ‘own goal,’” said Cyentia, citing the public response to Equifax’s data breach as well as a reduced credit rating from Moody’s for the credit reporting agency.
Cyentia also found that firms required to report their cyber events in Securities and Exchange Commission (SEC) filings tend to see median losses three times higher than those of other public firms with extreme events. Of the events evaluated in the survey, 21 resulted in government inquiries, hearings and investigations.
“That shouldn’t be taken to mean reporting incidents increases losses, but rather confirmation that losses triggering the materiality clause tend to be larger than those that don’t,” Cyentia said.
Following a spike in 2017 due to the NotPetya attack that affected businesses around the world, extreme loss events seem to be occurring more regularly, but Cyentia noted that the data doesn’t definitively confirm that.
Most extreme events (82%) occur due to external malicious actors, with state-sponsored actors causing the most harm. Cyentia attributed 43% of events and $7 billion in losses to state actors rather than cybercriminal groups. Credential attacks lead the list of actions that give rise to extreme loss events, according to the study, accounting for 46 of the total events and $10 billion of the total studied losses.