More than a quarter of severe cyber breaches result in expenses exceeding $100 million, according to a recent study.
The world of cyber security has seen a significant shift in the past few years: the number of attacks has remained relatively stable, yet the mechanisms behind them have evolved rapidly. This is according to Cyentia's Information Risk Insights Study, which analysed the 103 largest cyber incidents since 2015.
One of the most devastating attacks was NotPetya in 2017, which accounted for 20% of the reported incidents and caused losses totalling $3.5 billion. The global shipping giant, Maersk, suffered the highest losses due to this cybersecurity attack.
The study also revealed that nation-state actors were responsible for 43% of the studied cybersecurity attacks between 2015 and now. Notably, the attack on Maersk was attributed to the Russian military by the White House.
Ransomware, a type of malicious software that encrypts or withholds data until a payment is made, has been a growing concern since 2017. Thirty incidents in the study involved data disclosures, resulting in $1 billion in losses. The median loss for what the study terms "extreme" cybersecurity incidents was $47 million, and 28% of incidents cost more than $100 million.
Corporate behaviour around data collection has changed with the introduction of regulations such as the EU's GDPR and California's CCPA. However, attributing where and how cybersecurity attacks affect the different operations within an organization remains nuanced, with no clear price tag.
Reputational damage is often cited as a cost of breaches, but the report found no publicly verifiable sources recording costs in this category. By contrast, forty-three of the affected businesses experienced business interruption, at a cost of nearly $10 billion.
The SEC lacks "quantifiable criteria" for reporting cybersecurity incidents, and financial reports often resort to vague language such as "could be as much as $X" estimates. This makes it difficult for companies to report their losses accurately, and for outsiders to compare them.
Cases such as Ashley Madison, which cancelled its planned $200 million IPO after its 2015 data breach, make it clear that CIOs and CISOs can no longer treat such attacks as something only secret government agencies and the defence industrial base have to worry about.
It's worth noting that no evidence of rising losses attributable to GDPR has been found so far, though more data is expected as penalties are issued. As businesses continue to digitalise, understanding and managing cybersecurity risk will become increasingly crucial.