A Journal of Cybersecurity article earlier this year concluded that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact on firms that suffer these events. Based on a sample of more than 12,000 cyber events that include data breaches, security incidents, privacy violations and phishing crimes, the authors found that the cost of a typical cyber incident in that sample is less than $200,000 (about the same as those firms’ annual IT security budgets), representing only 0.4 percent of their estimated annual revenues.
Our Perspective:
This study may be placing too much emphasis on “counting the trees” and not enough on understanding the value of the “forest.”
For companies in industries like energy, on which the public relies for essential goods and services, reliability and reputation are an integral part of the product or service. Measuring damage from a cyberattack by adding up the costs of breaches, bad debts and fraud risks, while leaving out the cost of service interruption or reputational damage, therefore understates an incident’s true impact.
As other industries have experienced, the most significant damage from a cyber incident is often the erosion of customer confidence and trust that underpins future business, or regulatory overreach that can unduly constrain future operations. The impact on reputation, and on the customer loyalty it implies, can be serious.
In addition, the study identifies the mining and oil and gas industry as suffering the highest litigation rate among all other industries, with more than 30 percent of all cyber events litigated. Therefore, it is wise for the industry to stay focused on this area.
Companies should not be complacent about cybersecurity or rely on the findings of a single report. The consequences and costs of a cybersecurity breach can vary widely, based on the company’s size, customer base, regulatory oversight and other factors. Because the threats and risks related to information security change so quickly, an annual security assessment is recommended so that companies can keep an eye on these trends and evaluate their information security programs in this ever-changing context.