Cost of Cyber-Events Worsening for Large Businesses

The Fortune 1000 will face significant cyber-loss events in future and will see costs mount up.

According to a new research paper by the Cyentia Institute, it is estimated that one in four Fortune 1000 businesses will suffer a cyber-related loss event, whilst there is a 6% chance that a Fortune 1000 firm will lose $100m or more in a 12 month period due to cyber-events.

The 2020 Information Risk Insights Study claimed that, in costs accrued to cybersecurity loss events, 10% of incidents would exceed $20m, with information services and retail sectors the most impacted and showing “abnormally high losses that exceed many other sectors by a factor of 10.”

Speaking to Infosecurity, Cyentia partner and co-founder Wade Baker said that having looked at 10 years of data and the frequency in reporting incidents, a larger organization is more likely to have a publicly-reportable incident. He added that Fortune 1000 businesses “are a bigger target and have a bigger target area and it is more likely that incidents make it into the headlines.”

Baker also acknowledged that not every incident is a “black swan,” and minor events were also considered for this research, “like if you violated the telephone privacy act and called a number you were not supposed to.”

The report also dismissed other research aiming to provide a cost per record in a data breach, as it stated that the “traditional method of estimating breach losses — using a flat cost per record — is flat-out wrong” as it results in a $1.7tn margin of error from overestimating losses. Baker said that the typical “cost per breach” research has “been around for a long time, and is a well-run course and that the typical estimations of $150 per record are not accurate and often are “grossly inaccurate.” 

Baker explained that a typical incident can result in a cost of a quarter of a company’s revenue, and in some cases, that can be absorbed by a larger organization who lose more money, but for a small business the cost may be less, whilst the impact on them can be greater.

He said: “One thing we are hoping to give is another option to quote the defacto way to cost a breach.” Baker also said that it is important to have a realistic cost for a breach to be able to do better planning, and if you do have a breach, know what the cost can be.

“Not every breach is a business ending event but it is a material event on the financial reporting sheet,” he said. “Some companies pay expenses to clear it up and go on, and so it is important to have a more accurate assessment of cost and of budget so it is in line with your risk tolerance.”

However, the statistics read more positively for small to medium businesses, as SMBs have breach rates below 2% and are less likely to suffer 10 or more incidents in a year. However, Baker acknowledged that there are more SMBs in the world than businesses in the Fortune 1000, so 2% is, in fact, a lot of companies.

What’s Hot on Infosecurity Magazine?