In a risk assessment, total risk is often calculated as a product of probability and impact. To make a proper risk assessment of cyber attacks, companies need to know both the probability and the impact of cyber attacks. This article explores the impact. What are the consequences of getting hacked?

Introduction

If a company gets hacked, this results in technical costs to recover from the hack as well as damage to the public image of the company, impacting sales. This latter category is hard to estimate, as in most cases it is hard to say what would have happened if the company didn’t get hacked. Nevertheless, several studies have attempted to calculate the total cost of a cyber security breach. The results of these studies are all over the place:

Among the 46 per cent of businesses that detected breaches in the last 12 months, the survey finds that the average business faces costs of £ 1,570 as a result of these breaches. [11]

Therefore, the estimates of damage run into hundreds of millions of dollars, supporting the assertion that the risks of targeted cyber-attacks are not exaggerated. [6]

So we can be sure that the costs range from £ 1,570 to hundreds of millions of dollars. That’s quite a range, so let’s break it down.

Possible negative results of a hack

A company that gets hacked experiences many cost factors. It takes work to recover from the hack. Users may lose trust in the company and take their business elsewhere. In this article we will look at these possible damages from a hack:

  • cost of investigating the hack;
  • cost of reinstalling systems and otherwise recovering technically;
  • brand damage and loss of sales;
  • lost revenue due to denial of service;
  • loss of intellectual property or valuable data;
  • legal defense;
  • fines.

Cost of investigating

A hack is rarely detected by a watchful system administrator. Often a company only notices something is wrong when data has been manipulated, or their records become available on the internet. Then it is a big task to find out how the hack took place. This is quite a lot of work and has to be done carefully. Often, a consultancy firm specializing in this type of assignment is hired. If there is suspicion of a crime, a forensic team needs to analyze the evidence.

This type of cost depends largely on the type of hack. If it is immediately obvious how the company got hacked, the investigation may be over quickly. For large, complex companies that only notice the breach when their records are published, this can become quite costly.

Sony spent $15 million “in investigation and remediation costs” [17], which suggests that investigation is a substantial part of that.

Cost of technical recovery

After a hack, systems need to be reinstalled and redeployed to make sure nothing of the hacker is left behind. Although this can be quite costly, the expenses can be reasonably calculated beforehand. Another cost factor is that the employees who are reinstalling systems cannot work on anything else, so there may be a delay in projects.

Brand damage and loss of sales

A cyber attack can significantly influence the way people view the company. Customers lose trust in the company because it has been hacked, and this results in loss of sales. According to [2], the growth in sales can be cut almost in half:

We find that large firms experience a significant decrease in ROA, cash flow, and sales growth after the attacks. The decrease in sales growth is of 3.4 percentage points […], which is large compared to the average sales growth of 8 percent the year before the attack for the sample of affected firms.

Lost revenue due to denial of service

A cyber attack can temporarily disrupt operations. The cost depends on how vital your IT infrastructure is to your work and how much turnover you lose in a given amount of time. In the 2017 NotPetya ransomware attack on Maersk, the shipping company’s computers were down for several weeks [4]. A company with a yearly revenue of 30 billion dollars was brought to a halt for a couple of weeks.

Loss of intellectual property or valuable data

In a cyber attack, confidential data can be compromised. The cost of this is hard to express in money, but here is an example:

For example, an employee of Valspar Corporation unlawfully downloaded proprietary paint formulas valued at $20 million, which he intended to take to a new job in China, according to press reports. This represented about one-eighth of Valspar’s reported profits in 2009, the year the employee was arrested. [5]

Legal defense

If you got hacked because your security was criminally bad, your customers may sue you for exposing their data. Lawyers are expensive, and especially in the U.S. the cost of a legal battle can escalate quickly.

Just last week, Target agreed to pay $10 million in a proposed settlement of a class-action lawsuit related to a huge 2013 data breach. [17]

Fines

Especially in Europe, there are laws on how to protect customer data, such as the GDPR. Breaking such a law and exposing customer data may get you fined, up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. These fines are real and significant, as TalkTalk discovered in 2016:

Telecoms company TalkTalk has been issued with a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”. [12]

And again in 2017:

The Information Commissioner’s Office has fined TalkTalk Telecom Group PLC £100,000 after it failed to look after its customers’ data and risked it falling into the hands of scammers and fraudsters. [13]

Factors influencing impact

The impact of a cyber attack greatly depends on the type of company and type of attack. Several factors increase the cost of a cyber attack. The impact is higher when:

  • the attack follows an earlier attack [2]
  • the attack results in loss of personal information [2]
  • the company is in the health, financial or services sector [9]
  • the company is older [2]

On the other hand, the impact is lower when:

  • the company has an incident response team [9]
  • the company has a risk management committee on the board [2]
  • the company trains employees on cyber security [9]
  • the company makes extensive use of encryption [9]

Case studies

Target

In December 2013, hackers attacked the retail store Target and acquired 70 million customer records. Target is a fairly large company with a revenue of about $73 billion yearly and net earnings of about $3 billion yearly. The direct costs of the hack are reported as $61 million:

In the fourth quarter of 2013, we recorded $61 million of pretax Data Breach-related expenses, and expected insurance proceeds of $44 million, for net expenses of $17 million ($11 million after tax), or $0.02 per diluted share. […] Expenses include costs to investigate the Data Breach, provide credit-monitoring services to our guests, increase staffing in our call centers, and procure legal and other professional services. [18]

These are the costs directly following the hack, so these do not include legal services and settlement costs. In the end, Target’s earnings before interest and tax decreased by more than a quarter:

Target’s EBIT decreased by $1.59 billion (-28.6%) from $5.52 billion during the four quarters prior to the breach to $3.94 billion during the four quarters after the breach. In addition, Target reported data breach-related expenses of $292 million including the settlement of class action lawsuits and investigations by state prosecutors in its 2016 10-K. [2]

Cryptocurrency exchanges

Bitcoin exchanges trade in cryptocurrency and as such absolutely need the trust of their customers. Unlike other data breaches, compromise of bitcoin can directly transfer ownership of a lot of money. As such, cryptocurrency hacks typically have a very large impact, often resulting in the end of the company.

  • Mt. Gox lost $450 million in bitcoins and has filed for bankruptcy.
  • Bitfinex had $73 million stolen and is struggling as a company.
  • Bitfloor had $25,000 stolen and ceased operations the next year.

For a cryptocurrency exchange, cyber security is of vital importance. Getting hacked often results in both losing a large sum of money and a total loss of trust from the customers.

Equifax

Equifax is a U.S. consumer credit agency with a yearly revenue of around $3.4 billion. In 2017, an attack compromised 145 million consumer records. In November 2017, it spent $87.5 million on direct costs relating to the breach, and lost about a quarter of its income:

Its net income fell 27 percent to $96.3 million in the third quarter. [20]

The total cost of this hack is still unclear, as lawsuits and investigations are still ongoing. However, in early 2018 it was already fairly astronomical:

That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance. [19]

It surprises me that Equifax hasn’t ceased operations. Their data is their core business and virtually all of it was compromised. The brand name has been irreparably damaged. Still, the company thinks it can continue doing business after the hack. Apparently Equifax wasn’t totally destroyed yet after the hack.

Conclusion

Although numbers vary on how much they cost exactly, we can conclude that hacks are very expensive. Both direct costs (investigation and recovery) and indirect costs (loss of sales) are significant. For large hacks, costs of the hack can be around 10% of yearly earnings, and can result in more than a quarter in lost earnings following the hack.

Read more

  1. The Economic Impact of Cyber-Attacks
  2. What is the Impact of Successful Cyberattacks on Target Firms?
  3. The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster
  4. The Untold Story of NotPetya, the Most Devastating Cyberattack in History
  5. Foreign spies stealing US economic secrets in cyberspace
  6. Cybersecurity risks: are they inflated?
  7. Classified report on Bureau of Meteorology cyber attack recommends computer system overhaul
  8. The impact of cybercrime on businesses
  9. 2018 Cost of a Data Breach Study
  10. Measuring the Economic Effects of Data Breaches on Firm Outcomes: Challenges and Opportunities
  11. Cyber security breaches survey 2017
  12. TalkTalk gets record £400,000 fine for failing to prevent October 2015 attack
  13. Personal data belonging to up to 21,000 TalkTalk customers could have been used for scams and fraud
  14. Cyber security breaches survey 2018
  15. The Hiscox Cyber Readiness Report 2017
  16. Uber will pay $148 million for 2016 data breach coverup
  17. How much do data breaches cost big companies? Shockingly little
  18. Target 2013 Annual Report
  19. Equifax breach could be most costly in corporate history
  20. Massive data breach has cost Equifax nearly $90 million