How much do US businesses lose due to malicious cyber activity?
Hardly a week goes by without a cyber incident making national news.
A recent example is a troubling attack on a water treatment facility in Indiana by Russian hackers. Luckily, this intrusion did not cause a major disruption to the plant’s operations, but it did raise concerns about what is to come.
While unsettling, such attacks are not surprising, given that nation-state-affiliated hackers often target critical infrastructure. Policymakers need to better understand which businesses and sectors of the economy are most at risk and help ensure that they are properly protected.
Fortunately, cyberattacks on critical infrastructure still make up just a small fraction of the overall malicious cyber activity aimed at U.S. businesses. In a recent paper, we compiled a dataset of adverse cyber events experienced by publicly traded firms in the U.S. Most likely due to stringent reporting requirements, the most prevalent cyber incidents involve theft of personal information belonging to customers and employees. Despite the Securities and Exchange Commission’s requirement for firms to disclose “material cybersecurity incidents,” there is ambiguity regarding which incidents qualify as material. Firms are generally reluctant to disclose bad news, which results in widespread underreporting.
Generally, cyber events, such as destructive cyberattacks, which impede firms’ operations and destroy equipment; ransomware attacks, which freeze firms’ data until a ransom is paid; and distributed denial of service attacks, which prevent users from accessing a company’s websites, can be observed by outsiders even without formal reporting. However, other highly detrimental forms of cyber compromise, such as industrial espionage and cyber-enabled theft of funds, are engineered to remain concealed as long as possible, even from the victim.
Firms face different cyber risks depending on the nature of their assets and operations. Our analysis shows that the risks are greater for firms that possess intangible assets, such as personally identifiable information or intellectual property. Additionally, firms that are contractors for defense and other government agencies are disproportionately targeted by hackers. Specifically, firms working on a government contract face a 142 percent to 183 percent higher probability of a cyber incident in the coming year. Furthermore, firms that work on strategically important frontier technologies and in critical infrastructure also face a significantly higher cyber risk.
All this crucial information about firms can be easily obtained by hackers from public sources. For example, announcements regarding a firm securing a new defense contract are widely disseminated through corporate press releases and by the Department of Defense. It might be prudent for both government and the contractors to refrain from publicizing such information.
Firms that fall victim to an attack experience a spectrum of negative consequences, ranging from immediate expenses for forensic analysis and security enhancements to longer-term losses associated with reputational damage, weakened competitive standing, higher cost of capital, and the loss of customers and suppliers. On average, firms in the paper’s sample lose 1.3 percent of their market value in the month following a cyber-incident. There might be concern that this estimate is overstated because it is taken from reactions to particularly severe cyber incidents that became publicly known. However, research suggests that firms tend to withhold information on the more damaging incidents while disclosing the less severe ones.
Crucially, economic losses from malicious cyberactivity spill over to firms that use similar technologies or have economic links to the affected firms. We estimate that the cumulative losses stemming from these spillover effects amount to 3.8 times the loss incurred by the directly affected firm.
So how much money do U.S. businesses lose as a result of malicious cyber activity?
It is challenging to estimate because a great number of cyber compromises remain undetected or unreported. A helpful source that gives an insight into the prevalence of significant cyber incidents is the annual cybersecurity breaches survey commissioned by the UK government. The 2024 survey encompassed 2,000 UK businesses, with half reporting some form of cyber incident in the last year. Thirteen percent of these incidents resulted in material losses, suggesting that 6.5 percent of businesses suffer a serious cyber incident in a given year.
Assuming this probability also holds true for U.S. firms, a quick back-of-the-envelope calculation can estimate the magnitude of total losses.
We can start with an aggregate market value of all domestic publicly traded firms of $46 trillion, and a value of all private businesses of $13.6 trillion, or $17.5 trillion in today’s dollars. We can further assume that 6.5 percent of businesses experience a material cyber incident in a given year, resulting in an average loss of 1.3 percent of the company’s market value. Accounting for the negative spillover effects, we estimate the total loss incurred by public and private companies to be almost $264 billion.
If we exclude the spillover effects for private companies, which may be less interconnected, the total loss comes to $207 billion. These figures amount to between 0.8 percent and 1 percent of the 2023 U.S. GDP.
While these estimated losses are large, there is a silver lining, as not all losses incurred by businesses are dead-weight losses or wealth transfers from firms to cybercriminals. The growth of malicious cyberactivity has spurred innovation in the burgeoning cybersecurity sector, which is quickly becoming an export sector for the U.S. economy. The expansion of this sector is imperative to help U.S. businesses in strengthening their defenses against future threats, and ultimately rendering cybercrime less lucrative.
Anna Scherbina is a nonresident senior fellow at the American Enterprise Institute (AEI) and a professor of finance at Brandeis University’s International Business School.