“We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.” That’s from a February 2018 report, “The Cost of Malicious Cyber Activity to the U.S. Economy,” by the Council of Economic Advisors – part of the Office of the President. It’s a big deal.
The White House is concerned about a number of sources of cyber threats, including from nation-states, corporate competitors, hacktivists, organized criminal groups, opportunists, and company insiders.
It’s not always easy to tell exactly who is behind some event, or even how to categorize, but the report says that it breaks down as roughly 25% insiders, 75% outsiders. “Overall, 18 percent of threat actors were state-affiliated groups, and 51 percent involved organized criminal groups,” it says.
It’s More Than Stolen Valuables
The report points out that the economic cost includes many factors, including the stolen property, the costs of repairs – and opportunity lost costs.
For example, the report says, “Consider potential costs of a DDoS attack. A DDoS attack interferes with a firm’s online operations, causing a loss of sales during the period of disruption. Some of the firm’s customers may permanently switch to a competing firm due to their inability to access online services, imposing additional costs in the form of the firm’s lost future revenue. Furthermore, a high-visibility attack may tarnish the firm’s brand name, reducing its future revenues and business opportunities.”
However, it’s not always that cut-and-dried, as intellectual property theft shows: “The costs incurred by a firm in the wake of IP theft are somewhat different. As the result of IP theft, the firm no longer has a monopoly on its proprietary findings because the stolen IP may now potentially be held and utilized by a competing firm. If the firm discovers that its IP has been stolen (and there is no guarantee of such discovery), attempting to identify the perpetrator or obtain relief via legal process could result in sizeable costs without being successful, especially if the IP was stolen by a foreign actor. Hence, expected future revenues of the firm could decline. The cost of capital is likely to increase because investors will conclude that the firm’s IP is both sought-after and not sufficiently protected.”
Indeed, this last example is particularly worrisome because, “IP theft is the costliest type of malicious cyber activity. Moreover, security breaches that enable IP theft via cyber may go undetected for years, allowing the periodic pilfering of corporate IP.”
Affecting the Economy
Do investors worry about cyber incidents? You bet. And it hits the share price of companies. According to the White House report, “We find that the stock price reaction to the news of an adverse cyber event is significantly negative. Firms on average lost about 0.8 percent of their market value in the seven days following news of an adverse cyber event.”
How much is that? Given that the study looked at large companies, “We estimate that, on average, the firms in our sample lost $498 million per adverse cyber event. The distribution of losses is highly right-skewed. When we trim the sample of estimated losses at 1 percent on each side of the distribution, the average loss declines to $338 million per event.” That’s significant.
Small and mid-sized companies can be harder hit by incidents, because they are less resilient: “Smaller firms, and especially those with few product lines, can easily go out of business if they are attacked or breached.”
Overall, the hit by cyber incidents cost the U.S. economy between $57 billion and $109 billion in 2016 – that’s between 0.31% and 0.58% of that year’s gross domestic product (GDP), says the report. That’s lot, but it could be worst. Let’s hope this amount doesn’t increase – by, say, a full-fledged cyberwar or significant terrorist incident.