
The true cost of a cyber attack

Monday, August 12th, 2024

Updated November 22nd, 2024


Marketing

Calculating the true cost of a cyber attack is difficult. No two attacks are the same, and companies respond differently. Yet it is important to report on this in as much detail as possible, to accurately represent the full picture of what happens when an attack hits your business.

Suffering an attack usually comes with very large consequences. Taking preventative measures must be a priority for any company that conducts business and holds data online.

Financial costs

Probably the most obvious reason a company worries about cyber attacks is the financial cost that comes with them. We’ll look at this in as much detail as possible, starting with direct costs.

Legal fees and fines come to mind first. Regulations such as GDPR, HIPAA and PCI DSS are the ones most often breached, with hefty fines as a result.

In 2018 British Airways received a £183m fine, later reduced to £20m. Read that full story here. And very recently Kaiser Permanente breached the HIPAA rules, which we reported on here. In both cases, user data was exfiltrated through the client side, which could have been detected and prevented.

But Meta currently holds the record fine. In May 2023, Ireland’s DPC fined Meta Ireland €1.2 billion for violating GDPR. The penalty relates to data transfers from the EU/EEA to the US without sufficient privacy safeguards.


Revenue loss

Downtime during an attack can halt business operations, leading to significant revenue losses. IBM's Cost of a Data Breach Report 2023 found that the average cost of a data breach is $4.45 million, with lost business representing the largest share of this cost.

This figure rises by a few hundred thousand dollars every year, and it is only the average.

In the recent Polyfill attack, Google stopped serving ads to websites that loaded the malicious script. This pressured site owners to remove the script by cutting off their ad revenue.

Google is now sending a warning about loading 3rd party JS from domains like polyfill.io bootcss.com bootcdn.net & staticfile.org that may do nasty things to your users if your site uses JS from these domains.
Michal Špaček (@spazef0rze), June 25, 2024

Needless to say, this was a great reaction by Google. But it also cost the affected sites their ad revenue until they took action, a cost they had to bear.

Customer compensation

When customers are impacted, they often rightfully sue for compensation. In 2019, Equifax agreed to a settlement of nearly $700 million for federal and state investigations into a breach affecting about 150 million people, with $425 million of the settlement going directly to the consumers impacted.

Reputational damage

Reputation is an invaluable asset, and a cyber attack severely damages trust. Negative media coverage puts extra pressure on businesses going through an attack and its aftermath. Even though Marriott booked profits in 2018, it’s fair to assume that they received fewer bookings after their 2018 data breach, which affected 500 million guests.

Or recall when Yahoo disclosed two significant breaches and its acquisition price was slashed by $350 million.

We often only consider the immediate impact, but there is also a long-term one. Calculating that is nearly impossible, but the 2018 Cambridge Analytica scandal serves as a telling example.

The fallout from this scandal was massive and reached worldwide news channels for weeks. Cambridge Analytica later announced that it would cease all operations because the reputational damage was so severe that it drove away virtually all of its customers and suppliers.


Operational disruption

Downtime is another immediate result of a cyber attack. The ransomware attack on Norsk Hydro in 2019 resulted in an estimated operational disruption cost of $71 million in the first week alone. In that case, 35,000 employees had files, servers and PCs locked. IT and security teams must shift focus and respond to the breach, delaying other projects. Often external teams are brought in to help fix the issue, which drives up costs even more.

Paying ransom

In that same Norsk Hydro example, the attackers left a note saying “The final price depends on how fast you contact us.” and demanded payment in Bitcoin.

Norsk Hydro instead opted to restore its data from trusted backup servers.

London-based foreign currency exchange Travelex, on the other hand, was targeted by the ‘Sodinokibi’ ransomware group on New Year’s Eve 2019. The attackers encrypted Travelex’s data and initially demanded $6 million.

The readme file left behind on their systems said:

“It is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities – nobody will not co-operate with us. It is not in our interests. If you do not co-operate with our service – for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.”

After negotiations, Travelex paid a $2.3 million ransom to regain access to its files. The attackers handed over the decryption key, and Travelex resumed operations.

Technology and infrastructure upgrades

After being targeted by the ‘LockBit’ ransomware group in January 2023, the UK’s Royal Mail faced severe operational disruption. The attack particularly impacted its Heathrow Worldwide Distribution Centre, which processes almost all mail entering and leaving the UK, resulting in chaos.

To remediate the attack and bolster its security, Royal Mail spent approximately £10 million upgrading its infrastructure in the six months that followed. This was reported as a 5.6% yearly increase in infrastructure costs for the company.


Additional hidden costs

Besides the obvious costs mentioned above, articles reporting on the total cost of a cyber security attack almost always fail to include the following:

Increased insurance premiums

Cyber insurance premiums can rise significantly after an attack. According to the Cyber Insurance Seeing Influx of Newcomers as Risk Awareness Grows report, 77% of survey respondents experienced annual premium hikes, driven largely by an increase in claims from data breaches and other cyber incidents.

Insurance not paying out

While it wasn’t a cyber attack, the recent CrowdStrike debacle also appears to be causing significant insurance problems. CrowdStrike was at fault for a lot of damage, but since it wasn’t a cyber attack, insurance companies are hesitant to pay out.

If anybody is wondering where cyber insurance stands on CrowdStrike - I have friends at 3 different insurers, and they all say they won't cover the claims as they're outside the policy.
Kevin Beaumont (@GossiTheDog), July 22, 2024

These policies aren’t iron-clad, leaving companies with the bill in cases like this. A lawsuit against CrowdStrike to recover the resulting costs and losses is almost certainly pending.

Long-term revenue losses

Customer attrition following a breach can lead to long-term revenue decline. In the US, PCI Pal reports that 83% of consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach, and over a fifth (21%) of consumers claim they will never return to a business post-breach.

Stock price decline

Publicly traded companies often see a dip in their stock price following a breach. In October 2023, Okta disclosed a data breach which, coupled with Okta's delayed response, led to a notable drop in its stock price. Following the disclosure, Okta’s share price fell nearly 12% as investors reacted to the news and the potential long-term implications of repeated security issues.

And, to return to the CrowdStrike example, CrowdStrike's stock fell sharply, erasing millions in value on paper.


Vendor and partner relations

While reported examples are rare, it is not a stretch to imagine that partners and vendors look for new opportunities when a company gets attacked.

Opportunity costs

Opportunity costs occur when teams must shift focus to deal with the breach and help secure the company post-attack. This consumes employees’ time and often additional resources, which can hinder innovation and progress, on top of the recurring monthly cost of any added tools.

Intellectual property theft

In 2011, AMSC’s largest customer, Sinovel Wind Group, illegally obtained AMSC’s source code for wind turbine software. The court investigated this issue and concluded:

“Rather than pay AMSC for more than $800 million in products and services it had agreed to purchase, Sinovel instead hatched a scheme to brazenly steal AMSC’s proprietary wind turbine technology, causing the loss of almost 700 jobs and more than $1 billion in shareholder equity at AMSC.”

The true cost of a cyber attack

So calculating the true cost of a cyber attack is tough, since each incident and response varies. But it is crucial to understand the full picture beyond immediate financial losses. The repercussions of a cyber attack can be devastating, affecting not only finances but also reputation, operations and long-term viability.

To get some idea of actual costs, Accenture estimates that the cost of cybercrime worldwide will reach $10.5 trillion in 2025. It has also observed a 200% increase in levels of disruption in this space from 2017 to 2022.

We think it is fair to say that attention should be paid to cybersecurity in the broadest of terms.

Preventative measures should be a top priority for any company, which is why we developed our approach to stop 0-day third-party script attacks. We hope that understanding these impacts serves as extra motivation to get ahead of any potential issues.

Don’t be the story: you can start with c/side for free today.