When it comes to cyber attacks, inaction is equal to the power of evil intent: according to the Ponemon Institute, negligence causes 39 percent, and criminal attacks cause 37 percent, of all data breaches.
On the other hand, organizational readiness to tackle emerging cyber risks is paying off. While the cost of a data breach to companies increased by about 7 percent from 2008 to 2010, it decreased by 24 percent—from $7.2 million to $5.5 million—from 2010 to 2011. Damages include lost business, diminished customer trust and resources put towards credit report monitoring.
"Companies have improved steps taken in both preparing for and responding to a data breach," writes Robert Hartwig, economist and president of the Insurance Information Institute (I.I.I.).
Malicious code is involved in 26 percent of all cyber attacks, followed by denial-of-service attacks, information gleaned from stolen devices, and malicious insider activity.
The expensive repercussions of these attacks include information loss (44 percent of associated costs), business interruption (30 percent of costs) and loss of revenue (19 percent of losses).
The number of data breaches, and their correlation to exposed records, is more difficult to pinpoint as the reported figures fluctuate from year to year. According to the Identity Theft Resource Center, there were 157 breaches in 2005 that caused the exposure of 66.9 million pieces of information. Jumping forward to 2008, 656 breaches exposed 35.7 million records. But in 2009, there were 447 breaches and only 17.3 million data exposures.
The center notes that while data-breach incidences have stayed above 400 since 2010, there were only 16.2 million, 22.9 million, and 17.3 million record exposures each year from 2010-2012, respectively.
This should not be taken as a sign to relax, writes Hartwig, who notes that former U.S. Homeland Security Secretary Janet Napolitano "recently warned that a major cyber attack is a looming threat that could have the same type of impact as Superstorm Sandy, knocking out power to a large swath of the Northeast," with water, electricity and gas especially exposed to infrastructure damage.
Hartwig also says the reported numbers themselves might not be entirely accurate. He says that as federal agencies like the SEC begin to require disclosure for public companies on cyber attacks, the number of reports will increase. "I think that reporting of cyber attacks is erratic and still in its infancy and so there's no consistency in the numbers," he says. "Many companies and government agencies simply do not disclose attacks for fear of spooking customers, investors and other constituents."
Hartwig adds, "While it's absolutely true that there have been large investments and improvements in cyber security that continue to thwart the majority of attacks, would-be cyber assailants do not sit by idly. Rather, their techniques and technology continue to evolve at a rapid pace. We need also be concerned about the threat of cyber terrorism and state-sponsored cyber attacks (e.g., China, Syria)."
The majority of the 447 data breaches reported in 2012 affected businesses (37 percent) and medical and healthcare companies (34.5 percent), far outpacing attacks on military and banking operations. The I.I.I. says LinkedIn, eHarmony, Zappos and Yahoo all experienced major public breaches last year.
However, when systemically important organizations get hit, they get hit hard: the government and military led all other sectors in number of records lost last year (7.7 million records, or 44.4 percent of all data lost to cyber attacks).
Thefts on banking and financial institutions still lagged behind in all categories, accounting for 3.8 percent of all breaches and 2.7 percent of records exposed in 2012. A March 2013 attack on South Korean banks and media companies paralyzed money machines across the country, and last year, card processor Global Payments lost 1.5 million cardholder payment card numbers.
Despite the rising costs and media attention given to cyber attacks in recent years, Harvard Business Review Analytic Services reports that less than 20 percent of all companies purchase cyber risk insurance to cover their costs in case of loss.