- The median loss for incidents meeting our qualifications for “extreme” is $47M, with just over one-in-four exceeding $100M; five events racked up $1B or more in losses.
- Relative to annual corporate revenues, losses from these events range from less than 0.1% to nearly 100 times the affected firm’s revenue!
- Response costs, lost productivity, and fines and judgements are the most common forms of loss in extreme events.
- Firms that bungle the incident response process show costs that are nearly 2.8 times larger than those without signs of poor response.
- Apart from hard costs, 27 events were reported in U.S. Securities and Exchange Commission (SEC) filings, 25 triggered executive changes, and 23 prompted government inquiry.
- Data breaches, ransomware, fraud, and cryptocurrency theft are by far the most common and costliest types of extreme cyber events.
- One in five of the largest losses over the last five years is attributed to state-affiliated actors. All told, they’re responsible for 43% of all monetary losses in this study!
- A single campaign, NotPetya, was responsible for nearly 20% of all financial losses across these 103 extreme events.
- Stolen passwords and other credential-related attacks led to more incidents (46) and more total losses ($10B) than any other threat action.
- Remote access malware planted by actors contributed to the second-highest totals for event frequency (31) and losses ($9.2B).
- Web application attacks placed third in frequency (25 events; $2B), but exploitation of known and patchable vulnerabilities ranked third in cost (22 events; $8B).
What will you see in the IRIS Xtreme?
This preview features two example charts on the range of data being explored in the IRIS Xtreme, but the full report includes far more charts analyzing this data in much greater detail.
The chart below demonstrates the full range of events first explored in the IRIS 20/20 report. That first report performed a review of the entire population of loss events. In this Xtreme follow-up we perform a deep dive into these largest of the large loss events to determine the causes and effects of these potentially catastrophic events.
This next chart shows the distribution of Xtreme events compared to the revenue size of the organizations affected. For the majority of organizations, even these catastrophic events represent 10% or less of their annual revenue. For an unlucky 14% of the firms, these extreme events result in costs that exceed annual revenues. These 14% of firms are typically the smaller firms (firms with less than $50 million in revenues).
- Over 60% of the Fortune 1000 had at least one public breach over the last decade. On an annual basis, we estimate one in four Fortune 1000 firms will suffer a cyber loss event. That ratio approaches 50% for the Fortune 250.
- Moving beyond mega-corporations, the probability of cyber incidents drops substantially. SMBs have breach rates below 2% and are orders of magnitude less likely to suffer several in a year.
- The likelihood of breaches also varies by industry. Government agencies, administrative and information services, and financial and management firms have the highest rates. Construction, agriculture, and mining occupy the lower end of the frequency spectrum.
- The traditional method of estimating breach losses—using a flat cost per record—is flat-out harmful. It overestimates losses by $1.7 trillion relative to actual recorded values. We demonstrate a better method for more accurate cyber risk assessments.
- We can use the number of exposed records to estimate breach losses, but it’s probabilistic rather than deterministic. An exposure of 1,000 records has a 6% chance of exceeding $10M. By comparison, a massive breach of 100M records has a better than 50% chance of racking up at least $10M in losses.
- Financial losses following a cyber event typically run about $200K, but 10% of breaches exceed $20M. The cost of extreme events (95th percentile) to the mega corporations in the Fortune 250 approaches $100M (or more).
- Typical and extreme losses differ substantially among industries. The information services and retail sectors show abnormally high losses that exceed many other sectors by a factor of 10.
- Cyber events show harsh economies of scale. A $100B enterprise that experiences a typical cyber event ($292K) should expect a cost that represents 0.000003% of annual revenues. A mom and pop shop that brings in $100K per year, on the other hand, will likely lose one-quarter of their earnings ($24K) or more.
- Based on these frequency and loss estimations, we assess that there’s a 6% chance that a Fortune 1000 firm will lose $100M or more in a 12-month period due to cyber events. These are the type of probabilistic risk statements we’re aiming to support in this study.
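As an added illustration of how a frequency estimate and a loss distribution combine into a statement like “X% chance of losing $100M or more in a year”, the block below runs a simple frequency-times-severity simulation. This is not Cyentia's model and is not fitted to the IRIS dataset: it assumes a Poisson event count calibrated so that 25% of firms see at least one event per year, and a lognormal per-event loss calibrated to the two figures quoted above (a typical loss of about $200K and 10% of events above $20M). Those assumptions are the author's of this example; in particular, a Poisson count cannot reproduce the heavy multi-event tail the report describes, so the resulting probability is illustrative and will not match the report's 6%.

```python
"""Annual cyber-loss exceedance from a frequency x severity simulation.

Added illustration (not Cyentia's model or data). Assumptions:
  - event count per year ~ Poisson(rate), rate chosen so P(N >= 1) = 0.25
  - loss per event ~ lognormal with median $200K and 90th percentile $20M
Standard library only, so it runs offline.
"""
import math
import random

# z-score of the 90th percentile of the standard normal: Phi(Z_90) = 0.90
Z_90 = 1.2815515655446004


def lognormal_params(median, p90):
    """Return (mu, sigma) of a lognormal with the given median and 90th percentile."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z_90
    return mu, sigma


def single_loss_exceedance(mu, sigma, threshold):
    """P(one event's loss >= threshold) under lognormal(mu, sigma), via the normal tail."""
    z = (math.log(threshold) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2))


def poisson_rate_from_p_any(p_at_least_one):
    """Poisson rate such that P(N >= 1) equals p_at_least_one (P(N=0) = exp(-rate))."""
    return -math.log(1.0 - p_at_least_one)


def simulate_annual_exceedance(rate, mu, sigma, threshold, trials=20_000, seed=1):
    """Monte Carlo estimate of P(total annual loss >= threshold).

    Each trial draws a Poisson number of events, then one lognormal loss per
    event, and sums them. Deterministic for a given seed.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # Knuth's Poisson sampler: multiply uniforms until the product drops below e^-rate.
        n, p, limit = 0, 1.0, math.exp(-rate)
        while True:
            p *= rng.random()
            if p < limit:
                break
            n += 1
        total = sum(rng.lognormvariate(mu, sigma) for _ in range(n))
        if total >= threshold:
            hits += 1
    return hits / trials


def fortune_1000_example(threshold=100_000_000):
    """Illustrative P(annual loss >= threshold) under the assumptions above."""
    mu, sigma = lognormal_params(200_000, 20_000_000)
    rate = poisson_rate_from_p_any(0.25)
    return simulate_annual_exceedance(rate, mu, sigma, threshold)


if __name__ == "__main__":
    mu, sigma = lognormal_params(200_000, 20_000_000)
    print(f"lognormal mu={mu:.3f} sigma={sigma:.3f}")
    print(f"P(single event >= $20M)  = {single_loss_exceedance(mu, sigma, 2e7):.1%}")
    print(f"P(single event >= $100M) = {single_loss_exceedance(mu, sigma, 1e8):.1%}")
    print(f"P(annual loss >= $100M)  = {fortune_1000_example():.2%}")
```

The closed-form `single_loss_exceedance` is the sanity check for the simulation: with the calibration above it returns exactly 10% at $20M, and the simulated annual figure should sit slightly above `rate * P(single event >= $100M)`, the extra coming from years in which several sub-threshold events add up. Swapping the Poisson count for an overdispersed distribution (e.g. negative binomial) is what you would change to represent the “3% chance of 10 or more events” tail.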
What will you see in the Xtreme?
We analyze organizational risk factors across multiple dimensions, including Fortune 1000 rankings, industry sector, and annual revenue. This preview features two example charts comparing the F1000 to SMBs, but the full report includes similar charts (and even more detailed tables) for many other segments of interest.
The chart below compares the annual probability of the Fortune 1000 and SMBs (revenues below $100M) having one or more breaches. Approximately 1 in 4 F1000 firms will report at least one cyber loss event in a given year and there’s a 3% chance they could suffer 10 or more. Only 1 in 1000 SMBs are likely to experience a breach and only 1 in 100K of them will stretch that number to 10 in any single year (but there are A LOT of SMBs out there).
This next chart assesses the financial impact of cyber events to the F1000 and SMBs. Each dot represents losses associated with a real historical incident in our dataset. The gray bars mark the expected cost of a “typical” breach and the red bars denote financial damages from extreme events (95th percentile). Losses from extreme events are 100-fold larger than typical events for both groups of organizations. It may seem like the F1000 have it rough with 10X higher losses, but revenue-wise, breaches cause more harm to SMBs.
Would you like to see more?
We hope so! Both the IRIS 20/20 and the IRIS 20/20 Xtreme full reports are available for download now, with no registration required. Engage with us on Twitter (@cyentiainst and #iris2020) or send us your thoughts directly via email below. We will continue the IRIS research series in the future to discover even more insights for managing information risk. If you’d like to join in that effort by contributing relevant data or sponsoring a study, please reach out to us!
The Cyentia Institute is a research & data science firm with a mission to advance knowledge in the cybersecurity industry. We accomplish this by partnering with vendors and other organizations to publish a range of high-quality, data-driven content.