View this article online: https://www.claimsjournal.com/news/national/2020/03/23/296136.htm
For the the top 250 U.S. firms in terms of revenue, the chance of a data breach in any given year is about the same as the chance a coin will turn up heads when flipped, according to an analysis by the Cyentia Institute.
While frequent, typical cyber losses typically cost only 0.00003% of annual revenues for large companies with revenues of $100 billion or more, Cyentia said.
For small and mid-sized companies, the chance of a breach is only 2% in a year. But small companies — those that bring in less than $100,000 per year — will likely lose 25% of annual earnings in a data breach.
Cyentia’s Information Risk Insights Study uses data from Advisen, an insurance industry analytics firm, to give risk managers a tool to gauge the chances of a cyberattack and the potential losses as a result. Advisen gleans its dataset from public records such as court documents and Securities and Exchange Commission filings.
Cyentia analyzed data from 56,000 known cyber events,1,900 of which resulted in losses, and compared that to Advisen’s data on the number of firms in the U.S. economy.
“This does not address the question of ‘what should we do?’, but it does help with deciding what we are risking and how much risk does that represent,” said Wade Baker, a Virginia Tech business professor and Cyentia’s co-founder.
Perhaps the most surprising revelation was how frequently large U.S. corporations experience a cyber loss. Cyentia determined that 60% of the Fortune 1000 (the top 1,000 U.S. firms by revenue as ranked by Fortune Magazine) had at least one cyber incident in the last decade.
The bigger the firm, the higher the risk of a breach. Cyentia determined that one out of four Fortune 1000 firms will suffer a loss event in any given year. But for firms in the top 250, the chances of a breach were slightly less than one in two.
The top 250 firms are nearly five times more likely to have a breach than the bottom 250, Cyentia said. For firms closer to the bottom of the Fortune 1000 list, the chance of 10 or more breaches was about one in 100 in a year.
The likelihood of a cyber event was radically different for smaller companies. Firms with less than $1 billion in revenue had a 2% chance of experiencing a breach in a given ear. That likelihood increased to 9.6% for firms with revenue of $1 billion to $10 billion, to 22.6% for firms with $10 billion to $100 billion in revenue and to just over 75% for firms with more than $100 billion revenue.
“As your organization grows, you become a more attractive target because people think of you more,” said David F. Severski, a data scientist with Cyentia. “It’s like you have a ‘kick me’ sign on you.”
Cyentia’s analysis of losses from data breaches was more complicated. The institute said the average loss across industries of all sizes was $19 million, but that figure is misleading because 90% of breaches cost less than that. Losses around $200,000 were more typical and that is the approximate median loss — meaning half of the losses were less and half more.
Large losses of more than $10 million, however, were not uncommon. In fact, Cyentia’s charts — which show cyber losses as dots on a scale marked by the dollar amount — showed three losses of more than $1 billion.
“Next time you’re asked what a breach will likely cost, ‘A couple hundred thousand dollars’ is a simple and sound answer backed by lots of evidence,” the report said. “It’s also totally appropriate to add, ‘But there’s a 10% chance it could be 100x higher than that (or more),’ to cover your assumption.”