CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

Ponemon Institute Reports 56% Increase in Cost of Cyber Crime

Posted in Cyber Breach, Cyber Costs, Insurance

The costs associated with cyber crime have increased significantly over the past year according to the Second Annual Cost of Cyber Crime Study the Ponemon Institute released earlier this month. 

The total annualized cyber crime cost for those organizations that participated in the study ranged from $1.5 million to $36.5 million, with a median cost of $5.9 million, an astounding 56% increase from 2010. 

Of the organizations sampled, those in the defense, utilities & energy and financial services sectors once again had the highest annualized costs ($19.93 million, $19.78 million and $14.70 million, respectively).  Although the hospitality and retail sectors historically have been a prime targets for cyber crime, their costs were significantly lower — $3.31 million and $2.99 million, respectively. 

The study confirms that cyber attacks are now a “given” for businesses.  The organizations sampled collectively experienced 72 discernible and successful cyber attacks each week, or 1.4 attacks per organization per week.  As the saying goes “it’s not a question of ‘if,’ it’s a question of ‘when.'” 

And, although the types of attacks were varied, all of the organizations reported attacks caused by viruses, worms and/or trojans, while 96% experienced malware attacks and 82% experienced botnet attacks.  By contrast, only 4% reported denial of service (“DoS”) attacks.  The costs of these types of claims, however, were inverted — DoS attacks cost $187,506, while viruses, malware and botnets cost $1,517, $1,579 and $1,727, respectively.

Not surprisingly, the time required to resovlve the attacks also increased.  In 2010, it took on average 14 days to resolve an attack.  The costs to resolve an attack over that 2 week period were $17,696 per day, or $247,744 for the entire period.  This year, we have seen a 67% increase in those numbers as it now takes an average of 18 days to resolve an attack, resulting in a cost of $22,986 per day, or $413,784 for the period.

The study also indicated that while smaller organizations experience a higher proportion of cyber crime costs arising out of malicious code and malware, larger organizations experience a higher proportion of costs pertaining to malicious insiders, stolen or hijacked devices and DoS attacks.  Smaller companies also incur a significantly higher per capita cost ($1,088) than larger organizations ($284).

According to the study, information loss to an organization accounts for 40% of the total external cyber crime costs, a 2% decrease from last year.  However, the external costs associated with business disruption increased 6% to 28% of the total external costs.  Cyber crime recovery and detection is the largest element of internal costs at 45%; followed by containment and investigation, which each represent 16% of the internal activity costs.

According to Dr. Larry Ponemon, “as the sophistication and frequency of cyberattacks increases, so too will the economic consequences.”  A review of our In The News section details attacks over the past couple of months against corporate giants such as Sony, Citibank and Apple, as well as government bodies and agencies, including the Brazilian government, German federal police and customs service, U.S. law enforcement agences, NATO and others.  The sophistication and frequency of these attacks are obviously increasing. 

However, Roger Grimes of InfoWorld has commented that law enforcement agencies are begining to make some progress in their efforts to track down and even stop the cyber criminals.  It remains to be seen whether this progress will continue and if so, whether it will impact cyber crime costs going forward.

In the meantime, cyber crime clearly is a reality for businesses, regardless of their size or industry.  And, as shown by the study, this risk presents significant and growing costs for companies — costs that companies will look more and more to their insurers to pick-up.  However, unless a company has cyber liability insurance, many of these costs will likely go uninsured.