Hardly a day goes by when a cyber incident doesn’t make national news.
Recent examples are troubling Attack on Indiana water treatment facility By Russian hackers. Fortunately, this intrusion did not cause any major disruption to factory operations; concerns about what will happen next.
Although disturbing, such attacks are not surprising, considering: Nation-state-linked hackers often target critical infrastructure. Policymakers need to better understand which businesses and sectors of the economy are most at risk and help ensure they are adequately protected.
Fortunately, cyberattacks against critical infrastructure make up a small portion of all malicious cyber activity targeting U.S. businesses.in recent papershas compiled a dataset of adverse cyber events experienced by publicly traded companies in the United States. Perhaps due to strict reporting requirements, the most prevalent cyber incidents involve the theft of identity belonging to customers and employees.in spite of The Securities and Exchange Commission requires companies to disclose “significant cybersecurity incidents.” There is ambiguity as to which incidents are considered significant. Companies are generally reluctant to disclose bad news, resulting in widespread underreporting.
A cyber event, typically a destructive cyber attack that disrupts a company’s operations and destroys its equipment. ransomware attack. Freeze a company’s data until the ransom is paid. Also, distributed denial-of-service attacks that prevent users from accessing a company’s website can be observed by outsiders without formal reporting. However, other highly harmful forms of cyber breaches, such as industrial espionage and cyber-enabled financial theft, are designed to be hidden for as long as possible, even from the victim.
Companies face different cyber risks depending on the nature of their assets and operations. Our analysis shows that companies that hold intangible assets such as personally identifiable information and intellectual property are at greater risk. Additionally, companies that are contractors for defense and other government agencies are targeted by hackers. Specifically, companies working on government contracts face challenges such as: 142% to 183% Cyber incidents are likely to occur next year.Furthermore, strategically important frontier technologies and critical infrastructure They also face very high cyber risks.
All this important information about a company can be easily obtained by hackers from public sources. For example, announcements about new defense contracts awarded by a company are widely disseminated through company press releases and government agencies. Department of Defense. It may be prudent for both governments and contractors to refrain from releasing such information.
Victims of attacks face a wide range of costs, from immediate costs for forensic analysis and security enhancements to long-term losses from reputational damage, reduced competitiveness, higher capital costs, and loss of customers and suppliers. You experience a variety of negative effects. . On average, companies included in the newspaper’s sample lose 1.3% of their market value in one month after a cyber incident. There may be concerns that this estimate is overestimated because it comes from a response to a particularly severe cyber incident that became public knowledge. but, research suggests Companies tend to withhold information about more damaging incidents, while disclosing information about less severe incidents.
Importantly, the economic losses from malicious cyber activity spill over to companies that use similar technology or have economic ties to the affected companies. The cumulative losses resulting from these spillover effects are estimated to be 3.8 times higher than the losses suffered by directly affected companies.
So how much can U.S. companies lose as a result of malicious cyber activity?
It is difficult to estimate because many cyber breaches go undetected or unreported. A useful source that provides insight into the prevalence of major cyber incidents is the annual Cybersecurity Breach Survey commissioned by the UK government.of 2024 survey 2,000 UK businesses were targeted, with half reporting some kind of cyber incident in the last year. 13% of these incidents resulted in significant losses, suggesting that 6.5% of businesses suffer a significant cyber incident each year.
Assuming this probability holds true for U.S. companies, we can perform some simple behind-the-scenes calculations to estimate the total loss.
You can start with the sum of the market values of all publicly traded companies in the country. 46 trillion dollarsthe value of all private companies is $13.6 trillion, equivalent to $17.5 trillion in today’s dollars. Furthermore, in a given year he can also assume that 6.5% of companies experience a major cyber incident, resulting in an average loss of 1.3% of the company’s market value. Taking into account negative spillover effects, the total loss suffered by public and private enterprises is estimated at almost $264 billion.
Excluding spillovers to private companies, which may be less interconnected, the total loss would be $207 billion. These numbers correspond to his 0.8% to 1% of US GDP in 2023.
Although these estimated losses are large, there is a silver lining as not all losses incurred by businesses are deadweight losses or wealth transfers from businesses to cybercriminals. The rise in malicious cyber activity is accelerating innovation in the fast-growing field of cybersecurity. It is becoming an export sector of the US economy. Expanding this area is essential to helping U.S. companies better protect against future threats and ultimately making cybercrime less profitable.
Anna Shelbina is an adjunct senior fellow at the American Enterprise Institute and an associate professor of finance at Brandeis University School of International Business.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
