How Much Do Cybersecurity Breaches Really Cost and Why Does It Matter?
The Fletcher School, Tufts University
The Issue:
Firms making decisions about how much to spend on securing their computer systems and data often struggle with figuring out how much a cybersecurity breach will cost them and what the most cost-effective ways of protecting against such breaches are. In the absence of clear guidelines about how to secure their systems, a growing number of firms are purchasing cyber-insurance policies that offer coverage for a variety of different types of cybersecurity incidents, from data breaches to ransomware. However, this coverage can create moral hazard problems in which companies do not have sufficient incentives to protect their networks and their customers’ data from breaches because they are insulated from the eventual costs. The moral hazard problem is compounded by the fact that in many types of cybersecurity incidents, including breaches of personal information and financial fraud schemes, the majority of costs associated with the incident are borne by third parties and individual victims rather than the breached organization itself. How do we incentivize companies to invest in cybersecurity measures when there is such unclear and oftentimes conflicting data on how much breaches would cost them and how those breaches can best be prevented?
Uncertainty regarding the costs of breaches and the existence of cyber-insurance can lead organizations to underinvest in cybersecurity defenses.
The Facts:
- Cybersecurity incidents and data breaches impose multiple different types of costs on affected organizations and individuals. These include the costs associated with investigating the incident, restoring business services, notifying affected individuals, offering credit monitoring services, and hiring public relations firms and media services to communicate about the incident and do damage control, among others. Organizations also face potential damage to their reputations, brands and relationships with customers. Beyond that, firms may be subject to regulatory fines as well as legal fees and settlement costs resulting from legal suits brought by third parties that suffered damages resulting from the incidents.
- There is very little consensus about how much data breaches and other types of cybersecurity incidents actually cost, making it difficult for firms to subject security controls to any rigorous cost-benefit analysis. For instance, when attackers stole over 40 million credit and debit account numbers and personal information on an estimated 70 million customers from Target in 2013, a Congressional Research Service report identified a very broad range for loss estimates — ranging from $11 million to $4.9 billion. The lack of reliable data about how much these types of incidents cost means that companies and insurers are often unable to make informed decisions about how much to spend on managing and mitigating cyber risks. If they don’t know how much those incidents cost then they don’t know how much to spend preventing them, or how much to charge in premiums for insurance policies that cover them.
- Breached companies often point to reputational damage as one of the most significant components of the costs of high-profile security breaches — but this type of cost is very difficult to measure. One way to assess these reputational costs, for publicly traded companies, is to look at the impact of breaches on their stock prices and sales figures. Several studies have done this, almost all of which have concluded that data breaches have only a relatively small and short-lived effect on the value of a company’s shares.
- Many of the costs associated with cybersecurity incidents accrue to third parties, including individuals, banks, payment networks, and other firms, who are not directly responsible for the security breach but still suffer the consequences when their data is stolen or they are forced to cover fraudulent charges that arise from stolen data. For instance, the 2013 Target breach was initiated using network login credentials stolen from the retailer’s HVAC contractor, Fazio Mechanical Services. This means that the parties responsible for a breach are often not the same ones who bear the costs for its clean-up and consequences. This can contribute to under-investment in cybersecurity by firms who feel they have little to lose from having an inadequate security posture. Sometimes, civil lawsuits enable firms to recoup some of their losses from the responsible parties, but these suits are often lengthy and expensive ordeals, which many firms are not willing to take on.
- For companies that purchase cyber-insurance to help cover the costs of data breaches and other security incidents, those policies can serve a similar role in making them feel protected from the consequences and costs associated with those incidents. Insurers are still uncertain what cybersecurity precautions and controls should be required of their customers and many of their efforts to audit potential customers rely heavily on questionnaires rather than any assessment of a firm’s technical protections. This lack of clarity about what baseline level of protections should be required of insured firms contributes to the moral hazard problem by making it harder for insurers to be sure that their customers are doing their due diligence when it comes to security.
- Firms and local governments relying on their insurers to pay ransom demands has contributed to the profitability and continued proliferation of ransomware, benefiting criminals while doing little to bolster cybersecurity protections. By creating perverse incentives for cities and companies attacked by ransomware to have their insurers pay out ransom demands, cyber-insurance can actually contribute directly to funding cybercrime organizations and preventing organizations from investing in the harder and more expensive work of strengthening their cybersecurity defenses.
What this Means:
To address moral hazard problems associated with cybersecurity spending, we first need to do a better job collecting consistent data about how much cybersecurity incidents actually cost, who those costs accrue to, and what controls are most effective in reducing those costs. The growing cyber-insurance market also plays a significant role in creating incentives for firms to invest in cybersecurity controls and, as it grows, that market may require more oversight and regulation. In the meantime, firms deciding to moderate their cybersecurity spending because they do not fear significant losses from breaches may, in fact, be making very rational decisions based on how insulated they may be from the direct costs of those breaches.