Are Cybersecurity Incidents Getting Worse?


When evaluating cybersecurity incidents, it's useful to put the damages into context, especially by comparing them to natural disasters. While cyber-attacks and threats are increasing in number, the overall economic impact of these incidents has not grown in step with them.

Historical Context of Cybersecurity Catastrophes

Tom Johansmeyer of the University of Kent, a former senior executive at Verisk, has analyzed cyber catastrophes extensively (see here). He defines a catastrophe as an event that impacts a "significant number" of companies, with a total damage threshold of $800 million (adjusted to 2023 dollars for inflation at 3% per year). Surprisingly, according to his analysis, catastrophic cybersecurity events appear to be declining over time.

Is cybersecurity getting better?

The improvement in cybersecurity can be attributed to advances in operating systems and technology. For instance, in 2004, sending executable attachments via email was much easier, and users were more likely to open them. In general, deploying malware was a much easier task because of glaring software bugs that allowed internet worms to spread with minimal human intervention. Email worms were particularly devastating: their productivity hits were much larger than those of today's incidents, even after adjusting for inflation.

For example, the NotPetya worm in 2017 caused more than $10 billion in damages. However, according to the source above, now largely forgotten email worms like Sobig and Mydoom, from 2003 and 2004 respectively, caused much bigger productivity losses and economic damages, amounting to over $75 billion when adjusted for inflation. This indicates that while the frequency of attacks might increase, their severity is not necessarily worsening (see chart here). In fact, more than 90% of total economic losses from cyber catastrophes came before 2009. Take a look at the full article here and an older analysis here.

Comparing Cybersecurity and Natural Disasters

When comparing cybersecurity incidents to natural disasters, things look even less alarming. From 1998 to 2021, Swiss Re, an insurance company, reported aggregate economic losses from natural disasters at approximately $4.3 trillion, nearly 14 times the aggregate economic losses from cyber catastrophes during the same period. This comparison highlights that, although cybersecurity incidents are serious, they are less catastrophic than natural disasters.

Frequency vs. Impact of Cyber Attacks

While individual cyber attacks below the $800 million threshold are becoming more frequent, their aggregate impact remains relatively contained. Ransomware and similar attacks continue to plague organizations worldwide, causing substantial damage. However, two recent metrics suggest that the overall impact may not be as severe as perceived.


Since late December 2023, the U.S. Securities and Exchange Commission (SEC) has required publicly traded companies to disclose material cybersecurity risks and incidents. The goal is to better inform investors and, indirectly, to offer a glimpse into the damages from individual attacks.

So, what's the result so far? It appears that many companies report no material impact even from significant incidents. Of the 14 companies that filed a Form 8-K, only 3 identified a material impact (including operational disruption and an impact on results of operations), while the remaining 11 stated that the incidents did not materially affect operations.

Before the new SEC rule took effect, we already had some indication of the effects of ransomware attacks on operations and the financial bottom line: those reports were converging on costs that shaved about 10-20% off yearly net profits. That certainly feels like a material impact. Yet the new disclosures point in a different direction.


Ransomware's Impact on Stock Prices


Other suggestive data comes from a Comparitech study that analyzed how ransomware affects stock market share prices. The study is relevant because if ransomware does not impact stock prices, it may imply that the attacks are not material and, hence, not significant in terms of damages. The study concludes: "On the whole, ransomware attacks don't appear to have much of an impact on share prices." After an initial impact (see example here), prices generally revert to the underlying market trend.

This suggests that while individual incidents can be significant, they do not typically result in long-term financial damage to companies.


What can we expect?

In conclusion (as ChatGPT might say), it appears security technology is doing a good job: things are much better than 20 years ago. However, the pervasive reliance on digital technology means that risks will continue to accumulate across industries (especially critical infrastructure). The number of smaller events (still significant at the level of an individual organization) is also bound to intensify in the future. Even so, the overall trend indicates that cybersecurity defenses are getting better, not worse.


