For most people, when the phrase “data breach” is thrown into the conversation, the first thought that usually comes up is — “just don’t let it happen to me”. Nobody wants to be notified by some company that their private data has been exposed by hackers and could be exploited in a variety of attacks such as bank account fraud or identity theft.
It’s no picnic for the company doing the notifying either. They have to handle a myriad of potential loss scenarios while also investigating and containing the leak.
So, I think we can agree that data breaches are bad — but can we say more?
Can we say how bad?
Can we put a dollar value on it?
For those in charge of making decisions regarding the cybersecurity aspects of their company, quantifying the monetary loss due to a data breach event (which we also refer to as “breach impact”) can be invaluable to the decision-making process.
Traditional Breach Impact
The “state of the art” for breach impact modelling is implemented mainly by insurers. Companies that sell cybersecurity insurance maintain internal actuarial models for estimating the insurance premiums and payouts for breached companies.
The main components of loss these insurers define are:
- Breach event containment costs
- Regulatory fines and class-action lawsuits
Containment costs apply to expenses like hiring a breach coach and establishing a call centre, which are almost always estimated according to the organization’s size and network complexity.
Many insurers predict the fines and lawsuits component based on a single value: the number and type of personal private records expected to be leaked. They usually derive this information from the industry and the number of (direct) customers the organization has.
An important caveat of the number-of-records approach is that a company may be linked, and even held responsible, for leaks connected to its products. For instance, an organization selling invoice management systems to retailers could be held accountable, and even sued, when private data of those retailers’ customers is leaked through the invoice system. This sort of “vendor impact” is often neglected by companies and insurers, who do not plan for this broader scope of loss.
Although they are the de facto standard in breach impact estimation, cybersecurity insurers are far from comprehensive and accurate:
- They lack the required intimate knowledge of the cybersecurity maturity level of the organization, its attack surface, vulnerabilities, targeting information etc. to correctly assess the likelihood of a breach event actually happening
- They may miss significant parts of the loss, like the rising cost of ransom payouts, which is also linked to cryptocurrency conversion rates
- They only insure the explicit parts of the loss — those related to containing the breach event and compensating victims. Other company losses are very conservatively estimated, if at all.
The bottom line is that relying on insurance companies to predict the full scope of the loss can be unreliable. The insurers are not really motivated to provide a comprehensive view of data breach loss. They limit themselves, and the premiums they sell, to tangible and provable expenses in well-defined categories. This may be satisfactory for insuring the breach event itself, but it falls short from the perspective of decision-makers or investors interested in the long-term losses such an event may entail.
The Hidden Loss
It turns out that the losses you can get insured for are, in many cases, just the tip of the iceberg.
Quantifying organizational losses beyond the immediate costs of containing the event and paying penalties and settlements requires identifying hidden loss components. These components relate to the revenue and productivity of the organization, and how these may be affected by a breach event.
Intellectual Property (IP)
Data leaks aren’t always about leaking private user records. An increasing number of hackers are now targeting the intellectual property of the organization as another means of monetary gain and extortion. IP records can range from source code files to sensitive documents and even unreleased content in the case of media organizations like Netflix, Sony, etc. The Ponemon Institute has published several studies identifying lost IP as a potentially major factor of loss. According to the studies, companies are putting more emphasis on intangible assets (i.e., IP) as a major stream of revenue. Losing these assets can lead to major losses in the long term, e.g., when leaked IP results in the loss of a competitive edge because trade secrets, code, algorithms, etc. are exposed.
Another major loss factor which is not accounted for in a traditional breach impact estimation is reputation and brand damage. Many companies that experienced breach events, e.g., Equifax, subsequently suffered unprecedented losses.
The first and most easily quantifiable loss is in stock value. A reduced stock value translates to direct losses for investors and damages the organization’s ability to raise capital through its stock. The stock performance is often also an indication of lost revenue.
Customer churn can also lead to substantial losses. The Ponemon Institute reported an average 3.4 abnormal churn rate for companies that suffered data breaches in 2018, rising from 3.2 in 2017. It’s important to note that the reported churn varies greatly depending on country and sector. Some countries, like France or Japan, can expect much higher churn rates (up to twice the churn of other countries). The industry in which the organization operates is also key for predicting churn rates. Some industries, like energy, utilities, or the public sector (government), will experience much lower churn rates than companies operating in the cybersecurity industry. These are only some of the factors that weigh into brand damage estimation.
An important caveat of brand damage estimation is that companies do not always suffer stock loss and increased customer churn. The security posture of the organization, and especially how it is perceived by its customers and investors, is a major component in the outcome of a breach event, and specifically in the effect on the company’s brand.
Business Continuity & Productivity Loss
When a company suffers a breach event, systems go down, either directly through the actions of the hackers or because the company itself takes them offline while trying to contain the event. Systems being down means that the company can’t generate any revenue from its online systems and that many employees are left idle for the duration of the event.
The canonical formula, therefore, for estimating revenue and productivity losses is:
Loss = (Lost Revenue per Hour + Lost Productivity per Hour) * Downtime Duration
The equation may seem simple; however, estimating each of its components is a formidable task. Revenue and productivity per hour can vary greatly depending on the organization in question, as the dependency of revenue and productivity on system uptime is different for each organization. In our model, we predict these factors based on data aggregated by industry and country, and of course allow the organization itself to provide these terms.
Downtime duration for a breached company depends on the type of company and, mainly, on the level of skill of the employees tasked with containing the breach and getting systems back up, as well as the tools and policies put in place to mitigate such an event. Of the three terms of the loss formula, this part would be the hardest for the company to estimate by itself. It requires the knowledge and experience of skilled cybersecurity, IT and incident response (IR) personnel.
The Decisive Factor: Exposure
Breach impact estimation is a powerful tool for decision making. It allows an organization to evaluate risk and budget cybersecurity spending correctly. However, it provides only part of the picture. To truly assess risk, the organization needs to evaluate the likelihood of a breach.
When asked, I always suggest the car metaphor: losing a brand new $400,000 Ferrari 599 GTO would cost you… $400,000 — but that’s not the risk. Risk also depends on the road conditions in your city and how well you drive, i.e., the probability of an accident.
The same applies to data breaches. The exposure of an organization depends on its cybersecurity standing and the likelihood of it being hacked, as well as its breach impact, and specifically:
So, estimating impact is great, but it’s not enough.
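To make the structure of the argument concrete, here is a small, self-contained estimator that composes the loss components discussed above (containment costs, record-based fines and settlements including downstream “vendor impact” records, IP loss, the downtime loss formula with industry/country defaults and organization-supplied overrides, and churn-driven revenue loss) and then weights the total by breach likelihood to obtain exposure. This is an added example, not CYE’s model or data: every figure in the lookup tables and the sample organization is a constructed placeholder, and the helper names (`Organization`, `breach_impact`, `exposure`) are illustrative.

```python
"""Added example (not CYE's model or data): a minimal breach-impact estimator
that composes the loss components described on the page and multiplies the
total by breach likelihood. All figures below are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

# Constructed per-industry defaults: revenue and productivity lost per hour of
# downtime (USD) and the abnormal churn fraction observed after a breach.
INDUSTRY_DEFAULTS = {
    "retail": {"revenue_per_hour": 50_000.0, "productivity_per_hour": 8_000.0, "abnormal_churn": 0.034},
    "energy": {"revenue_per_hour": 120_000.0, "productivity_per_hour": 15_000.0, "abnormal_churn": 0.010},
}
# Constructed country multipliers on churn (the page notes up to 2x for some countries).
COUNTRY_CHURN_MULTIPLIER = {"US": 1.0, "FR": 2.0, "JP": 2.0}
# Constructed cost per leaked personal record, covering fines and settlements.
COST_PER_RECORD = 150.0


@dataclass
class Organization:
    industry: str
    country: str
    customers: int
    revenue_per_customer: float      # annual revenue per retained customer
    downtime_hours: float
    direct_records: int              # personal records of the organization's own customers
    downstream_records: int = 0      # records reachable through its products (vendor impact)
    # Optional overrides for when the organization can supply its own figures
    revenue_per_hour: Optional[float] = None
    productivity_per_hour: Optional[float] = None


def _term(org: Organization, key: str) -> float:
    """Use the organization's own figure if given, else the industry aggregate."""
    value = getattr(org, key)
    return value if value is not None else INDUSTRY_DEFAULTS[org.industry][key]


def downtime_loss(org: Organization) -> float:
    """Loss = (Lost Revenue per Hour + Lost Productivity per Hour) * Downtime Duration."""
    return (_term(org, "revenue_per_hour") + _term(org, "productivity_per_hour")) * org.downtime_hours


def churn_loss(org: Organization) -> float:
    """Annual revenue lost to abnormal churn, scaled by industry and country."""
    rate = INDUSTRY_DEFAULTS[org.industry]["abnormal_churn"] * COUNTRY_CHURN_MULTIPLIER.get(org.country, 1.0)
    return org.customers * rate * org.revenue_per_customer


def fines_and_settlements(org: Organization) -> float:
    """Record-based estimate that also counts downstream (vendor-impact) records."""
    return (org.direct_records + org.downstream_records) * COST_PER_RECORD


def breach_impact(org: Organization, containment_cost: float, ip_loss: float = 0.0) -> dict:
    """Itemized breach impact; 'total' is the sum of all components."""
    components = {
        "containment": containment_cost,
        "fines_and_settlements": fines_and_settlements(org),
        "ip_loss": ip_loss,
        "downtime": downtime_loss(org),
        "churn": churn_loss(org),
    }
    components["total"] = sum(components.values())
    return components


def exposure(impact_total: float, breach_likelihood: float) -> float:
    """Expected loss: impact weighted by the probability of a breach in the period."""
    if not 0.0 <= breach_likelihood <= 1.0:
        raise ValueError("breach_likelihood must be a probability between 0 and 1")
    return impact_total * breach_likelihood


if __name__ == "__main__":
    # Constructed sample organization; the downstream records model vendor impact.
    org = Organization(industry="retail", country="US", customers=100_000,
                       revenue_per_customer=200.0, downtime_hours=36,
                       direct_records=20_000, downstream_records=30_000)
    impact = breach_impact(org, containment_cost=500_000.0, ip_loss=250_000.0)
    for name, value in impact.items():
        print(f"{name:>22}: {value:>14,.0f}")
    print(f"expected loss at 25% likelihood: {exposure(impact['total'], 0.25):,.0f}")
```

The override fields on `Organization` correspond to the model letting the organization supply its own revenue and productivity terms, and the country multiplier reflects the observation that churn after a breach differs by geography; swapping the placeholder tables for real aggregated data is what turns this skeleton into an actual estimate.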
Sources and Methodology
CYE’s Breach Impact model is based on data collected internally by CYE’s security researchers and incident response specialists and reflects years of experience and intimate knowledge of the cybersecurity landscape and breach events. This data is coupled with breach statistics collected over years from hundreds of breach events in companies, spanning various industries and countries, supplemented by public sources and studies.
Dr. Nimrod Partush — Combining years of AI research experience with deep knowledge of the cybersecurity domain, Dr. Partush leads the Data Science Department at CYE. His background includes both practical hands-on experience gained from serving in an elite IDF cybersecurity unit and academic experience amassed through his Ph.D. in Computer Science at the Technion.