7/25/2019 Cybercrime Costs More Than You Think

1/3

Cybercrime Costs More Than You Think

Hamilton Place Strategieswww.hamiltonplacestrategies.com

202-822-1205

Tucker WarrenJared FavoleScott HaberEmily Hamilton

Findings:

The median cost ocybercrime has in-creased by nearly200 percent in the

last ive years andis likely to continuegrowing

The reputational riskassociated with cy-bercrime extendswell beyond mone-tary damages

Having a plan in placeor how to respond toa cyberattack couldsave millions

In an increasingly intercon-nected world fueled by the

expansion of digital technol-ogy, cybercrime has becomea big business. How big?Cybercrime costs the globaleconomy about $450 billion

each year (Fig. 1), a valuethat exceeds the market cap-italization of such corporatepowerhouses as MicrosoftInc. and Exxon Mobil Corp.,and its nipping at the heelsof Apple Inc. Put anotherway, cybercrime would rankas the worlds 23rd largesteconomy beating out

countries like Austria andIran. And if cybercrime werea U.S. industry,it would bebigger than theentire farm-ing or oil andgas extractionindustries.

In the lastfive years, themedian cost ofa cyberattackhas increasedby nearly 200 percent (Fig.2). And cybercrimes not justgetting bigger, its becomingmore frequent and far reach-ing.

Consider: Since 2005, 828 million

individual records havebeen exposed by databreaches the equivalentof every person in theU.S. having almost three

records stolen.

In 2014 alone, databreaches exposed over85 million records in theUnited States.

Reputations At Risk

While the direct cost ofa cyberattack can be sig-nificant, the reputationaldamage can be even more

impactful to thebottom line. Inthe Target databreach of 2013,which affect-ed millions ofU.S. customers,the company

incurred $252million in databreach-relatedexpenses, withonly $90 million

of that expected to be offsetby insurance recoveries. Inits 2015 10-K filing, the com-pany referred to the databreach asan example of an

I cybercrime werea U.S. industry, itwould be biggerthan the entirearming or oil and

gas extraction in-dustries.

7/25/2019 Cybercrime Costs More Than You Think

2/3

Cybercrime also car-ries with it a "rico-chet effect" wheresimply sharing an in-dustry with a victim

is enough to impactyour business.

2Hamilton Place Strategies

incident that affected ourreputation and negativelyimpacted our sales for a pe-riod of time.

Cybercrime also carries withit a ricochet effect wheresimply sharing an industry

with a victim is enough toimpact your business. Inthe case of Target, its databreach brought other retail-ers into the spotlight, withheadlines like Retail Indus-try Security Hacks May SurgeIn 2014. This ricochet effectshows that even if your com-pany avoids a cyberattack,

you could be harmed if aless-prepared industry playerlets its defenses down.

Business leaders seem tohave taken notice. The WorldEconomic Forums recentreport on Global Risks of 2016found U.S. CEOs are moreconcerned about cyber-relat-ed threats and attacks thanfiscal crises, asset bubbles,and energy prices.

Despite the attention cyber-crime has among peopletasked with protecting thereputations of the largestcompanies in the world,the costs of attacks and the

frequency with which theyoccur are rising. This showsthat a lot more needs to bedone to protect the reputa-

tions of businesses.

Plan For It, CommunicateAbout It

While cyber-crime seemsto be be-coming aninevitability,the ensuingreputation-al damagedoesnt haveto be. Com-panies spend a lot of timeand money to protect theirbusiness and by extensiontheir customers. But whatabout investing in and pre-

paring for how to handle thecommunications response?Its not just about protectingyour company. Your compa-

nys efforts will benefit theindustry too. The less com-panies talk about cybercrime

the more theyllbe feeding intoworst-case-sce-nario thinking.Here are somethings everycompany inevery industryshould do:

Know yourstory:Find out

how likely your businessis to be attacked. Developa list of five things yourcompany does right now toprevent cybercrime and get

Fig. 1: If Cybercrime Had Been A U.S. Company In2014, It Would Have Been The Second-Largest

Source: Bloomberg, cybercrime cost from Allianz Cyber Risk Guide

$370.7$382.9$391.5

$445.0

$647.4

CybercrimeApple ExxonMobil

BerkshireHathaway

Microsoft

Market Capitalization ($, Billions)

U.S. CEOs are moreconcerned about cy-ber-related threatsand attacks thaniscal crises, asset

bubbles, and energyprices.

7/25/2019 Cybercrime Costs More Than You Think

3/3

Fig. 2: The Cost Of A Cyber Attack For U.S.Businesses Has Increased By 192% Since 2005

Source: 2015 Cost Of Cyber Crime Study: United States

Median Cost Of A Cyber Crime For A U.S. Business

$5.9 M

2010 2011

$6.2 M

2012

$9.1 M

2013

$9.7 M

2014

$11.0 M

2015

+192%

$3.8 M

nal dependencies, and whoneeds to know what, whenin the first 24-48 hours insideand outside of the company.

These are just a few stepsthat will help your companycontextualize the threat ofa cyberattack, and how tomitigate its damage. Unfor-tunately, if youre in businesstoday, its nearly a guaran-tee youll be hacked at somepoint over the next coupleof years. You cant control it,but what you can control iswhether youre prepared torespond when it happens. [ ]

3Hamilton Place Strategies

clearance for how to discussthose details externally.

Media train experts:Cy-bercrime is complex andconfusing to the generalpublic. Establishing credi-bility will likely take more

than just a communicator. Atechnological expert, possi-bly even a chief technologyofficer if your company hasone, should be trained wellbefore an attack on how tointeract with the media.

Internal navigation: In a cri-sis, navigating internal com-

munications channels canbe as tricky as external ones.Understand who in yourcompany would need tobe involved in internal andexternal communications inthe aftermath of a cyberat-tack and where the technicalcyber expertise lies withinthe company.

Create a playbook:Developa plan for how your teamand the company will reactto a cyberattack. This canstreamline your companysresponse, ultimately savingtime and money.

Brie the board:Ensure theboard understands that acyberattack is likely to hap-pen in this day and age, andinform them of the planningin place to prevent and re-cover from an attack.

Engage stakeholders:Donewell, proactively commu-nicating with stakeholdersabout your companys cyber-security risk and plans isnt

a risk. Given the realities allindustries are facing withcybercrime, doing so willhelp ensure your company

is ready and prepared. Andafter all, being thought of asready and prepared is whatevery business wants fortheir reputation.

Know the media:Identifykey reporters and createworking relationships inadvance of an attack so youarent introducing yourself tothe reporter who covers yourattack in its aftermath.

War gaming:Lay out a fewof the most likely cyberscenarios that would impactyour business and game outhow you and your colleagueswould respond, what every-ones roles would be, exter-

You cant control it, butwhat you can controlis whether youre pre-pared to respond