As cyber attacks become increasingly common, regulators and legislators have criticized the limited information companies make public about cybercrimes they experience. Experts note, though, that it's often a challenge for companies to put a dollar value on the damage they've suffered.

A U.S. Executive Order on cybersecurity last year described the cyber threat to the nation's critical infrastructure as “one of the most serious national security challenges.” But David Burg, global and U.S. advisory cybersecurity leader at PwC, noted that despite that characterization, “what we do not see is significant disclosures in public filings. There is this disparity.”

Burg noted that “it's very hard for companies to quantify the damages,” but added, “It may also be the case that companies do not necessarily want to disclose the full impact of an IT theft.”

Companies have an easier time quantifying the costs of incidents in which credit card numbers or other personal information is stolen, costs that include the expense of any remediation, such as offering credit monitoring to customers, Burg said. “What's far harder to quantify are situations where you have very sensitive information or intellectual property that is compromised,” he said.

Burg cited the scenario of a company that has stored sensitive documents related to a rights offering electronically in a file that is compromised. If the company is bidding on the offering and fails to win the bid as a result, “what you have is a situation where you would not have the opportunity to take advantage of whatever the rights offering was for, into perpetuity,” he said. “It may be difficult to calculate the value.”

David Burg of PwC

Companies also face challenges when it comes to putting a price tag on a theft of their intellectual property, a situation that could eventually result in a competing product coming to market and eroding their business over time. “Many companies may not be aware they were breached until many years or months after they were breached,” said Burg, pictured at left. “And even in those cases, the company may not be able to figure out what was stolen.”

PwC recommends that companies that have had intellectual property stolen employ the “but-for analysis” used in patent disputes to calculate what the theft cost them, he said. “You take a variety of facts, including lost profit, and use discounted cash flow to value that lost profit.”
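A worked version of the but-for calculation Burg describes, added here as an illustration for this article rather than PwC's own model: the company forecasts the profit it would have earned had the theft not occurred, forecasts what it now expects with a competitor holding the IP, and discounts the yearly shortfall to present value. The profit figures, the 10% discount rate and the optional perpetuity tail (for losses that, as in Burg's rights-offering scenario, run "into perpetuity") are assumed values, not numbers from the article.

```python
"""But-for valuation of lost profit after an IP theft.

Added example, not PwC's model and not figures from the article.
All forecasts and rates below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfitForecast:
    """Yearly profit forecasts, year 1 first, in one currency unit."""
    but_for: list[float]  # profit had the theft not occurred (assumed)
    actual: list[float]   # profit now expected after the theft (assumed)


def lost_profit_by_year(forecast: ProfitForecast) -> list[float]:
    """Yearly shortfall: but-for profit minus expected actual profit."""
    if len(forecast.but_for) != len(forecast.actual):
        raise ValueError("forecast horizons must match")
    return [b - a for b, a in zip(forecast.but_for, forecast.actual)]


def present_value(cash_flows: list[float], discount_rate: float) -> float:
    """Discount year-1..N cash flows at a constant annual rate."""
    if discount_rate <= -1.0:
        raise ValueError("discount rate must exceed -100%")
    return sum(cf / (1.0 + discount_rate) ** year
               for year, cf in enumerate(cash_flows, start=1))


def but_for_damages(forecast: ProfitForecast, discount_rate: float,
                    perpetual_tail: bool = False) -> float:
    """Present value of lost profit over the forecast horizon.

    With perpetual_tail=True the final year's shortfall is assumed to
    continue forever at a flat level; that tail is valued as a level
    perpetuity (loss / rate) and discounted back from year N.
    """
    losses = lost_profit_by_year(forecast)
    pv = present_value(losses, discount_rate)
    if perpetual_tail and losses:
        if discount_rate <= 0.0:
            raise ValueError("a perpetuity needs a positive discount rate")
        years = len(losses)
        tail = losses[-1] / discount_rate
        pv += tail / (1.0 + discount_rate) ** years
    return pv


# Constructed scenario: a competitor ships a rival product in year 2,
# eroding profit by 20% in year 2 and 40% in year 3.
SAMPLE = ProfitForecast(but_for=[1000.0, 1000.0, 1000.0],
                        actual=[1000.0, 800.0, 600.0])
RATE = 0.10  # assumed discount rate

if __name__ == "__main__":
    print("yearly lost profit:", lost_profit_by_year(SAMPLE))
    print("PV over horizon:  ", round(but_for_damages(SAMPLE, RATE), 2))
    print("PV with perpetuity:", round(but_for_damages(SAMPLE, RATE, True), 2))
```

The two outputs show why the perpetuity assumption dominates such estimates: the three-year shortfall is worth a few hundred units, while treating the final-year loss as permanent multiplies the figure several times over, which is the kind of judgement call that makes these damages hard to pin down.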

Larry Ponemon, founder and chairman of the Ponemon Institute, which produces annual studies of companies' losses related to data breaches and cybercrimes, says many of the costs companies incur related to cybercrime are “fuzzy.” For example, Ponemon said, a denial-of-service attack that took down a company's e-commerce platform for half an hour would involve costs including paying for IT employees' efforts to get the platform up and running, as well as taking into account the customer business the company lost while the platform was down.

If the attacks persist, the company may suffer damage to its brand and its reputation, Ponemon said, developments that are even harder to translate into numbers.

Larry Ponemon of the Ponemon Institute

When the institute collects the data for its studies, it uses models it built based on a technique called activity-based costing, which Ponemon says is helpful when dealing with fuzzy costs. The process of assessing what data breaches or cyber crimes have cost an organization may involve talking to as many as 20 or 30 people at a single company, he says.

He notes that companies can't rely on their financial systems when it comes to estimating costs for cybercrimes. “It's not something that you could have an add-on module to your financial accounting system and get the report on the cost of cyber security or cost of a data breach,” he said. “To my mind, it still has to be done through talking and tackling, the way we do it.”

“We basically know that companies don't measure these things,” added Ponemon, pictured at right. When the institute presents its results to the senior managers of companies that participate in the studies, “what we find is complete surprise,” he said. “'How could this have cost so much?'”

He argued that cyber costs are hidden from view in part because they're not captured in the financial metrics that companies use to measure their success, such as return on investment or total cost of ownership. “There's not a measure that captures the company's security posture,” Ponemon said.

In 2011, the Securities and Exchange Commission issued staff guidance telling companies they should disclose in their SEC filings cyber risks and events that could have a material impact on investors' view of the company. The SEC warned against “generic” disclosures but also said companies' disclosures should not provide a roadmap for cyber criminals.

But in April, Sen. Jay Rockefeller (D-W.Va.) wrote to SEC Chairman Mary Jo White that while companies' reporting had improved since the SEC released its guidance, “the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies' cybersecurity policies.” Rockefeller asked White to issue formal guidance at the Commission level on disclosing cybersecurity issues in SEC filings.

John Reed Stark, a managing director at Stroz Friedberg, a digital risk management and investigations firm, said the SEC is likely to deal with the issue by ramping up enforcement of the guidance issued in 2011, rather than issuing additional guidance.

“What they're probably doing is looking through the current filings, matching them up with reports of breaches, assessing the disclosures and looking for those first few good cases that can demonstrate that they're listening to Congress and they're serious about those rules,” said Stark, who headed the SEC's Office of Internet Enforcement before joining Stroz Friedberg.

Stark added, though, that cyber attacks have become so common that they are becoming less material.

“Everybody's getting breached. With most companies, it's not a matter of if, but when, they get a data breach,” he said. “The quantitative materiality of a data breach I do believe is deteriorating.”

For a look at what the biggest U.S. corporations are reporting about cyber events, see Disconnect on Cost of Cyberattacks.

© 2024 ALM Global, LLC, All Rights Reserved.