As cyber attacks become increasingly common, regulators and legislators have criticized the limited information companies make public about cybercrimes they experience. Experts note, though, that it’s often a challenge for companies to put a dollar value on the damage they’ve suffered.
A U.S. Executive Order on cybersecurity last year described the cyber threat to the nation’s critical infrastructure as “one of the most serious national security challenges.” But David Burg, global and U.S. advisory cybersecurity leader at PwC, noted that despite that characterization, “what we do not see is significant disclosures in public filings. There is this disparity.”
Burg noted that “it’s very hard for companies to quantify the damages,” but added, “It may also be the case that companies do not necessarily want to disclose the full impact of an IT theft.”
Companies have an easier time quantifying the costs of incidents in which credit card numbers or other personal information is stolen, costs that include the expense of any remediation, such as offering credit monitoring to customers, Burg said. “What’s far harder to quantify are situations where you have very sensitive information or intellectual property that is compromised,” he said.
Burg cited the scenario of a company that has stored sensitive documents related to a rights offering electronically in a file that is compromised. If the company is bidding on the offering and fails to win the bid as a result, “what you have is a situation where you would not have the opportunity to take advantage of whatever the rights offering was for, into perpetuity,” he said. “It may be difficult to calculate the value.”
Companies also face challenges when it comes to putting a price tag on a theft of their intellectual property, a situation that could eventually result in a competing product coming to market and eroding their business over time. “Many companies may not be aware they were breached until many years or months after they were breached,” said Burg, pictured at left. “And even in those cases, the company may not be able to figure out what was stolen.”
PwC recommends that companies that have had intellectual property stolen employ the “but-for analysis” used in patent disputes to calculate what the theft cost them, he said. “You take a variety of facts, including lost profit, and use discounted cash flow to value that lost profit.”
Larry Ponemon, founder and chairman of the Ponemon Institute, which produces annual studies of companies’ losses related to data breaches and cyber crimes, says many of the costs companies incur related to cybercrime are “fuzzy.” For example, Ponemon said, a denial-of-service attack that took down a company’s e-commerce platform for half an hour would involve costs including paying for IT employees’ efforts to get the platform up and running, as well as taking into account the customer business the company lost while the platform was down.
If the attacks persist, the company may suffer damage to its brand and its reputation, Ponemon said, developments that are even harder to translate into numbers.
When the institute collects the data for its studies, it uses models it built based on a technique called activity-based costing, which Ponemon says is helpful when dealing with fuzzy costs. The process of assessing what data breaches or cyber crimes have cost an organization may involve talking to as many as 20 or 30 people at a single company, he says.
He notes that companies can’t rely on their financial systems when it comes to estimating costs for cybercrimes. “It’s not something that you could have an add-on module to your financial accounting system and get the report on the cost of cyber security or cost of a data breach,” he said. “To my mind, it still has to be done through talking and tackling, the way we do it.”
“We basically know that companies don’t measure these things,” added Ponemon, pictured at right. When the institute presents its results to the senior managers of companies that participate in the studies, “what we find is complete surprise,” he said. “‘How could this have cost so much?’”
He argued that cyber costs are hidden from view in part because they’re not captured in the financial metrics that companies use to measure their success, such as return on investment or total cost of ownership. “There’s not a measure that captures the company’s security posture,” Ponemon said.
In 2011, the Securities and Exchange Commission issued staff guidance telling companies they should disclose in their SEC filings cyber risks and events that could have a material impact on investors’ view of the company. The SEC warned against “generic” disclosures but also said companies’ disclosures should not provide a roadmap for cyber criminals.
But in April, Sen. Jay Rockefeller (D-W.Va.) wrote to SEC Chairman Mary Jo White that while companies’ reporting had improved since the SEC released its guidance, “the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity policies.” Rockefeller asked White to issue formal guidance at the Commission level on disclosing cybersecurity issues in SEC filings.
John Reed Stark, a managing director at Stroz Friedberg, a digital risk management and investigations firm, said the SEC is likely to deal with the issue by ramping up enforcement of the guidance issued in 2011, rather than issuing additional guidance.
“What they’re probably doing is looking through the current filings, matching them up with reports of breaches, assessing the disclosures and looking for those first few good cases that can demonstrate that they’re listening to Congress and they’re serious about those rules,” said Stark, who headed the SEC’s Office of Internet Enforcement before joining Stroz Friedberg.
Stark added, though, that cyber attacks have become so common that they are becoming less material.
“Everybody’s getting breached. With most companies, it’s not a matter of if, but when, they get a data breach,” he said. “The quantitative materiality of a data breach I do believe is deteriorating.”
For a look at what the biggest U.S. corporations are reporting about cyber events, see Disconnect on Cost of Cyberattacks.