The Council of Economic Advisers estimated in a report released Feb. 16 that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016, representing between 0.31% and 0.58% of that year's total gross domestic product.
The council, an agency within the executive office of the president charged with offering the White House objective economic advice, found that while cyber incidents were seen across nearly all sectors of the economy, some industries were more often targeted than others, particularly finance, healthcare and government.
Citing data from Verizon Communications Inc., the report found the finance sector, both public and private, saw the most security breaches in 2016, with 471, followed by healthcare and government, which saw 296 and 239 breaches, respectively. A breach is defined as "an incident that results in the confirmed disclosure — not just the potential exposure — of data to unauthorized authority."
Across sectors, however, the council said the field of cybersecurity is plagued by insufficient data. The group noted that although companies face a strong disincentive to report negative news given the toll these breaches can take on stock price and public perception, cyber protection could be greatly improved if companies more readily shared information.
The council cited a 2014 report from the Center for Strategic and International Studies showing that when Alphabet Inc.'s Google Inc. was hacked in 2010, 34 other Fortune 500 companies were hacked at the same time. Only one of these companies reported publicly that it had been hacked.
To some degree, the government has tried to address this issue through the Securities and Exchange Commission's 2011 Guidance, which requires publicly traded companies to disclose "materially important adverse cyber events." But companies have been known to interpret "material" events in different ways, and the council said there are also concerns the disclosure requirements are too general and do not provide clear instructions on how much information to disclose.
The council said the lack of data makes it "next to impossible" for policymakers to accurately measure the cost of cybersecurity incidents for the U.S. economy and determine whether more active government involvement is needed. For companies, the lack of data makes it difficult to correctly assess the expected costs of cybersecurity exposure. Moreover, the council believes the paucity of data may be slowing the development of a more competitive market for cyber insurance.