Opinions expressed in this piece are solely those of the author and do not represent the views of S&P Global Market Intelligence.
Hacking is a world-class problem. "Data fraud/theft" has made the list of Top Ten Global Risks ranked annually by the World Economic Forum for four consecutive years and is ranked 5th for likelihood in the latest 2017 Report, just ahead of "Cyberattacks" at No. 6.
How big is cybercrime’s economic impact? Nobody seems to know for sure given its relatively recent evolution, dynamic growth profile and expansive footprint. I have seen estimates by industry research firm Cybersecurity Ventures of $3 trillion in 2015, heading to $6 trillion by 2021.
Cybersecurity insurer Hiscox, meanwhile, pegs cybercrime costs in 2016 at more than $450 billion in aggregate for the U.S., U.K. and Germany. The insurer notes that 72% of large U.S. firms were attacked in 2016 and claims that 53% of all businesses in the U.S., U.K. and Germany were ill-prepared in 2016 — and may still be — for a growing array of cyber threats. Hiscox also estimates that over two billion personal records were stolen in the three countries.
Two common traits in many of the data thefts are time lapses to (i) discover that security has been compromised and (ii) report the breaches to the public.
Here’s a selected list of high-profile data breaches in the U.S. during the past six years that I compiled, sorted by the time it took the breached companies to report the attacks.
Compounding the reporting problem is that more than half of the list had to update the impact and gravity of their attacks months, even years, after their initial disclosures.
Yahoo, now owned by Verizon Communications Inc., ranked the worst when evaluating both the time it took to initially report a breach and also for playing catch-up on reporting the severity of the attack. What was initially reported in December 2016 as a 2013 hack that impacted 1 billion Yahoo accounts now turns out to be 3 billion accounts, according to an Oct. 3 disclosure.
Credit reporting firm Equifax Inc., however, takes the prize for infuriating data owners whose credit histories were collected and stored. It took 39 days for Equifax management to report that 143 million data files with sensitive personal information had been stolen, during which time some company executives sold Equifax stock. Management says that those insiders who sold shares did not know of the breach, but various regulatory agencies and congressional committees are investigating — as well they should.
Perhaps the U.S. will follow the lead of the European Union, which has new rules effective in May 2018 requiring companies to report data theft or breaches to regulators and to those impacted. Other suggestions I have come across include appointing a Data Czar with broad powers to enforce how data is curated, shared and protected.
One suggestion for helping to manage cybersecurity risk is to create a derivatives market that trades insurance risk, similar to the way credit default swaps are used as hedges in debt capital markets. I suspect the cybersecurity insurance dollar volume would have to grow exponentially in order to support such a plan. The other problem could be the imbalance of supply and demand. Data breaches are said to be the leading cause of cyber insurance loss according to a recent study by risk assessment firm Beazley.
Did I mention that October is National Cybersecurity Awareness Month? It is supposed to be a time in which "we reflect on our nation's increasing reliance on technology and the internet and raise awareness about the importance of cybersecurity."
Hopefully, we do a bit more than that. America needs a cohesive and achievable strategy plus a set of regulatory and business policies to prevent, detect, report and manage the risk of cybercrime. It is going to be a challenge considering that the hackers are clearly way ahead of whatever we think we are doing to stay out of harm's way.
In celebration of National Cybersecurity Awareness Month, the U.S. Internal Revenue Service has awarded Equifax a $7.25 million no-bid contract to verify taxpayer identities to help prevent fraud. I'm not kidding. The story comes from Politico.
I'm guessing that since Equifax and the IRS are about equally beloved in Congress, a hearing or two may be near — perhaps a rare bipartisan moment.