One of the big questions that bedevil corporate executives is how much a cyber “incident” might cost the company. Indeed: the “cost of breach” as it is often termed is the subject of determined study by folks like The Ponemon Institute (and sponsors like IBM), as well as Verizon, consultancies like Kroll, and so on.
The question isn’t academic. Knowing how much a cyber incident will cost your company helps executives, board members and staff “price” risk and justify expenditures on security software and services.
But the surprisingly simple question of how much malicious cyber activity costs belies a surprisingly complex puzzle. Incidents like a denial of service attack might be easy to price: just figure out how much money you make from being online (if you’re an online retailer like Amazon.com, that’s a big number), then figure out how long the DDoS attack took you offline, add in the cost to get back online, investigate the incident and remediate, and you have it.
With other kinds of attacks – like data theft – the question is a lot more difficult to answer. Few public firms disclose “material” cyber incidents that affect them, even though the law in the U.S. would seem to mandate it. Some of the biggest cost drivers of breaches – like credit monitoring for affected customers and employees – end up costing much less than you would think. And, while corporate boards may be bracing for more cyber regulations that impost costs on breaches and data theft, there’s been little progress on that, at least at the federal level, nor is there likely to be any in an election year.
But there’s no doubt that hacks and other incidents do cost companies considerably and, every so often, the curtains part to give us a glimpse of how significant those costs are. That’s what happened this week in the case of UK telecommunications firm TalkTalk.
As you may recall, TalkTalk was the victim of a cyber attack in the final months of 2014 that resulted in the theft of personal data on 150,000 customers, including names, addresses, phone numbers and TalkTalk account numbers. At the time, the company said that some of that data was used in follow on attacks aimed at extracting bank account and credit card information from victims.
Subsequent reporting suggested that the company was the victim of a distributed denial-of-service (DDoS) attack coupled with a SQL injection attack against application servers containing customer data.
According to a report on Tuesday, however, we now know how much all that malicious activity cost the company: $88 million at current exchange rates.
Where did that figure come from? TalkTalk said that most of the costs were only indirectly linked to the breach. For example, the company lost 101,000 customers in the months following the breach, 95,000 of which it estimates were because of the hack.
It should be noted that those costs are much higher than the $35 million price tag that TalkTalk initially put on the incident, which considered the cost of recovery and additional customer support.
Is this important? It should be: firm data on the cost of hacks is notoriously hard to come by and, absent strong federal legislation in the U.S., many firms that are the victim of cyber incidents find ways to sweep the details of the incident under the rug. It’s also worth noting that the TalkTalk revelation underscores the cost to businesses of cyber incidents that have little to do with recovery from the incident itself: loss of customers, reputation damage, fines and other penalties all add to the (hidden) cost of incidents. In cases where attackers make off with intellectual property or other sensitive data, we can expect the costs to mount even more.