Hamilton Place Strategies

www.hamiltonplacestrategies.com
202-822-1205

Cybercrime Costs More Than You Think

n an increasingly interconConsider:
nected world fueled by the Since 2005, 828 million
individual records have
expansion of digital technol The median cost of
been exposed by data
ogy, cybercrime has become
cybercrime has inbreaches the equivalent
a big business. How big?
creased by nearly
of every person in the
Cybercrime costs the global
200 percent in the
U.S. having almost three
economy about $450 billion
records stolen.
last five years and
each year (Fig. 1), a value
that exceeds the market capis likely to continue
italization of such corporate In 2014 alone, data
growing
breaches exposed over
powerhouses as Microsoft
85 million records in the
Inc. and Exxon Mobil Corp.,
The reputational risk and its nipping at the heels
United States.
associated with cyof Apple Inc. Put another
Reputations At Risk
bercrime extends
way, cybercrime would rank
well beyond moneas the worlds 23rd largest
While the direct cost of
economy beating out
tary damages
a cyberattack can be sigcountries like Austria and
nificant, the reputational
Having a plan in place Iran. And if cybercrime were damage can be even more
a U.S. industry,
for how to respond to
impactful to the
it would be
bottom line. In
a cyberattack could
bigger than the
If cybercrime were
the Target data
save millions
entire farmbreach of 2013,
a U.S. industry, it
ing or oil and
which affectwould be bigger
gas extraction
ed millions of
than the entire
industries.
U.S. customers,

Findings:

Tucker Warren
Jared Favole
Scott Haber
Emily Hamilton

farming or oil and

the company
In the last
gas extraction inincurred $252
five years, the
dustries.
million in data
median cost of
breach-related
a cyberattack
expenses, with
has increased
only $90 million
by nearly 200 percent (Fig.
of that expected to be offset
2). And cybercrimes not just by insurance recoveries. In
getting bigger, its becoming its 2015 10-K filing, the commore frequent and far reach- pany referred to the data
ing.
breach as an example of an

incident that affected our

reputation and negatively
impacted our sales for a period of time.
Cybercrime also carries with
it a ricochet effect where
simply sharing an industry
with a victim is enough to
impact your business. In
the case of Target, its data
breach brought other retailers into the spotlight, with
headlines like Retail Industry Security Hacks May Surge
In 2014. This ricochet effect
shows that even if your company avoids a cyberattack,
you could be harmed if a
less-prepared industry player
lets its defenses down.

Fig. 1: If Cybercrime Had Been A U.S. Company In

2014, It Would Have Been The Second-Largest
Market Capitalization ($, Billions)

$647.4

$445.0

Apple

U.S. CEOs are more

concerned about cyber-related threats
and attacks than
fiscal crises, asset
bubbles, and energy
prices.

Business leaders seem to

have taken notice. The World
Economic Forums recent
report on Global Risks of 2016
found U.S. CEOs are more
concerned about cyber-related threats and attacks than
fiscal crises, asset bubbles,
and energy prices.
Despite the attention cybercrime has among people
tasked with protecting the
reputations of the largest
companies in the world,
the costs of attacks and the

Cybercrime

$391.5

$382.9

$370.7

Exxon
Mobil

Microsoft

Berkshire
Hathaway

Source: Bloomberg, cybercrime cost from Allianz Cyber Risk Guide

frequency with which they

occur are rising. This shows
that a lot more needs to be
done to protect the reputations of businesses.

paring for how to handle the

communications response?
Its not just about protecting
your company. Your companys efforts will benefit the
industry too. The less comPlan For It, Communicate
panies talk about cybercrime,
About It
the more theyll
be feeding into
Cybercrime
also
carWhile cyberworst-case-scecrime seems
nario thinking.
ries with it a "ricoto be beHere are some
chet effect" where
coming an
simply sharing an in- things every
inevitability,
company in
dustry
with
a
victim
the ensuing
every industry
is enough to impact
reputationshould do:
your
business.
al damage
doesnt have
Know your
to be. Comstory: Find out
panies spend a lot of time
how likely your business
and money to protect their
is to be attacked. Develop
business and by extension
a list of five things your
their customers. But what
company does right now to
about investing in and preprevent cybercrime and get
Hamilton Place Strategies 2

clearance for how to discuss

those details externally.
Media train experts: Cybercrime is complex and
confusing to the general
public. Establishing credibility will likely take more
than just a communicator. A
technological expert, possibly even a chief technology
officer if your company has
one, should be trained well
before an attack on how to
interact with the media.
Internal navigation: In a crisis, navigating internal communications channels can
be as tricky as external ones.
Understand who in your
company would need to
be involved in internal and
external communications in
the aftermath of a cyberattack and where the technical
cyber expertise lies within
the company.
Create a playbook: Develop
a plan for how your team
and the company will react
to a cyberattack. This can
streamline your companys
response, ultimately saving
time and money.
Brief the board: Ensure the
board understands that a
cyberattack is likely to happen in this day and age, and
inform them of the planning
in place to prevent and recover from an attack.
Engage stakeholders: Done
well, proactively communicating with stakeholders
about your companys cybersecurity risk and plans isnt

Fig. 2: The Cost Of A Cyber Attack For U.S.

Businesses Has Increased By 192% Since 2005
Median Cost Of A Cyber Crime For A U.S. Business
+192%

$11.0 M
$9.1 M

$5.9 M

$6.2 M

2011

2012

$9.7 M

$3.8 M

2010

2013

2014

2015

Source: 2015 Cost Of Cyber Crime Study: United States

a risk. Given the realities all

industries are facing with
cybercrime, doing so will
help ensure your company
is ready and prepared. And
after all, being thought of as
ready and prepared is what
every business wants for
their reputation.
Know the media: Identify
key reporters and create
working relationships in
advance of an attack so you
arent introducing yourself to
the reporter who covers your
attack in its aftermath.

nal dependencies, and who

needs to know what, when
in the first 24-48 hours inside
and outside of the company.

You cant control it, but

what you can control
is whether youre prepared to respond

These are just a few steps

that will help your company
contextualize the threat of
a cyberattack, and how to
mitigate its damage. Unfortunately, if youre in business
War gaming: Lay out a few
today, its nearly a guaranof the most likely cyber
tee youll be hacked at some
scenarios that would impact point over the next couple
your business and game out of years. You cant control it,
how you and your colleagues but what you can control is
would respond, what everywhether youre prepared to
ones roles would be, exterrespond when it happens. [ ]
Hamilton Place Strategies 3