Over 60% of the Fortune 1000 had at least one public breach over the last decade, according to a Cyentia Institute research. On an annual basis, it is estimated one in four Fortune 1000 firms will suffer a cyber loss event. That ratio approaches 50% for the Fortune 250.
Annual percentage of Fortune 1000 firms with known breaches
Moving beyond mega-corporations, the probability of cyber incidents drop substantially. SMBs have breach rates below 2% and are orders of magnitude less likely to suffer 10 or more in a year.
Estimating breach losses
The likelihood of breaches also varies by industry. Government agencies, information services, financial firms, and educational institutions have the highest rates. Construction, agriculture, and mining occupy the lower end of the frequency spectrum.
The traditional method of estimating breach losses—using a flat cost per record—is flat-out harmful. It results in $1.7 trillion of error due to overestimating losses compared to actual recorded values. We demonstrate a better method for more accurate cyber risk assessments.
We can use the number of exposed records to estimate breach losses, but it’s probabilistic rather than deterministic. An exposure of 1,000 records has a 6% chance of exceeding $10M. By comparison, a massive breach of 100M records has a better than 50% chance of racking up at least $10M in losses.
The financial impact
Financial losses following a cyber event typically run about $200K, but 10% of breaches exceed $20M. The cost of extreme events (95th percentile) to the mega corporations in the Fortune 250 approaches $100M (or more).
Typical and extreme losses differ substantially among industries. The information services and retail sectors show abnormally high losses that exceed many other sectors by a factor of 10.
Cyber events show harsh economies of scale. A $100B enterprise that experiences a typical cyber event ($292K) should expect a cost that represents 0.000003% of annual revenues. A mom and pop shop that brings in $100K per year, on the other hand, will likely lose one-quarter of their earnings ($24K) or more.