Hardly a day goes by when a cyber incident doesn't make national news.
A recent example is the troubling attack on an Indiana water treatment facility by Russian hackers. Fortunately, the intrusion did not cause any major disruption to the facility's operations, but it did raise concerns about what is to come.
While disturbing, such attacks are not surprising given that nation-state hackers often target critical infrastructure. Policymakers need to better understand which businesses and sectors of the economy are most at risk and help ensure they are adequately protected.
Fortunately, cyberattacks against critical infrastructure make up a small portion of all malicious cyber activity targeting U.S. businesses. In a recent paper, we compiled a dataset of adverse cyber events experienced by publicly traded companies in the United States. Perhaps due to strict reporting requirements, the most prevalent cyber incidents involve the theft of personal information belonging to customers and employees. The Securities and Exchange Commission requires companies to disclose “major cybersecurity incidents,” but there is ambiguity about what incidents are considered major. Companies are generally reluctant to disclose bad news, resulting in widespread underreporting.
Some cyber events, typically destructive cyberattacks that disrupt a company's operations and destroy its equipment, ransomware attacks that freeze a company's data until a ransom is paid, and distributed denial-of-service attacks that prevent users from accessing a company's website, can be observed by outsiders without formal reporting. However, other highly harmful forms of cyber breaches, such as industrial espionage and cyber-enabled financial theft, are designed to be hidden for as long as possible, even from the victim.
Companies face different cyber risks depending on the nature of their assets and operations. Our analysis shows that companies that hold intangible assets such as personally identifiable information and intellectual property are at greater risk. Additionally, companies that are contractors for defense and other government agencies are targeted by hackers. Specifically, companies working on government contracts may be 142 to 183 percent more likely to experience a cyber incident in the next year. Companies working on strategically important frontier technologies and critical infrastructure also face significantly higher cyber risks.
All this important information about a company can be easily obtained by hackers from public sources. For example, announcements about a company winning a new defense contract are widely disseminated through company press releases and the Department of Defense. It may be prudent for both governments and contractors to refrain from releasing such information.
Victims of attacks experience a variety of negative effects and face a wide range of costs, from immediate costs for forensic analysis and security enhancements to long-term losses from reputational damage, reduced competitiveness, higher capital costs, and loss of customers and suppliers. On average, companies included in the paper's sample lose 1.3% of their market value within one month after a cyber incident. There may be concerns that this estimate is overstated because it comes from responses to particularly severe cyber incidents that became public knowledge. However, research shows that companies tend to withhold information about more damaging incidents while disclosing less severe incidents.
Importantly, the economic losses from malicious cyber activity spill over to companies that use similar technology or have economic ties to the affected companies. The cumulative losses resulting from these spillover effects are estimated to be 3.8 times higher than the losses suffered by directly affected companies.
So how much can U.S. companies lose as a result of malicious cyber activity?
It is difficult to estimate because many cyber breaches go undetected or unreported. A useful source that provides insight into the prevalence of major cyber incidents is the annual Cybersecurity Breach Survey commissioned by the UK government. The 2024 survey covered 2,000 UK businesses, with half reporting some sort of cyber incident in the last year. 13% of these incidents resulted in significant losses, suggesting that 6.5% of businesses suffer a significant cyber incident each year.
Assuming this probability holds true for U.S. companies, we can perform some simple back-of-the-envelope calculations to estimate the total loss.
We can start by saying that the total market value of all public companies in the country is $46 trillion, and the value of all private companies is $13.6 trillion, or $17.5 trillion in today's dollars. Furthermore, we can also assume that in a given year 6.5% of companies experience a major cyber incident, resulting in an average loss of 1.3% of the company's market value. Taking into account negative spillover effects, the total loss suffered by public and private enterprises is estimated at almost $264 billion.
![](https://thehill.com/wp-content/uploads/sites/2/2023/11/op2.png?w=600)
Excluding spillovers to private companies, which may be less interconnected, the total loss would be $207 billion. These numbers correspond to 0.8% to 1% of US GDP in 2023.
Although these estimated losses are large, there is a silver lining as not all losses incurred by businesses are deadweight losses or wealth transfers from businesses to cybercriminals. The increase in malicious cyber activity is driving innovation in the burgeoning field of cybersecurity, which is rapidly becoming an export sector for the U.S. economy. Expanding this area is essential to helping U.S. companies better protect against future threats and ultimately making cybercrime less profitable.
Anna Shelbina is an adjunct senior fellow at the American Enterprise Institute and an associate professor of finance at Brandeis University School of International Business.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.