Unexpectedly, the cost of big cyber-attacks is falling

LAST OCTOBER Anne Neuberger, America’s top cyber official, issued a dire warning. Cybercrime would cost the world more than $23trn by 2027, up from $8.4trn in 2022. More recently the IMF noted that cyber-attacks have doubled since the covid-19 pandemic. “The risk of extreme losses from cyber incidents is increasing,” said the fund. These could even pose “an acute threat to macrofinancial stability”. But is the economic impact of cyber-attacks really so large—or rising so fast?

Data collected by Tom Johansmeyer of the University of Kent, a former senior executive at Verisk, an insurance-data firm, suggests that the truth is more complicated. In analysis first published by Binding Hook, a website focusing on cyber issues, Mr Johansmeyer considers the case of NotPetya, a Russian attack on Ukraine in 2017 designed to delete data and which inadvertently spread around the world causing more than $10bn-worth of damage. That sounds bad.

But Mr Johansmeyer’s first point is that this is not especially large by the standard of natural disasters, which can serve as one useful benchmark for comparison. In 2022 Hurricane Ian caused ten times the damage in Florida; Hurricane Katrina caused nearly 20 times as much. The wildfires that raged in California between 2017 and 2021 probably cost more than $117bn annually. NotPetya was a pinprick in comparison. Moreover, it was not even, as America’s government claimed at the time, “the most destructive and costly cyber-attack in history”. At least two other cyber-attacks—the SoBig virus in 2003 and the MyDoom attack a year later—were far larger when adjusted for inflation (see chart).

Most remarkably, the economic impact of major cyber incidents appears to be falling, as our first chart shows. Around 92% of total economic losses from cyber catastrophes came before 2009, notes Mr Johansmeyer, who included incidents that cost more than $800m and had a significant number of victims. His estimates define economic damage broadly but the bulk of losses tends to be caused by loss of productivity, he says. The worst year came over two decades ago: in 2003 total losses were a staggering $110bn. Over the past 15 years, he concludes, real-term losses have “downright plummeted”. He speculates this could be owing to better security.

Although this data stops in 2017, the big attacks that have occurred since then do not appear to buck the trend. A ransomware attack on Change Healthcare, a critical node in the American health-care system, in February has had a devastating impact but will probably come in at under $2bn, reckons Mr Johansmeyer, still a relatively small sum. A separate attack on MOVEit, a widely used file-transfer service, will probably cost less than $1bn.

“The big question”, acknowledges Mr Johansmeyer, “is whether individual losses [below the $800m threshold] could get massive in aggregate”. He argues that this is very unlikely and estimates that ransomware, for instance, costs only $400m-500m per year. Others are less sanguine. “The constant drip drip of ransomware and the accretive loss across the economy contributes to staggering losses,” says Chris Krebs, who served as director of America’s Cybersecurity and Infrastructure Security Agency. These attacks are difficult to quantify precisely. The FBI estimates that “potential losses” in 2023 exceeded $12.5bn, a sum 22% higher than the previous year. Even by the standards of natural disasters, that is a lot. ■