Cybercrime is usually measured in financial loss due to a computer based attack on a company’s computer system. Reputational loss can be huge, but is often only measured in lost sales. Guy Carpenter, a well respected reinsurance broker, recently quoted McAfee/CSIS 2013 study (see below) that the annual global cybercrime loss at $445 Billion. I’ve seen some estimates for the annual global revenue of the computer security industry at $20-50 Billion. The point I want to make here is that these two estimates, which are probably only accurate to a factor of 2 or 3, do not compute for me. If your expected loss is 20 times what you are spending for security, are you spending enough? This and the fact that cybercrime losses are increasing, argue that the computer security industry is going to grow like crazy. On the other hand, the likelihood that a company that is under-spending on computer security gets clobbered with a cybercrime is high, and obviously needs a lot of insurance, which I guess is Guy Carpenter’s message. The cybercrime insurance industry should also skyrocket. (Some liability and theft policies might exclude cybercrime or add claim limits and force customers to insure against cybercrime separately.)
I should point out that the FBI’s Internet Crime Complaint Center received in 2013 complaints with an adjusted dollar loss of $781,841,611. This US number is hugely less than the global number discussed above. See the FBI report listed below. The two reports have vastly different methodologies and thus different numbers.
There is much to learn from the Target breach in the fall of 2013, and this will be the subject of a subsequent post. Points worthy of mention here are that Target’s insurance was woefully inadequate, and while it spent a huge amount on FireEye computer security products, it didn’t have the security infrastructure to use those products effectively. In fact, Target didn’t even have a Chief Security Officer. Target and its banks’ total loss to date is in the hundreds of millions of dollars.
By searching the web, one can find many annual reports on cybercrime. Here are a few that I’ve enjoyed:
My final thought in this note on cybercrime is that the perpetrators of cybercrime are becoming very sophisticated, and the attacks are subtle, take place over a long period of time, and use evasive techniques to avoid being detected. There is a market on which a former “kiddie hacker” can buy nefarious software, and this happens, but much more sophisticated criminals attacked Target. Experts can say that well, the Target breach wasn’t that sophisticated, but it probably wasn’t a kiddie hacker. In fact, with an estimated 50 million credit cards stolen (actually the contents of the magnetic strip with which a card can be counterfeited) each valued at over $100 per card, one sees that cybercrime is “big business”. This crime seems to pale when it compares with the theft of intellectual property done by nation-states, but again that’s another post.