The views expressed by contributors are their own and not the view of The Hill

How much do US businesses lose due to malicious cyber activity? 

Hardly a week goes by without a cyber incident making national news.  

A recent example is a troubling attack on a water treatment facility in Indiana by Russian hackers. Luckily, this intrusion did not cause a major disruption to the plant’s operations, but it did raise concerns about what is to come.

While unsettling, such attacks are not surprising, given that nation-state-affiliated hackers often target critical infrastructure. Policymakers need to better understand which businesses and sectors of the economy are most at risk and help ensure that they are properly protected.  

Fortunately, cyberattacks on critical infrastructure still make up just a small fraction of the overall malicious cyber activity aimed at U.S. businesses. In a recent paper, we compiled a dataset of adverse cyber events experienced by publicly traded firms in the U.S. Most likely due to stringent reporting requirements, the most prevalent cyber incidents involve theft of personal information belonging to customers and employees. Despite the Securities and Exchange Commission’s requirement for firms to disclose “material cybersecurity incidents,” there is ambiguity regarding which incidents qualify as material. Firms are generally reluctant to disclose bad news, which results in widespread underreporting.

Generally, cyber events, such as destructive cyberattacks, which impede firms’ operations and destroy equipment; ransomware attacks, which freeze firms’ data until a ransom is paid; and distributed denial of service attacks, which prevent users from accessing company’s websites, can be observed by outsiders even without formal reporting. However, other highly detrimental forms of cyber compromise, such as industrial espionage and cyber-enabled theft of funds, are engineered to remain concealed as long as possible, even from the victim.  

Firms face different cyber risks depending on the nature of their assets and operations. Our analysis shows that the risks are greater for firms that possess intangible assets, such as personally identifiable information or intellectual property. Additionally, firms that are contractors for defense and other government agencies are disproportionately targeted by hackers. Specifically, firms working on a government contract face a 142 percent to 183 percent higher probability of a cyber incident in the coming year. Furthermore, firms that work on strategically important frontier technologies and in critical infrastructure also face a significantly higher cyber risk. 

All this crucial information about firms can be easily obtained by hackers from public sources. For example, announcements regarding a firm securing a new defense contract are widely disseminated through corporate press releases and by the Department of Defense. It might be prudent for both government and the contractors to refrain from publicizing such information. 

Firms that fall victim to an attack experience a spectrum of negative consequences, ranging from immediate expenses for forensic analysis and security enhancements to longer-term losses associated with reputational damage, weakened competitive standing, higher cost of capital, and the loss of customers and suppliers. On average, firms in the paper’s sample lose 1.3 percent of their market value in the month following a cyber-incident. There might be concern that this estimate is overstated because it is taken from reactions to particularly severe cyber incidents that became publicly known. However, research suggests that firms tend to withhold information on the more damaging incidents while disclosing the less severe ones. 

Crucially, economic losses from malicious cyberactivity spill over to firms that use similar technologies or have economic links to the affected firms. We estimate that the cumulative losses stemming from these spillover effects amount to 3.8 times the loss incurred by the directly affected firm. 

So how much money do U.S. businesses lose as a result of malicious cyber activity? 

It is challenging to estimate because a great number of cyber compromises remain undetected or unreported. A helpful source that gives an insight into the prevalence of significant cyber incidents is the annual cybersecurity breaches survey commissioned by the UK government. The 2024 survey encompassed 2,000 UK businesses, with half reporting some form of cyber incident in the last year. Thirteen percent of these incidents resulted in material losses, suggesting that 6.5 percent of businesses suffer a serious cyber incident in a given year. 

Assuming this probability also holds true for U.S. firms, we can perform a quick back-of-the-envelope calculation can estimate the magnitude of total losses. 

We can start with an aggregate market value of all domestic publicly traded firms of $46 trillion, and a value of all private businesses of $13.6 trillion, or $17.5 trillion in today’s dollars. We can further assume a 6.5 percent of businesses experience a material cyber incident in a given year which, resulting in an average loss of 1.3 percent of the company’s market value. Accounting for the negative spillover effects, we estimate the total loss incurred by public and private companies to be almost $264 billion.

If we exclude the spillover effects for private companies, which may be less interconnected, the total loss comes to $207 billion. These figures amount to between 0.8 percent and 1 percent of the 2023 U.S. GDP.  

While these estimated losses are large, there is a silver lining, as not all losses incurred by businesses are dead-weight losses or wealth transfers from firms to cybercriminals. The growth of malicious cyberactivity has spurred innovation in the burgeoning cybersecurity sector, which is quickly becoming an export sector for the U.S. economy.  The expansion of this sector is imperative to help U.S. businesses in strengthening their defenses against future threats, and ultimately rendering cybercrime less lucrative. 

Anna Scherbina is a nonresident senior fellow at the American Enterprise Institute (AEI) and a professor of finance at Brandeis University’s International Business School.