Cyber risk is complex and constantly changing.  In the insurance industry, cyber risk modeling refers to the use of mathematical models to evaluate the potential financial losses that a company might incur in case of a cyberattack. Cyber risk modeling can encompass various techniques such as financial modeling, scenario analysis, and Monte Carlo simulations to assess the potential costs from different types of cyber threats.  Empirical data on the costs associated with a particular cyber risk is an important part of these risk modeling techniques.

If you want to access data on real-life data breaches, IBM’s Cost of Data Breach Report 2022 (IBM’s 2022 Report) is a great resource. The underlying research was conducted by the Ponemon Institute and is based on an analysis of data breaches suffered by approximately 550 global companies between March 2021 and March 2022.

Below are some of the key findings contained in IBM’s 2022 Report:

  • Businesses that Pay the Ransom Aren’t Getting a “Bargain”: According to IBM’s 2022 Report,  businesses that paid threat actors’ ransom demands saw $630,000 less in average breach costs compared to those that didn’t pay, excluding the ransom amount paid. However, when accounting for the average ransom payment (approximately $812,000 in 2021), businesses that opt to pay the ransom could face higher total costs and inadvertently fund future ransomware attacks instead of allocating the funds to remediation and recovery efforts. 
  • Immaturity in Cloud Security: IBM’s 2022 Report found that 45% of the studied breaches occurred in the cloud, emphasizing the importance of cloud security. However, 43% of the reporting companies indicated they were in the early stages of or had not yet started implementing security practices to protect their cloud environments, resulting in higher breach costs. Companies that did not implement security practices across their cloud environments took an average of 108 more days to identify and contain a data breach compared to those that consistently applied security practices across all their domains.
  • Critical Infrastructure Lags in Zero Trust: Only 21% of critical infrastructure organizations studied had adopted a zero-trust security model, according to IBM’s 2022 Report. Additionally, IBM’s 2022 Report revealed that ransomware and destructive attacks accounted for 28% of breaches among the critical infrastructure organizations studied, highlighting how threat actors are trying to disrupt the global supply chains that rely on these organizations, including, but not limited to, financial services, industrial, transportation and healthcare companies.
  • Security AI and Automation Saves Millions: Companies that fully deployed security AI and automation incurred an average of $3.05 million less in breach costs compared to the companies that didn’t deploy the technology, the largest cost-saver observed in IBM’s 2022 Report. 
