Cybercriminals tend to strike highly profitable companies, those holding a lot of cash and organizations that spend generously on advertising, according to an American Enterprise Institute (AEI) study of cyberattacks between January 1999 and January 2022.
“High profitability and growth opportunities help predict future malicious cyber events, which suggests that cyber threat actors target successful firms, possibly for industrial espionage,” AEI researchers wrote in their report. “Large cash holdings increase the likelihood of future cyber events.”
Many companies disregard SEC rules requiring them to report all material corporate events and fail to report cyberattacks, the researchers said. At the same time, “the probability that a cyber event is being reported is increasing with outside investor scrutiny” and the degree of coverage by media and company analysts.
Total potential losses from cyberattacks and cyber fraud surged 48% last year to $10.2 billion from $6.9 billion in 2021, according to the FBI.
Ransomware, malware and distributed denial of service attacks by far cause the most damage to company valuations, disabling IT systems and cutting access to data, websites and company services, the AEI researchers said, drawing from “the most comprehensive dataset of publicly reported cyber events” during the period studied.
Many cyberattacks may go unreported because of the high cost of publicity.
“Our results show that firms suffer statistically and economically significant negative abnormal returns in response to the announcements of adverse cyber events,” the researchers said.
Investors in recent years have reacted faster to news of a cyberattack, they said. “Prices react more quickly in the later part of the [data] sample, implying that market participants have learned over time about the damage that such events can cause.”
Damage from cybercrime far exceeds the sum of costs to targeted companies, harming peer companies and the broader economy, the researchers said.
Companies with an economic link to a targeted firm suffer a loss that totals on average 44% of the financial damage to the primary victim, according to the researchers. “We find that the spillover effect can travel across industries and is stronger for linked firms that are smaller than the directly hit firm.”
Companies with ties to the U.S. government or defense sector are especially vulnerable to a cyberstrike, the researchers said. The target may become “a launching point for so-called ‘supply chain attacks,’ with the ultimate goal to breach government agencies or steal government secrets and government employee PII [personally identifiable information] data.”
“This risk also increases in the amount of cash on a firm’s balance sheet — possibly due to a higher ability to make ransom payments — and in advertising spending — likely because consumer-facing firms also collect PII information on their customers,” they said.
Companies focused on artificial intelligence, self-driving cars and other emerging technologies — as well as those with trade secrets or valuable research and development projects — tend to be in the cross-hairs of cyberattackers, according to the researchers.
Also, companies involved in critical infrastructure such as water treatment, dams, nuclear power and other parts of the power grid “may be preemptively breached by nefarious actors such as terrorists or hostile nation-states intent on causing maximum disruption,” they said.