10 November 2022 - London
Serious cyber-attacks increase 25% year on year and now average a cost of over $3 million, finds new research from S-RM.
- 75% of senior IT leaders say their firm suffered a serious attack in the last three years, compared to 60% last year
- Indirect costs, such as reputational damage, lost business and legal costs, often outstripped the initial direct cost of the attack
- The most common impacts of cyber incidents were operational downtime (40%), increased insurance premiums (36%), reputational damage (34%), and legal costs or ramifications (34%)
Leading global intelligence and cyber security consultancy S-RM has today launched its 2022 Cyber Security Insights Report, which examines the specific cyber security challenges faced by C-suite leaders and senior IT decision makers across the globe.
Drawing on data from 600 C-suite and IT budget holders from organisations with a revenue over $500m, the report found that 75% of senior IT leaders reported experiencing a serious cyber-attack in the past three years, up from just 60% of respondents in 2021 – a 25% increase overall. US businesses were slightly more likely to experience a serious cyber-attack (77%) compared to their UK peers (73%), though both markets saw an increase in attacks in 2022.
| Incident type experienced | 2021 | 2022 |
| --- | --- | --- |
| Data exfiltration | 37% | 46% |
| Ransomware/extortion | 30% | 40% |
| Hacktivism/web/social defacement | 32% | 39% |
| Denial of service/sabotage | 28% | 39% |
| Fraud | 29% | 38% |
| Cryptojacking | 27% | 33% |
Data source: S-RM 2022 Cyber Security Insights Report
Jamie Smith, Board Director at S-RM said:
"Our latest report shows the sheer scale of serious cyber-attacks on businesses in the UK and the US, with three in four businesses affected in the last three years. This is a growing problem and one with serious ramifications for affected organisations. Instances of data theft, ransomware, fraud, cryptojacking, and other attacks all increased this year, causing significant financial damage."
The report also examined the damage caused by these attacks, which averaged nearly $3.4m (£3 million). Respondents reported an average direct loss from a serious cyber incident of $1.5m (£1.3m), a significant figure that doesn’t take into account an incident’s long-term fallout, which can cause businesses further financial damage. Indirect losses, such as reputation damage or ransoms paid by an insurer, were actually often more costly than the initial incident itself, averaging $1.87m (£1.5m). These indirect costs were slightly higher amongst UK IT leaders ($1.95m / £1.7m) than US senior IT leaders ($1.79m / £1.56m).
The most common impacts of cyber incidents across this period were the result of operational downtime (reported by 40% of respondents), increased insurance premiums (36%), reputational damage (34%), and legal costs (34%).
Jamie Smith, Board Director at S-RM added:
"Often businesses will focus on the direct financial impact of a cyber incident, but the indirect impact can be even higher and far more difficult for them to accurately quantify. This is part of the reason why an effective incident response plan and relevant training is so important. The right plan can minimise the secondary impact of attacks, help to limit reputational damage, aid recovery, and minimise costly downtime.
"As the cyber threat continues to grow, investment in the right planning and expertise will become an even more crucial risk management necessity."
| Indirect cost of cyber incidents | Percentage of respondents reporting these effects |
| --- | --- |
| Operational downtime | 40% |
| Increased insurance premiums | 36% |
| Reputational damage | 34% |
| Legal costs | 34% |
| Regulatory investigations | 33% |
| Ransom payments | 32% |
| Recovery/response costs | 32% |
| Regulatory penalty | 28% |
| Lost business | 25% |
Data source: S-RM 2022 Cyber Security Insights Report
Further detail on the full report can be accessed on the S-RM website, here.
Methodology
The S-RM Cyber Security Insights Report 2022 follows on from our 2021 report, Investing in Cyber Resilience: Spend, Strategy and the Search for Value, where we seek to understand the specific cyber security challenges faced by C-suite leaders and senior IT decision makers.
For the report S-RM again surveyed 600 C-suite and IT budget holders from organisations with a revenue over USD 500m. With two years’ worth of data, S-RM was able to analyse the year-on-year changes in the types of incidents experienced by large organisations and their attitudes and approaches to spending on cyber security. This year, in the context of a well-publicised hard market, survey participants were also asked for their views on cyber insurance.
For further information, please contact
Media Enquiries
Tom Stewart-Walvin
Rostrum
t.stewart-walvin@rostrum.agency
s-rm@rostrum.agency
+44 (0)7855 689 302
About S-RM
S-RM is a global intelligence and cyber security consultancy. Founded in 2005, it has 400+ experts and advisors across nine international offices. Headquartered in London, S-RM has offices in Cape Town, Hong Kong, London, Manchester, New York, Rio, Utrecht, Washington DC and Singapore.