$450B is Serious Money! When Will We Get Serious about Cyber Risk?

by | Jul 26, 2017

Lloyd’s of London says cyberattacks caused an estimated $450B in worldwide business losses during 2016. How much cyber risk must we take on before taking concerted action to control it?
Barkly recently published survey results from organizations that experienced a cyberattack in 2016. Over half of these companies had no plans to make any changes to their security measures in 2017, and 52% expected their security budget to remain flat or decrease. The adage, “the definition of insanity is doing the same thing over and over again and expecting a different result,” certainly applies here.
Comparison between the fields of cybergovernance and financial governance

“6 Must-Know Cybersecurity Statistics for 2017”
Barkly Blog, January 2017

Cyberattacks during the first half of 2017 have taken a devastating toll on companies around the globe. Total losses from the WannaCry attack will be  over $4 billion, according to estimates. As a result of the NotPetya attack that followed, shipping giant Maersk lost as much as $450 million. FedEx temporarily stopped trading its stock after being hit by NotPetya. On July 17, the company filed a 10-K indicating the attack is likely to be material, disclosing that FedEx is still “focused on restoring remaining operational systems as well as finance, back-office and secondary business systems. At this time, [they] cannot estimate how long it will take to restore the systems that were impacted…”

Global specialty insurer Lloyd’s of London and cybersecurity analysis company Cyence have revealed a staggering estimate of 2016 worldwide cyber losses: as much as $450 billion  – almost half a trillion dollars. These companies conducted a study to estimate the losses a single, successful, global cyberattack could generate. They found that the average cost of a global cyberattack would be around $53B, but the worst-case scenario could see a financial impact upwards of $121B. These numbers are staggering and should catch the attention of every C-suite and board.

Cyber luminaries repeatedly assert that implementing a few simple measures could dramatically reduce cyber risk for most organizations. For example, the impact of both WannaCry and NotPetya might have been minimized if a few well established processes and policies had been implemented and executed across organizations, based on recommendations from experts (e.g., PwC). While organizations spend 80% of their security budget on technology defenses, most losses are derived from not having the right people, processes, and policies in place. It’s not that we don’t understand what we should do – it’s that we simply don’t do it consistently. The shift in changing to a cyber-conscious culture is missing in almost every organization – from the top down.

If companies are reluctant to increase their security budget, how can they successfully reduce cyber risk without a huge spending increase? By focusing on three important areas that don’t directly involve buying technology:


The vast majority of breaches can be traced back to actions, or lack of actions, by human beings. Clicking on a bad link, failing to install patches, sloppy hiring practices, improper vetting of new vendors – these and many other failings can be prevented. Success starts with commitment from the CEO and the board to create a cyber-conscious culture throughout the entire organization. The first step is raising the level of awareness of cyber issues among board members and the C-Suite.


Since 2014, the NIST Cybersecurity Framework (CSF) has evolved into the de facto standard for evaluating cyber resilience. Based on interviews and input from at least a thousand cybersecurity experts and organizations, NIST created a comprehensive roadmap describing processes that need to be in place throughout the enterprise to mitigate cyber risk. Examples include conducting regular risk assessments using defined criteria, regularly applying software updates, and deprovisioning unused identities. Hundreds of similar “controls” should be addressed.


Policies that enforce safe behavior need to be instituted across the organization. Key risk management stakeholders must be identified by role, and their active involvement in risk management must become an integral part of their responsibilities. Documented cyber risk management practices and procedures must be supported by measureable standards and repeatable guidelines. To minimize damage, preparation for rapid, post-incident responses that minimize damages should be put in place as soon as possible.

As Mark Andreesen famously observed in 2011, “software is eating the world.” Dependence on software and networks managing all phases of business is essentially complete, so the massive and growing damages resulting from cyberattacks create a significant call to action. Getting serious about mitigating cyber risk and preventing financial disaster doesn’t have to mean spending millions on technology; what it does require is strong commitment from the top down. Leadership can no longer assign the responsibility to one department and hope for the best. CEOs and boards have a fiduciary duty to manage all forms of enterprise risk, and cyber risk has come to represent the most significant risk we face today.

How many more $450B pricetags must we incur before we get serious about attacking cyber risk?

Comparison between the fields of cybergovernance and financial governance

Be notified of new Journal entries in your email box or Follow us on Twitter.