Cyber economics: getting the board on board with cybersecurity

This article was first published on

Could you explain how a cyber breach affects your bottom line? Cyber economics aims to do just that.

What is the true impact of a cyber breach? Lost data? Angry customers? A negative hit to your corporate reputation? With so many variables, many of which can be difficult to assess in the early stages, it can be hard to measure the true cost. This is where cyber economics comes in – a rising discipline that aims to understand the full implications of actual and potential cyber breaches on an organization.

Commercially motivated attacks

The most damaging cyber attacks are highly targeted and driven by specific business and economic objectives such as fraud, manipulation and industrial espionage. It is a huge problem that is proliferating each year. A 2015 report from insurer Allianz Global Corporate and Specialty put the global cost to organizations at US$445 billion. Hewlett Packard and the Ponemon Institute of Cyber Crime believe attacks cost US firms an average of US$15.4 million each year.

For large multinationals, this may not sound like a huge amount. But there is a broader economic cost that cyber economics aims to reveal – a big enough cost that boards from organizations of all sizes should sit up and listen. According to a recent World Economic Forum report, the full economic cost of these cyber breaches could be up to US$3 trillion a year.

The need for a holistic approach

Businesses have a range of implementable procedures for dealing with economically motivated attacks. Board-level involvement is the most effective procedure to help organizations manage and mitigate cyber risks. With its top-down and overarching view, the board level provides the best vantage point to holistically consider the existential threat posed by cyber risks.

Unlike traditional tech-only cyber vulnerability tests, cyber economics provides companies and their boards with a complete view of risks by quantifying the most serious ones. It also raises awareness of technical and non-technical risk factors and provides organizations with strategic solutions that offer the best chance of success in uncertain environments. The result is greater clarity for board members looking for guidance on which risks to prioritize.

The key thing to remember is that cyber risk is no longer simply an IT issue – in the digital age, it can affect your entire operations, so taking a holistic view of potential vulnerabilities is vital.

Assessing the full cyber economic threat

The first step is to develop a fuller understanding of the potential business risks.

  • Boards must develop an in-depth profile of their business’s cybersecurity situation and identify possible gaps.
  • They need to be honest about economic vulnerabilities and become fully informed about a wide range of risks.
  • They also need a sensitivity analysis around mission-critical information, such as growth strategies and how rivals could target them in a deal.
  • Examining past cybersecurity breaches, system robustness and high-value data targets provides a baseline for follow-up.
  • Outside testing should involve a detailed security and economic audit to reveal potential vulnerabilities within the company’s own systems.
  • The board should also focus on supply chains, third-party data centers, and how cloud services are configured.

Thinking broadly about risk

Utilizing the cyber economic approach, businesses should think broadly – beyond just their own organizations – and analyze cyber risks posed by links to nation states, organized crime, suppliers, and even shareholders.

“Every business ought to be busy identifying any potential issues and being honest about their vulnerabilities,” says Doree Keating, Americas Government, Public Services Federal Sector Leader, EY. “It’s vital to understand how the cyber economic threat is evolving, monitor your own systems, analyze suspicious activity and adapt your tactics accordingly. Having remediation plans is a must — but mitigation of the risk ahead of time is the real objective.”

EY Legal Services Contacts:

  • Peter Katko – Global Digital Law Leader
  • Fabrice Naftalski – Global Data Privacy Leader
  • Monika Menz – Senior Manager, IP/IT Data Privacy