How does your industry compare when it comes to the financial loss exposure of cyber threats?

As the growing financial impact of cybersecurity breaches continues to reach astronomical heights, corporate and government leaders are increasingly looking for ways to better understand what this means for their organizations.

According to the 2022 NACD Public Company Board Practices and Oversight Survey, while 83% of boards say that they have improved their understanding of cyber risk compared to the two years prior, the same survey reveals that boards are struggling to keep pace with oversight of the onslaught of changing cyber threats.

And keep pace they must, as the continued digitalization of business services to better connect with customers, suppliers and employees and drive growth is being met with state-of-the-art cyber threats. In 2022, attackers spared no industry, sector or organization, no matter how sophisticated.

A technology leader like Uber was compromised – reportedly by a teenager from the Lapsus$ group – along with technology-poor institutions such as schools in Jackson County, Michigan, which were closed for days after a ransomware attack.

Risk themes continued to evolve in insidiously creative ways, from insider misuse (Meta employees were revealed to be ransoming Facebook and Instagram accounts), to ransomware (not just double but triple extortion), to business email compromise (no longer just criminals impersonating a known source via email, but adding voicemail compromise with deep fakes).

Facing this whirl of bad news, cyber risk leaders, corporate executives and corporate directors need to understand the economic drivers and impact of cyber risk, to provide effective oversight of a cyber-resilient organization in the pursuit of strategic goals, as highlighted in the World Economic Forum’s Principles for Board Governance of Cyber Risk.

The 2023 RiskLens Annual Cybersecurity Risk Report provides reference data on the impact of top cyber threats across key industries, based on actual 2022 events. The reference organization used for the study is an organization in North America with up to 1,000 employees and up to $1 million in revenue.

The top two industries by financial loss exposure are public administration and healthcare, whose overall exposure was driven by high event probabilities and moderate losses. Public administration, particularly local governments in the US, are the least well-protected among industry categories, often due to budget constraints.

They are also among the most likely to be targeted by cyber attackers and, in recent years, have been heavily hit with ransom and encryption attacks causing lengthy disruptions of vital services and revenue sources such as payments for parking tickets or construction permits.

For their part, healthcare providers and payers play a high-stakes game in the cyber risk landscape, with sensitive data (sometimes in the hands of third-party vendors) and patient care at risk, all under the oversight of the US federal government’s HHS Office of Civil Rights (OCR) watching – and fining – for violations of HIPAA.

When considering both the per-event losses and event probabilities, the study provides findings that might be counterintuitive for many:

The report also reveals the top two cyber threats per industry, as follows:

The study also examined the possible effect of cybersecurity posture changes and amounts of records such as personally identifiable information and credit card numbers. For the sake of this study, cybersecurity posture changes leverage the scores of SecurityScorecard, a leading security ratings firm.

The key takeaway is that substantial improvements to security posture and a reduction in the number of records at risk can reduce losses by 60% and event probability by 67%. If applied jointly, these two levers can reduce overall exposure by 88%.

You can access the full details of the study by downloading the report from the RiskLens website.