Last week, British retailer Marks and Spencer revealed further details about the financial hit of a cyberattack earlier this year that disrupted online sales for months. While the company’s first-half profits dropped dramatically, Marks and Spencer stressed that it expects a strong recovery in the coming months. 

The company’s first-half results reflected a jarring “one-off impact” from the April incident, with statutory profit (pre-tax) dropping from £391.9 million in the same timeframe a year ago to £3.4 million this year. 

Still, “we are confident we will be recovered and back on track by the financial year-end,” according to the company’s report. “In the second half we therefore anticipate profit at least in line with last year, as the residual effects of the incident continue to reduce in the coming months.”

At this point, we’ve seen enough post-incident earnings reports to know the shape of the direct costs: operational disruption, incident response, and the short-term losses tied to the intrusion. These financial metrics matter because they can lend better context to boardroom conversations about security risk and business impact.

But capturing the full picture is still difficult, because intangible aspects such as reputational damage are hard to track. It is also difficult to understand financial impact from a prediction and prevention perspective, before any incident has happened.

“It’s a challenge… we’ve been trying to tie security - whether it be controls or incidents - directly to financial risk, and it’s always been super challenging, especially on the control side of the house, because you’re predicting things in advance,” said Ed Bellis, CEO of Empirical Security.

We Can Track Cyberattack Financial Impacts - But It’s Not Easy

While we can definitively point to public reports like SEC filings or class action lawsuits as a way to measure the empirical financial impact of incidents, indirect hits still limit our full visibility. The Marks and Spencer attack put a pause on orders between April and July and left some store shelves bare for days after the retailer was targeted, leading to a £101.6 million direct cost, for instance. However, it’s difficult to capture quantitative fallout from reputational damage (particularly with personal customer data stolen) and other factors.

Threat actors’ push to reach a wider breadth of victims, through supply-chain attacks for example, adds another obstacle to capturing the big picture on losses, since a single intrusion can spread costs across many downstream organizations.

“It’s still hard to get a comprehensive perspective on financial losses,” said Wade Baker, founder of the Cyentia Institute. “People report on the ransom that was paid, but not the costs of internal processes. You also hear about class action lawsuits, but brand damage as a whole is hard to quantify. While bits and pieces are being shared more abundantly, we’re still a ways away from a full picture of company losses and impacts.”

The Cyentia Institute released the Information Risk Insight Study this year, which looked closely at the direct financial impacts on companies and at whether incidents have become more costly. The study found that median losses from security incidents have increased 15-fold over the last 15 years, from $190,000 to almost $3 million. Still, the losses analyzed in the study represent a conservative view, as indirect or intangible impacts were often not captured.

The good news is that newer regulations - such as the SEC’s cyber reporting mandates for incidents with material impacts - are adding more data into the mix related to financial losses when there’s an incident, said Baker.

“I think the regulatory emphasis does flesh out what we know about financial losses,” Baker said. “It also seems like there’s more of an appetite now around the conversation of business impact, rather than focusing only on threat actors or initial access in intrusions. All of that is positive and helpful.”

Cost Variables For Cyberattacks

Another caveat is that no two incidents are alike. 

In its 10-K filing for 2024, UnitedHealth, the parent company of cyberattack-afflicted Change Healthcare, revealed the costs of its February 2024 ransomware attack, which affected 190 million people. These included $2.2 billion in direct response costs: interest-free loans to support affected care providers, increased medical care expenditures, network restoration, and victim notifications. The company said it expects to continue to incur direct response costs and business disruption impacts “at a lesser extent in 2025.”

Meanwhile, the Form 10-K financial report filed by SolarWinds for 2024 gives more color on longer-term losses from attacks. The filing still refers to impacts from the infamous SolarWinds Orion attack in 2020, specifically pointing to audit fees ($2.35 million in 2024 and $2.57 million in 2023) consisting of external legal fees linked to government investigations after the hack.

A ransomware attack on a manufacturing firm that disrupts operational processes could have a very different financial hit than a denial-of-service attack on a news website. There are other external factors to consider as well, such as the impact on company stock price, any regulatory fines, and whether the victim organization has cyber insurance. 

Another consideration is organization size. The Cyentia Institute found that the cost of incidents is higher in large companies – but the relative impact is worse for smaller entities. Overall, Baker said, larger organizations are often equipped with the necessary budgets to prevent or mitigate incidents – something smaller entities lack. 

“In general, when smaller organizations have an incident, it’s far more impactful to them for their revenue,” said Baker. “It can be hard to move past that.”

The Cyentia Institute also found substantially different financial impacts on organizations depending on their vertical. Industries such as the financial, administrative, healthcare, manufacturing, public and professional services sectors show “increasing trends for loss magnitude,” with median losses for professional services up 25 times over the last 15 years. Recently, there has also been a strong trend toward cryptocurrency firms having the largest dollar-amount losses after an incident, said Baker. Other industries, such as retail, seem to be more financially resilient against attacks, with the sector’s current losses per event dropping significantly since 2008.

Despite these different variables, Bellis said that measuring financial impact “always comes back to mapping to some sort of business process or financial function of the business.”

“Those are the concrete things you can do,” said Bellis. “The more nebulous things have been too hard to measure quantitatively.”