How Inflation Impacts Cyber Loss Data

May 31, 2022  Justin Theriot

Many issues plague us these days, but inflation has become a top concern of all Americans. Inflation is defined as the rate at which the value of a currency is falling and, consequently, the general level of prices for goods and services is rising. Cyber event data records losses in nominal dollars, at their value when they occurred. In our modeling, we adjust cyber losses for inflation, putting them into real dollars. Financial decisions around cyber risk exposure need to be made using the value of a dollar today, not its value ten years ago.


RiskLens Principal Data Scientist Justin Theriot explains some of the economic analysis that goes into supplying our customers with the most accurate cyber risk data available.


The RiskLens data science team makes our adjustments using the latest monthly Consumer Price Index (CPI) data from the Federal Reserve Economic Data (FRED) at the Federal Reserve Bank of St. Louis [1]. The CPI is one of the most frequently used statistics for identifying periods of inflation. In April 2022, the CPI was up 8.3 percent over the previous 12 months.
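The adjustment described above, as an added example that is not RiskLens code: each nominal loss is scaled by the ratio of the target-month CPI to the event-month CPI, then totals are compared per FAIR loss form. The index values and loss events are constructed for illustration (not actual CPIAUCSL figures or real incidents), and the function names and the fallback to the latest earlier month are assumptions.

```python
# Constructed monthly index values for illustration only; these are NOT
# actual CPIAUCSL figures. Load the real series from FRED before use.
CPI = {"2012-04": 200.0, "2017-04": 220.0, "2021-04": 240.0, "2022-04": 250.0}

# Constructed loss events: (event month, FAIR loss form, nominal USD).
EVENTS = [
    ("2012-04", "SRC", 1_000_000),
    ("2017-04", "SRC", 2_200_000),
    ("2021-04", "PRC", 480_000),
    ("2017-08", "F&J", 440_000),  # month absent from CPI: exercises the fallback
]


def cpi_for(month, series=CPI):
    """Index for `month`; if unpublished, the latest earlier observation."""
    if month in series:
        return series[month]
    earlier = [m for m in series if m < month]  # "YYYY-MM" sorts lexically
    if not earlier:
        raise KeyError(f"no CPI observation at or before {month}")
    return series[max(earlier)]


def to_real(nominal, event_month, target_month, series=CPI):
    """Restate a nominal loss in target-month (real) dollars."""
    return nominal * cpi_for(target_month, series) / cpi_for(event_month, series)


def totals_by_form(events, target_month, series=CPI):
    """Per loss form: (nominal total, real total in target-month dollars)."""
    totals = {}
    for month, form, nominal in events:
        nom, real = totals.get(form, (0.0, 0.0))
        totals[form] = (nom + nominal,
                        real + to_real(nominal, month, target_month, series))
    return totals


def understatement_pct(events, target_month, series=CPI):
    """Percent by which unadjusted totals understate real totals, per form."""
    return {form: round((real / nom - 1) * 100, 1)
            for form, (nom, real) in totals_by_form(events, target_month, series).items()}


if __name__ == "__main__":
    for form, pct in understatement_pct(EVENTS, "2022-04").items():
        print(f"{form}: nominal data understates losses by {pct}%")
```

Older events receive the largest uplift, so a loss form whose history is weighted toward earlier years shifts the most when the data is restated.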

In the chart below, we see how year-over-year inflation has impacted the cost of a data breach. We show how not adjusting losses for inflation prior to modeling impacts the estimates. If a company with $10 billion in revenue lost 5,000,000 records due to a breach, they could expect the following losses in May 2022:


[Chart: RiskLens Data Science - Inflation and Cyber Risk Losses 1 Revised]

Primary Response Costs (PRC) for the incident were not impacted due to a limited amount of data. However, Fines & Judgments (F&J) and Secondary Response Costs (SRC) see increases of 19.2% and 19.4%. Using the same case as above, the year-over-year changes in estimates are:

[Chart: RiskLens Data Science - Inflation and Cyber Risk Losses 2 Revised]
 
PRC and SRC have gone up 1% and 24.5%, while F&J has decreased by 11.5%, which we address below.
 

As a note, there are no statistically significant events to cause the drastic change in estimates. Remember that CPI is a measure of the average change over time in the prices paid by consumers for a market basket of goods and services, meaning inflation impacts the forms of loss differently.

FAIR defines PRC as the cost for the computer security incident response team and other departments to manage a cyber loss event and its aftermath. For example, Equifax accrued $353 million in PRC that included infrastructure improvements to their application, network, and data security related to their 2017 data breach of 145 million PII records [2]. A contributing factor to inflation has been supply chain problems that cause the price of assets to rise, e.g., infrastructure improvements.

SRC is defined as those activities and expenses incurred while dealing with secondary stakeholders, such as customers. For example, Target had $172 million in SRC related to their 2013 data breach of 40 million PCI records [3]. These costs were for card replacement, coming to an average of $10 per card, comprised of reissuing the card, informing consumers of the reissuing, shipping the card, activating the card, and communication via call centers. Small unit price increases may seem negligible, but when dealing in quantities of 40 million, an increase of $0.01 results in a $400,000 price increase.

Furthermore, labor costs to reissue and send cards and to staff call centers are included in SRC. As of January 2022, nominal wages and salaries for all workers rose at a 4.4% rate according to Employment Cost Index data from the Bureau of Labor Statistics [4].

F&J are those losses such as a fine from a regulatory body, a judgment from a civil case, or a fee based on contractual stipulations. Aetna Inc. incurred $1.9 million in F&J from the US District Court for the Eastern District of Pennsylvania [5]. While we adjust for inflation in these costs to bring the amount to real dollars for budgeting purposes, regulatory fines often do not keep up with inflation; thus, we do not anticipate an increase in F&J based on high inflation.

Our adjustments of losses to account for inflation may come across as a small and insignificant modeling choice. However, as we have demonstrated, these adjustments can alter the risk landscape in a large and significant manner. We update our data quarterly (update 2022 July 01) to ensure the decisions that RiskLens clients make use the latest information.

References:

  1. U.S. Bureau of Labor Statistics, Consumer Price Index for All Urban Consumers: All Items in U.S. City Average [CPIAUCSL], retrieved from FRED, Federal Reserve Bank of St. Louis; FRED Economic Data, May 24, 2022.

  2. Equifax 2018 United States Securities and Exchange Commission Form 10-K.

  3. Target 2016 United States Securities and Exchange Commission Form 10-K.

  4. U.S. Bureau of Labor Statistics, Employment Cost Trends, retrieved from ECT Databases; ECT Databases, May 24, 2022.

  5. Andrew Beckett, Arizona Doe, California Doe, S.A., Colorado Doe, Connecticut Doe, DC Doe et al vs Aetna, Inc., Case No. 2:17-CV-3864-JS (United States District Court for the Eastern District of Pennsylvania, 2018)
