Cyber crime costs Dutch organisations 10 billion euros each year
A unique analysis of cyber risks provides detailed insight into the potential losses within each sector
Through data analysis, Deloitte has detailed and quantified the risk of losses from cyber attacks within the Netherlands for the first time. Deloitte has estimated that, annually, the total cyber-crime losses confronting the largest Dutch corporations and government could amount to 10 billion euros. However, given a worst case scenario, an individual organisation could experience losses up to eighteen times higher than the losses they might expect. These were the conclusions of the data analysis Cyber Value-at-Risk in The Netherlands, which Deloitte published prior to the International NCSC One Conference in The Hague.
4 April 2016
The analysis shone light on both the average impact of cyber risks and the total Cyber Value-at-Risk: that is the losses that worst-case cyber incidents could cause the Dutch government, as well as Dutch business and industry. “The purpose of the research is to provide organisations with insight into the risk of losses due to cyber incidents. The 10 billion euros, estimated as the value-at-risk, has to be seen in the context of the ‘costs of doing business’ in our digitalised society. And, while this digitalisation has brought about significant prosperity, it is, unfortunately, inextricably linked to cyber crime. Despite that, cyber crime is manageable. On the basis of our data analysis, organisations will be better placed to make decisions about the further development of their digitalisation without running too many cyber-crime-related risks,” explained to Maarten van Wieren, a Deloitte cyber security expert.
' Cyber Value at Risk in The Netherlands'
Cyber risks within different sectors in the Netherlands
The study concentrated on the Netherlands’ most relevant economic sectors. The data analysis demonstrated that, within the context of cyber threats, the following four sectors currently face the highest risks relative to their size: the public sector (expected annual losses totalling 2.4 billion euros), the technology & electronics sector (1.1 billion euros), the banking sector (360 million euros) and the defence and aerospace sector (415 million euros).
Various types of cyber threats
The point of departure of the study was the various ways in which information was misused or abused by different cyber attackers. It illustrated that a high risk of losses (around 40%) ensues from any disruptions of operational continuity. These are due to targeted attacks by parties intent on disruption as well as to the associated consequences of widely aimed cyber crime. This impacts almost all organisations. Another cause of significant losses (also about 40%) ensues from the loss of intellectual property, strategic information and the control integrity of products and services. The latter accounts for a large volume of the losses experienced by the public sector, the technology & electronics sector and the defence and aerospace sector. Currently, the vast volume of confidential information which banks retain about their customers poses their highest risk, while their risk of losing cash is relatively small.
Analyses have demonstrated that, in general, the larger the organisation the more mature the organisation’s cyber security policy. Previous experiences with cyber threats also play an important role. Consequently, banks, the oil, gas and chemical industries, the defence and aerospace sector, as well as some central government departments all appear to have a relatively well-developed cyber security policy. “Data shows that while a sector faces a high threat in total, the impact of cyber incidents can be substantially reduced by using good cyber defence. As it is virtually impossible to avoid cyber incidents entirely, it is essential to limit the negative impact through good detection and rapid reaction,” stated Maarten van Wieren.
“It is important to be aware that what matters is not whether you are hacked, but what you do if you are hacked. For this reason, cyber risks should be given a separate place in your operational risk framework. By demonstrating you’re in control of your data, you’ll gain trust and, in turn, trust can lead to added value,” explained Dick Berlijn, a Senior Board Advisor at Deloitte.
About the analysis
In 2011, the World Economic Forum (WEF) introduced the initiative ‘Risk & Responsibility in a Hyper-connected World’. At the start of 2015, Deloitte - together with the WEF and input from more than a hundred international experts, business and political leaders in the field of cyber security - published a report about Cyber Risk Quantification, in which the concept of Cyber Value-at-Risk was introduced for the first time.
Given the significance of cyber security to our society, Deloitte decided to develop this concept further. This model was, therefore, used as a basis to determine the quantitative impact of cyber risks on organisations within the most relevant sectors in the Netherlands. On the basis of this impact report, Dutch executive teams and boards of directors will be better placed to decide which cyber-security investments their organisations need, or do not need, to make. The data analysis was conducted within Deloitte’s State of the State programme.
About State of the State
This is an up-to-date data analysis of the Netherlands, intended to provide policy makers and organisations with useful insights into social issues such as safety and cyber security. To this end, Deloitte combined and analysed open data for the third year in succession. These new insights can be referred to on: www.stateofthestate.nl.