The drivers of cyber risk

Cyber incidents are becoming more sophisticated and their costs difficult to quantify. Using a unique database of cyber events across sectors in the US, we document the characteristics and drivers of cyber incidents. Cyber costs are higher for larger firms and for incidents that impact several organisations simultaneously. Events with malicious intent (i.e. cyber attacks) tend to be less costly, unless they are on the upper tail of the loss distribution. The financial sector is exposed to a larger number of cyber attacks but suffers lower costs, on average. The use of cloud services is associated with lower costs, especially when cyber incidents are relatively small. As cloud providers become systemically important, cloud dependence is likely to increase tail risks. Finally, we document that higher expenditure on IT is associated with future reduced costs from cyber incidents