The time it takes for firms to go out of business due to cyber attack is decreasing. In 2000 it took ten years, in 2017 it took just eight months. In fact, since 2010 the cyber attack ‘time to Terminal Impact’ (bankruptcy) has pretty much halved every two years in a twisted inversion of Moore’s Law.
The cyber security industry likes to pin this impact on the evolution of ‘the threat’, but in reality there’s a lot more to it. It’s true that the threat is evolving, continually and rapidly, but this simply keeps it capable of overcoming whatever preventative controls are in place at the time. As such, the threat generally evolves to stay ‘good enough to effect a breach’ and although there are exceptions, at a macro level it can be considered a relative constant.
What are not relative constants, and what are the primary causes of the decrease in time to terminal impact, are the ways in which we do business and communicate. Across every industry the drive to be digital, agile, and data-led has enabled our economies and companies to unlock huge productivity and innovation gains. However, these gains come with a hidden cost, as it has become:
- Quicker for industry to gain value from stolen IP
- Easier for customers to switch and go elsewhere
- Quicker for news to travel
- Faster to perform financial transactions
The following examples are among the only cyber-related bankruptcies in firms of a significant size (worth over $100m or with $100m in assets at the time of the breach). Their stories are indicative of an acceleration towards terminal impact.
Nortel Networks (10 years to Terminal Impact)
In the year 2000, Nortel Networks had an annual revenue of $30 billion. One of the world’s largest technology companies, Nortel won $40 of every $100 spent on telecoms and networking in the US, and had a vast global footprint. In 2004 it was discovered that some computers were sending regular data transmissions to China, although the extent of the breach was only mapped out in 2009. Further investigation revealed that Nortel had undergone systematic and continuous data exfiltration over a 10-year period. This led to a complete loss of competitive advantage, with IP, R&D and business planning data accessed and removed.
Despite the hack being traced to China, Beijing denies involvement with the attack and has never been formally implicated. However, in clear contrast to Nortel’s fate it is perhaps worth touching on Huawei’s meteoric rise from small reseller in 1990 with little IP, to achieving annual telecom and networking revenues of $22 billion in 2009 – with 75% of its sales in Nortel’s traditional strongholds.
Breached in 2000, Nortel hit terminal impact through filing for bankruptcy in 2009.
SolarWorld (5 years to Terminal Impact)
Once the world’s leading supplier of solar panels, SolarWorld were primed in 2012 to take advantage of the green energy revolution through heavy investments in research, development and the solar manufacturing process. It didn’t quite turn out that way, with the firm filing for bankruptcy in 2017, five years after they were hacked by Chinese attack group APT1. The US Justice Department indictment states that IP, the manufacturing process and key financial data were stolen in order to:
- a) replicate the SolarWorld technology, and
- b) determine the length of time it would take for SolarWorld to go out of business if the market was flooded with cheap replicas
We know now how long that was – five years. In that time, China has become the world’s pre-eminent solar manufacturer and energy producer, smashing its own 2020 targets in 2017 – the same year SolarWorld went bankrupt.
Mossack Fonseca (2.5 years to Terminal Impact)
In 2016, Mossack Fonseca represented 300,000 companies, and with 600 staff in 42 countries were the world’s fourth largest offshore legal specialist. Due to the nature of its work in handling high-net-worth transactions and tax efficient schemes, clients relied on it for confidentiality and complete discretion. As such, its reputation was everything, and could be considered to be its most critical asset. The Mossack Fonseca breach was effected in 2015 by an unknown threat actor, motivated by exposing the work the firm carried out on behalf of its high-net-worth clients. 11 million files were exfiltrated and then passed to an investigative journalist consortium.
In 2016 that asset – reputation – was shattered forever; the ‘Panama Papers’ were published detailing client data with full disclosure as to who was moving what money, and where – causing a media storm that quickly went global. The nature of the story and the persistence which it carried online and in print and broadcast meant that terminal impact was relatively swift. While it didn’t go bankrupt, Mossack Fonseca has undergone near-complete client loss leading to a series of office closures, with its last 50 staff leaving in March 2018 as the business was wound up.
Youbit (8 months to Terminal Impact)
In April 2017, South Korean cryptocurrency exchange Youbit was hacked, with 17% of its clients’ digital money stolen in a heist worth $73 million. South Korean intelligence blamed North Korea for the breach, in line with other cyber attacks carried out in search of immediate currency to support its nuclear programme in the face of extreme sanctions. Later that same year, in December, Youbit declared bankruptcy – the direct financial impact of the theft, combined with extensive reputational damage, proved an impossible environment in which to do business.
In summary, the message from these attacks is clear. The time to Terminal Impact is demonstrably shortening – firms that go out of business because of a cyber attack are feeling the effects faster than ever before – but not solely due to changes in the ‘threat’. In an evolving world where the drive to digital is relentless, where industry is increasingly quick to adapt to new technologies, and where news reaches billions of consumers in hours, we will see the Terminal Impact of cyber attacks continue to edge closer.
In light of this, all firms can hope for is that when their preventative controls are overcome, breaches are detected and contained prior to attacker objectives being achieved. Otherwise it could mean ‘lights out’ before the year is out.