When it comes to cyber attacks, inaction is equal to the powerof evil intent: according to the Ponemon Institute, negligencecauses 39 percent, and criminal attacks cause 37 percent, of alldata breaches.

On the other hand, organizational readiness to tackle emergingcyber risks is paying off. While the cost of a data breach tocompanies increased by about 7 percent from 2008 to 2010, itdecreased by 24 percent—from $7.2 million to $5.5 million—from 2010to 2011. Damages include lost business, diminished customer trustand resources put towards credit report monitoring.

"Companies have improved steps taken in both preparing for andresponding to a data breach," writes Robert Hartwig, economist andpresident of the Insurance Information Institute (I.I.I.).

Malicious code is involved in 26 percent of all cyber attacks,followed by denial-of-service attacks, information gleaned fromstolen devices, and malicious insider activity.

The expensive repercussions of these attacks include informationloss (44 percent of associated costs), business interruption (30percent of costs) and loss of revenue (19 percent of losses).

The number of data breaches, and their correlation to exposedrecords, is more difficult to pinpoint as the reported figuresfluctuate from year to year. According to the Identity TheftResource Center, there were 157 breaches in 2005 that caused theexposure of 66.9 million pieces of information. Jumping forward to2008, 656 breaches exposed 35.7 million records. But in 2009, therewere 447 breaches and only 17.3 million data exposures.

The center notes that while data-breach incidences have stayedabove 400 since 2010, there were only 16.2 million, 22.9 million,and 17.3 million record exposures each year from 2010-2012,respectively.

This should not be taken as a sign to relax, writes Hartwig, whonotes that former U.S.  Homeland Security Secretary JanetNapolitano "recently warned that a major cyber attack is a loomingthreat that could have the same type of impact as Superstorm Sandy,knocking out power to a large swath of the Northeast," with water,electricity and gas especially exposed to infrastructuredamage. 

Hartwig also says the reported numbers themselves mightnot beentirely accurate. He says as federal agencies like theSEC begin to require disclosure for public companies on cyberattacks, the number of reports will increase. "I think thatreporting of cyber attacks is erratic and still in its infancy andso there's no consistency in the numbers," he says. "Many companiesand government agencies simply do not disclose attacks for fear ofspooking customers, investors and other constituents."

Hartwig adds, "While it's absolutely true that there have beenlarge investments and improvements in cyber security that continueto thwart the majority of attacks, would-be cyber assailants do notsit by idly. Rather, their techniques and technology continue toevolve at a rapid pace.  We need also be concerned aboutthe threat of cyber terrorism and state-sponsored cyber attacks(e.g., China, Syria)."

The majority of the 447 data breaches reported in 2012 affectedbusinesses (37 percent) and medical and healthcare companies (34.5percent), far outpacing attacks on military and banking operations.The I.I.I. says LinkedIn, eHarmony, Zappos and Yahoo allexperienced major public breaches last year. 

However, when systemically important organizations get hit, theyget hit hard: the government and military led all other sectors innumber of records lost last year (7.7 million records, or 44.4percent of all data lost to cyber attacks). 

Thefts on banking and financial institutions still lagged behindin all categories, accounting for 3.8 percent of all breaches and2.7 percent of records exposed in 2012. A March 2013 attack onSouth Korean banks and media companies paralyzed money machinesacross the country, and last year, card processor Global Paymentslost 1.5 million cardholder payment card numbers.

Despite the rising costs and media attention given to cyberattacks in recent years, Harvard Business Review Analytic Servicesreports that less than 20 percent of all companies purchase cyberrisk insurance to cover their costs in case of loss.