Richard Bird · Author of Built Wrong: Why Cybersecurity Has Failed and How We Can Rebuild It
Track the index. First word on the book.
Index updates and Built Wrong launch news. No list sharing.
LiveS&P 5007,266.99▾1.62%DOW49,918.78▾1.87%NASDAQ25,169.50▾1.98%10 JUN 2026 · CLOSE
The index
What $100 became · 2014 → 2024
Measured as a return, cybercrime loss has outpaced the S&P 500 by more than five to one.
$100→$2,074
in cybercrime loss (IC3) · compounding 35.4% a year
$100→$389
in the S&P 500 · total return, $293 after inflation
5.3×cybercrime loss outgrew the market over the decade, measured nominal against nominal
Forthcoming · the book behind the index
Built Wrong
Why Cybersecurity Has Failed and How We Can Rebuild It
This index is one number from a larger argument: that cybersecurity’s failure is
structural, not technical. The book makes the case in full.
Coming soon
The instruments, side by side
Every line here is a measurement, not a forecast.
Two measures of annual cybercrime loss on one log scale, the only way
figures this far apart can share an axis. The government series (IC3) is a continuous annual reading
from 2014 to 2025, with deep anchors at 2001 and 2005. The commercial series (Chainalysis ransom
payments) is shown as attributed anchor points and is revised every year.
IC3 reported losses / US complaints / Verified
Chainalysis ransom payments / on-chain / revised
On the trillion-dollar number: the $10.5 trillion often quoted for global cybercrime is a
forward projection from Cybersecurity Ventures, compounded from a 2015 base whose methodology is not
disclosed. Because it is assumed rather than measured, it is excluded from the chart and the ledger,
and noted only here.
On 2010: the IC3 line skips 2010. The FBI’s own retrospective plots that year near $1.0B
while its contemporaneous 2010 report recorded $485M. The two cannot both be right, so we leave the
point out rather than choose.
Secondary exhibit · base-sensitive
Stretch the same comparison across the entire 2001 to 2025 record, against a market window that
contains both the dot-com crash and 2008, and the gap does not narrow. Reported cybercrime loss
compounded at 34% a year; the S&P 500 returned about 7.4% a year with dividends reinvested.
Compounded over the quarter century, $100 of cybercrime loss reaches roughly $117,000, while
$100 in the market reaches under $600. The ratio runs past 200 times.
This exhibit rests on IC3’s first-year 2001 base, which was small and unrepresentative, so we
hold it as directional rather than canonical. The headline index stays anchored at 2014 to 2024,
where both endpoints are verified to the dollar and the multiple is 5.3x.
The source ledger
FBI IC3
$20.9BLATEST · 2025
Counts
Losses from internet-crime complaints filed by US victims.
Excludes
Crime never reported; non-US victims; the great majority of incidents, where no complaint is filed.
Growth
34%/yr across 24 years (2001–2025)
VVerifiedAnnual, full series
Chainalysis
$0.82BLATEST · 2025
Counts
Cryptocurrency payments to ransomware actors, traced on-chain.
Excludes
Recovery and downtime costs; untraced channels; anything that is not a ransom payment.
Growth
Volatile. Peaked $1.23B in 2023, fell since.
VVerifiedAnnual, revised · anchors
IBM / Ponemon
$4.44MLATEST · 2025
Counts
Modeled average cost of a single data breach across ~600 organizations.
Excludes
Aggregate national or global totals. A per-event average, not a sum.
Growth
~2%/yr since 2014, and it fell 9% in 2025.
AAttestedAnnual · anchors
The incident ledger · live
38material incidents logged · 2026 year to date
26 Verified · 8 Attested · 4 Inferred
A running count of disclosed events, never a sum of their dollar figures. The figures are graded
differently, most disclosures carry no figure at all, and a curated feed is not a census, so any
total would be a total of nothing definable. See the rule below.
West Pharmaceutical ServicesMay 2026
Material attack. Data exfiltrated, systems encrypted, global operations disrupted.
SEC 8-K, Item 1.05
Not yet quantified
VVerified
Stryker CorpMar 2026
Material incident disclosed; operations since restored. Cost disclosure pending.
SEC 8-K, Item 1.05
Not yet quantified
VVerified
CB Financial ServicesMay 2026
Determined material. Customer names, Social Security numbers and dates of birth disclosed.
SEC 8-K, Item 1.05
Not yet quantified
VVerified
Marks & SpencerApr 2025
Ransomware. Company stated an operating-profit impact of roughly £300M in its results.
Company results statement
~$400M
AAttested
Jaguar Land RoverSep 2025
Production-halting attack. ~$2.5B economic damage, per an external monitoring-centre model.
Third-party estimate
~$2.5B
IInferred
The line that didn’t explode
Cost per breach barely moved.
Across more than a decade, while aggregate reported losses compounded at double digits, the modeled
cost of a single breach grew about 2% a year and then fell 9% in 2025.
If the per-event price is roughly flat while the total keeps climbing, the growth is in volume and
attack surface, not in severity. That is a finding the headline trillion-dollar number hides.
IBM’s figure is per breach, shown for shape only, never added to the aggregate lines.
THE RULE
These lines are never summed. They measure different victims, different crimes, and different units,
with heavy overlap in some places and blind spots in others. Adding them would manufacture exactly the
kind of unsourced total this index exists to refuse. The index keeps the instruments apart and shows its work.