The cost of a data breach is not easy to define, but as more organizations fall victim to attacks and exposures, the potential financial repercussions are becoming clearer. For modern businesses of all shapes and sizes, the monetary impact of suffering a data breach is substantial. IBM’s latest Cost of a Data Breach report discovered that, in 2022, the average cost of a data breach globally reached an all-time high of $4.35 million. This figure represents a 2.6% increase from the previous year and a 12.7% rise from 2020.
Factors such as incident type and severity, regulatory standards, company size, sector, and region can significantly affect how much a data breach could cost a business, but all organizations must carefully assess and prepare for the monetary hits that could be just around the corner should they fall victim. Some are potentially far more damaging (and less obvious) than others.
Factors that impact data breach costs
IBM’s 2022 report cited several contributing components that affect data breach costs. For example, the average data breach in healthcare increased by nearly $1 million in 2022 to reach $10.10 million, the most expensive for any industry, while financial organizations recorded the second highest costs, averaging $5.97 million. The average cost of a data breach for critical infrastructure organizations generally was $4.82 million — $1 million more than the average cost for organizations in other industries. The top five countries and regions for the highest average cost of a data breach were the U.S. at $9.44 million, the Middle East at $7.46 million, Canada at $5.64 million, the UK at $5.05 million and Germany at $4.85 million.
In terms of security technology and preparedness, breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at organizations with no security AI and automation deployed. This 65.2% difference represented the largest cost savings in the study. Organizations that do not employ a zero-trust approach to security typically pay an average of $1 million more in breach costs compared to those that do, while businesses with an incident response team that tests its response plan saw an average of $2.66 million lower breach costs than organizations with neither an IR team nor a tested plan.
When remote working was a factor in causing a breach, costs were an average of almost $1 million greater than in breaches where remote working wasn’t a factor, IBM’s report found. Meanwhile, the average cost of a phishing attack in 2022 was calculated to be $4.91 million compared to $4.54 million for ransomware and $4.50 million for stolen or compromised credentials.
Reputational damage still one of the biggest costs of a data breach
It’s an old cliché, but you really can’t put a dollar figure on customer trust, and a damaged reputation remains one of the most significant data breach costs for organizations in 2022, experts agree. “Ultimately, customer trust is very easy to break, and very difficult to build,” Allie Mellen, senior analyst at Forrester, tells CSO.
Bob Dutile, chief commercial officer at UST, agrees. “The first and foremost concern is reputational impact, and the cost of a data breach is typically realized in relative competitive change in the marketplace,” he says. “Companies find that their brand does not command the same price premium, customer conversion costs are higher, and market share is lost. For a public company, the near-term assessment of the cost impact is reflected in stock price movement.”
Excluding the largest breaches and smallest ransomware attacks, Dutile says research shows that $8 to $10 million is a good planning number in the U.S. for a medium-sized business facing a modest breach of under 250,000 records, and about one-third of this cost will be felt through the loss of business because of a damaged reputation.
“One particular cost that continues to have a major impact on victim organizations is theft/loss of intellectual property,” Glenn J. Nick, associate director at Guidehouse, tells CSO. “The media tends to focus on customer data during a breach, but losing intellectual property can devastate a company’s growth,” he says. “Stolen patents, engineering designs, trade secrets, copyrights, investment plans, and other proprietary and confidential information can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company.”
It’s important to note that how a company responds to and communicates a breach can have a large bearing on the reputational impact, along with the financial fallout that follows, Mellen says. “Understanding how to maintain trust with your consumers and customers is really, really critical here,” she adds. “There are ways to do this, especially around building transparency and using empathy, which can make a huge difference in how your customers perceive you after a breach. If you try to sweep it under the rug or hide it, then that will truly affect their trust in you far more than the breach alone.”
Severe business downtime can cost orgs millions
Business downtime can be significantly costly for a breached organization, depending on the level and extent of the downtime and how technology-dependent the firm is, Coalfire’s Field CISO Jason Hicks tells CSO. “Often a breach is not going to take a company completely offline, but it can happen. The more critical systems that are taken down, the more significant the cost.”
Manufacturing tends to have the best metrics around this, as it’s relatively simple to measure the cost per minute if an assembly line is down, Hicks says. “This can translate into millions of dollars a day for a large manufacturing company. This can be more nebulous for other industry verticals, but there are models to get a reasonable feel that can be applied to each vertical.”
Regulation and litigation add to data breach costs
Increasingly strict data protection and privacy laws, along with litigation, are seeing a growing number of companies issued large fines, paying hefty settlements, and stumping up for legal fees following data breaches and non-compliance. This has played out several times this year. Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after it decided the company violated the nation’s network security, data security, and personal information protection laws.
Meanwhile, Amazon was penalized $877 million for breaches of GDPR cookie rules, T-Mobile agreed to pay $350 million to settle a consolidated class action lawsuit following a data breach from early 2021, and Google agreed to pay $60 million in penalties for misleading Australian users about obtaining location data.
IBM’s 2022 report found that, in highly regulated industries, an average of 24% of data breach costs were accrued more than two years after the breach occurred. Whether it’s being penalized under data protection regulations, settling class action claims brought about by an individual or a group, or shelling out for legal representation/general counsel, the reality is that all businesses should plan for potential regulatory and litigation expenditure surrounding data breaches.
“Regulated industries suffer not only the immediate cost of responding to, containing, and remediating vulnerabilities, but also the long-term effects of additional penalties from their regulatory bodies and legal settlements,” Nick says. Highly regulated industries, such as healthcare and financial services, typically rank first and second in cost per breach because they pay more non-compliance fines than others, he adds.
“Investigation and adjudication often take years for the victim organization to reach a monetary settlement with affected parties.” Legal costs are one of the largest expenditures organizations face in data breaches, Nick states. “Organizations rarely have the legal and privacy expertise in-house. To ensure compliance, they must hire outside counsel to lead their reporting.”
Rising cyber insurance prices leave orgs struggling to afford cover
While data breach costs associated with damaged reputation, business downtime, and regulation/litigation remain significant, they are nothing new. A more recent trend is a sharp increase in the costs of cyber insurance premiums due to the frequency and severity of breaches, along with hefty ransomware payments.
According to new research from Huntsman Security, the number of organizations unable to afford adequate cyber insurance cover is expected to double in 2023. This is a result of insurers increasing premium prices to better reflect the risks organizations face. “Some organizations have reported post-breach increases in premiums of approximately 200%,” Nick says.
Along with making premiums more expensive, insurers are also implementing more coverage limitations, meaning that even with a policy in place, businesses could find themselves financially responsible for certain breach-related costs. This means, in addition to pricier premiums, companies also need to plan funding to cover any limitations or exemptions written into policies.
Mellen tells CSO the cyber insurance landscape is still evolving, but any notion that policies will allow organizations to fully recover financially from a cyberattack is folly. “In reality, it’s not going to cover all of the costs associated with any type of cyberattack, and we see some insurance firms not even covering ransomware at this point as part of their payouts,” she adds.
Another factor to consider is that cyber insurance providers typically now have a list of approved service providers like lawyers and forensics firms, Hicks says. “If your preferred provider is not on their list, you may have to work with them to get them included, or potentially have to change providers. This can be costly, as firms are often leveraging their existing service providers to secure the maximum discounts based on the volume of work done with the partners. Also, if for some reason you can’t get them added, you could end up having to pay the costs directly versus having your insurance cover it.”
Organizations increasingly open to paying large ransoms
On the topic of ransomware, evidence suggests that companies are increasingly open to paying ransoms as part of their breach response, even setting aside millions of dollars for this purpose. “One of the first questions that I often get is, should we set up a Bitcoin wallet to prepare for having to pay ransom?” Mellen tells CSO. “At the end of the day, a ransomware attack can be an existential event for a company if their backups are not in a secure place or are not up to date, so they 100% do prepare for the reality of having to pay the ransom.”
Ultimately, the threat actors are looking to determine an amount that you are able to pay while continuing to operate your business. New data from Proofpoint found that 82% of UK businesses affected by ransomware chose to pay the ransom, while the UK’s National Cyber Security Centre (NCSC) and data protection regulator the Information Commissioner’s Office (ICO) recently issued a joint letter to the Law Society urging lawyers to warn their clients against paying cybercrime ransoms following a noted rise in ransomware payments.
“It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case,” the NCSC/ICO wrote, suggesting that paying up could leave a breached company even more out of pocket than if it does not. Payment does not guarantee decryption of networks or return of stolen data, nor does it lessen potential regulatory fallout, they added.
Businesses can expect a ransom demand to be in the six figures or millions, depending on how big the company is, says Hicks, but research indicates that ransoms and payments are steadily rising. Palo Alto Networks’ Unit 42 2022 Ransomware Threat Report found that the average ransom demand in 2021 was approximately $2.2 million, a 144% increase from the average demand of $900,000 in 2020, while the average payment in cases worked by Unit 42 consultants climbed to $541,010, which is 78% higher than the previous year.
Insufficient security staffing leads to higher data breach costs
According to IBM’s 2022 report, 62% of the 550 breach-suffering organizations studied stated they are not sufficiently staffed to meet their security needs, averaging $550,000 more in breach costs than those that are. If insufficient security staff equates to greater data breach costs, organizations should heed Mellen’s warning about the impact a poorly handled data breach can have on employees. “If they don’t feel like the organization is able to protect them or customers in the event of a breach, or that they blame their employees for a breach, then they’re likely going to start looking for jobs elsewhere, because it creates a bit of a hostile environment for them,” she says.
Mellen cites the example of “blaming the intern” for a data breach incident, which is a sure-fire way to make people feel unsafe in their roles and like they are one step away from being used as the scapegoat, which could force them out the door. This not only leaves a business short of resources, but it also means they will need to fork out the costs involved in recruiting and onboarding new staff. “It is very important for organizations to recognize that they need to accept responsibility and protect both their employees and their customers,” Mellen adds.
Preparedness key to managing data breach costs
No matter the specific costs involved, experts agree that, ultimately, preparedness is key to managing the monetary repercussions of a data breach. “Faster incident response continues to be a clear driver for lowering the cost of a breach,” Dutile says. “The worst losses are those that go undetected for an extended time or have a slow or ineffective response.”
Modern cybersecurity requires a post-breach mindset that accepts that, eventually, a successful data breach is going to occur, Mellen adds. “Operating under those conditions, you need to figure out how you’re going to handle that and build your resiliency to respond better and faster. This isn’t just about the security function either, and it needs to be spread across an organization, considering what marketing is going to do, what sales is going to do, etc. – how, as a business, you can demonstrate you value your customers and that you want to make it right as quickly and effectively as possible.”
Copyright © 2022 IDG Communications, Inc.