This post was originally published October 31, 2016 and has been updated for accuracy and comprehensiveness
A recent study by Radware and Merrill Research found that the average cost of a data breach has spiked significantly, increasing from $3 million per incident in 2018 to $4.6 million in the first half of 2019 alone.
There are countless factors that could affect the cost of a data breach in your organization, and it’s virtually impossible to predict the exact price tag. You might be able to estimate a range with the help of a data breach calculator, but no single tool is perfect.
“Yes” or “no” questions won’t help you better understand your cybersecurity posture—but actionable metrics will.
Calculating The Cost Of A Data Breach: Factors You Should Keep In Mind
Several factors come into play when determining the precise data breach costs that organizations may incur. Understanding these costs and how and why they arise can help you better understand cyber risk and put in place the appropriate cybersecurity controls and best practices to mitigate a breach and the associated financial impacts.
1. Location, Type of Currency, and Company Size
Even simple things like exchange rates of the currency your business predominantly uses can impact the cost of a cybersecurity breach. If you’re a small shop that deals with limited (or no) customer data, the cost of a data breach may be significantly lower than what a larger corporation may experience.
2. Industry and Type of Data or Records Held
The type of data lost in a breach is one of the largest contributing factors to the cost of a data breach.
The loss of email addresses may not involve as big of a payout as the loss of personally identifiable information (PII), sensitive customer data (like social security numbers), payment card information, private health information (PHI), etc. The more sensitive the record is, the more costly the breach will be. For example, if you lose payment card information, you may need to offer free credit monitoring to those affected. Or, if you’ve compromised customer health data, you may be subject to regulatory fines from governmental agencies.
3. The Root Cause of the Breach
The root cause of a breach can certainly influence the number or type of records lost, which correlates to the cost of a data breach. For example, was the breach caused by a third-party? In a recent study, the Ponemon Institute found that “breaches involving third-party organizations remained the most costly.” Reducing your third-party cyber risk through continuous monitoring can help offset these potential costs.
See Also: The 4 Most Important Vendor Risk Management Principles For Security Managers
4. Operational Costs
If you’re breached, this could slow, disrupt, or completely halt your operations. For example, if you’re a retail business, it could mean a loss in sales. If you’re a service business, it could mean the loss of the ability to provide customer support.
5. Breach Aftermath
If a company suffers a data breach that is the result of poor security practices, it may want to double down on its security investments—which will come at a cost. Some hardware or software may require replacement or security upgrades post-breach. And some organizations may realize they are understaffed with security professionals and need to hire a new IT professional, CIO, or CISO.
6. Investigation Costs
If you need to bring in a third-party to investigate your data breach—or even the FBI—these services will cost you up to six or seven figures, depending on the size of the attack.
7. Public Disclosure
If people are no longer willing to use your services or purchase your product after a large data breach, your bottom line, stock price, and company reputation could be at stake.
8. Class-Action Lawsuits
If you experience a class-action lawsuit as the result of a cyber-attack, the data breach cost will clearly be driven up. It also means that the breach that occurred was significant, typically involving the compromise of many records with critical customer impacts.
9. Sales or Mergers
The cost here could simply be the value of the business itself if you’re in the process of an M&A deal. For example, after the massive 2016 Yahoo breach, the value of the company went into flux and Verizon renegotiated its deal to purchase the company for millions under the original asking price.
See Also: Takeaways From Yahoo’s 500-Million-Account Breach
Calculating Data Breach Cost: The Bottom Line
As you’ve likely heard before, no data breach is completely preventable. But, in addition to having a good security posture, there are a few things that can reduce your costs should a breach occur.
Cyber insurance—which can cover some cost of an information security breach—is a worthwhile investment given the scope of cyber risk. However, cyber insurance is not a catch-all. Organizations still need to be proactive in their approach to security, less insurance fails to adequately cover their risk exposure and data breach costs. Organizations must show the insurers, the Board, and other stakeholders that they’re serious about security by implementing a prolonged and proactive approach to cyber risk management.