How much does a data breach cost? Here's where the money goes.

Deloitte finds “hidden” costs can amount to 90 percent of the total business impact on an organization, and will most likely be experienced two years or more after the event.

Few would dispute that cyberattacks are increasing in frequency and in intensity, and most organizations confirm they have now suffered at least one cyber incident. But do those organizations have a true sense of the full impact on the organization? After all, the direct costs commonly associated with a data breach are far less significant than the “hidden costs” incurred.

Indeed, the “hidden” costs can amount to 90 percent of the total business impact on an organization, and will most likely be experienced two years or more after the event. These are among the findings of a recent study by Deloitte Advisory entitled, “Beneath the Surface of a Cyberattack: A Deeper Look at the Business Impacts.”

Deloitte identifies 14 business impacts of a cyberattack, categorized as either “above the surface” (well-known incident costs) or “below the surface” (hidden or less visible costs). There are seven impacts in each category.

But Deloitte believes the current market valuation of cyber incidents is greatly underestimated, since the public focuses on the above-the-surface impacts, which make up the far smaller percentage.

“Executives have difficulty gauging potential impact partly because they are not typically privy to what their peers struggle with as they work to get their businesses back on their feet,” notes Emily Mossburg, a principal with Deloitte & Touche LLP and resilient practice leader for Deloitte Advisory cyber risk services. “An accurate picture of cyberattack impact has been lacking, and therefore companies are not developing the risk postures that they need.”

“Much of the conversation has been focused on what vulnerabilities exist and the technology impact,” Mossburg continues. “The focus seems to be focused very narrowly on the breach notification element and the post-breach protection mechanisms that need to be in place, but the broad impact seemed to be ignored.”

Deloitte analysts set out to get the broader picture of a cyberattack.
