• United States



UK Editor

What is the cost of a data breach?

Jul 31, 202313 mins
Data BreachSecurity

The cost of a data breach is not easy to define, but as more and more organizations fall victim to attacks and exposures, the financial repercussions are becoming clearer.

Digitization of United States currency  >   Digital transactions
Credit: Dem10 / Getty Images

For modern businesses of all shapes and sizes, the monetary impact of suffering a data breach is substantial. IBM's latest Cost of a Data Breach report discovered that, in 2023, the average cost of a data breach globally reached an all-time high of $4.45 million. This figure represents a 2.3% increase from the previous year and a 15.3% rise from 2020.

Factors such as incident type and severity, regulatory standards, company size, sector, and region can significantly affect how much a data breach could costs a business, but all organizations must carefully assess and prepare for the monetary hits that could be just around the corner should they fall victim. Some are potentially far more damaging (and less obvious) than others.

Factors that impact data breach costs

IBM's 2023 report cited several contributing components that affect data breach costs. For example, the average data breach in healthcare increased in 2023 to reach $10.93 million, the most expensive for any industry, while financial organizations recorded the second highest costs, averaging $5.90 million (down slightly from last year).

The average cost of a data breach for pharmaceutical organizations, in general, was $4.82 million. The top five countries and regions for the highest average cost of a data breach were: the US at $9.48 million, the Middle East at $8.07 million, Canada at $5.13 million, Germany at $4.67 million, and Japan at $4.52 million. The UK saw a significant drop in average cost at $4.21 million -- down 16.6% from last year -- placing just outside of the top five.

The 2023 research also showed that excluding law enforcement from ransomware incidents led to higher costs. While 63% of respondents said they sought the involvement of law enforcement, the 37% that didn't paid 9.6% more and experienced a breach lifecycle 33 days longer. Furthermore, security AI and automation were shown to be important investments for reducing costs and minimizing time to identify and contain breaches. Organizations that used these capabilities extensively within their approach experienced, on average, a 108-day shorter time to identify and contain a breach. They also reported $1.76 million lower data breach costs compared to organizations that didn't use security AI and automation capabilities.

Attacks that saw threat actors gain access to multiple cloud environments incurred a higher-than-average cost of $4.75 million, while organizations that reported low or no security system complexity experienced an average data breach cost of $3.84 million in 2023. Incident response (IR) planning and testing emerged as a highly effective tactic for containing the cost of a data breach. Organizations with high levels of IR planning and testing saved $1.49 million compared to those with low levels, the report said. Moreover, DevSecOps and employee training were the most effective data breach cost mitigators this year, saving organizations an average of $249,278 and $232,867 respectively, according to the report.

In 2023, organizations with more than 5,000 employees saw the average cost of a data breach decrease compared to 2022. In contrast, those with 5,000 or fewer employees saw considerable increases in the average cost of a data breach. Organizations with fewer than 500 employees reported that the average impact of a data breach increased by 13.4% from $2.92 million to $3.31 million. Those with 500--1,000 employees saw an increase of 21.4%, from $2.71 million to $3.29 million. In the 1,001--5,000 employee range, the average cost of a data breach increased from $4.06 million to $4.87 million, rising nearly 20%.

Reputational damage is still one of the biggest costs of a data breach

It's an old clich?, but you really can't put a dollar on customer trust, and a damaged reputation remains one of the most significant data breach costs for organizations, experts agree. "Ultimately, customer trust is very easy to break, and very difficult to build," Allie Mellen, senior analyst at Forrester, tells CSO.

Bob Dutile, chief commercial officer at UST, agrees. "The first and foremost concern is reputational impact, and the cost of a data breach is typically realized in relative competitive change in the marketplace," he says. "Companies find that their brand does not command the same price premium, customer conversion costs are higher, and market share is lost. For a public company, the near-term assessment of the cost impact is reflected in stock price movement."

Excluding the largest breaches and smallest ransomware attacks, Dutile says research shows that between $8 million and $10 million is a good planning number in the US for a medium-sized business facing a modest breach of under 250,000 records, and about one-third of this cost will be felt through the loss of business because of a damaged reputation.

"One particular cost that continues to have a major impact on victim organizations is theft/loss of intellectual property," Glenn J. Nick, associate director at Guidehouse, tells CSO. "The media tend to focus on customer data during a breach, but losing intellectual property can devastate a company's growth," he says. "Stolen patents, engineering designs, trade secrets, copyrights, investment plans, and other proprietary and confidential information can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company."

It's important to note that how a company responds to and communicates a breach can have a large bearing on the reputational impact, along with the financial fallout that follows, Mellen says. "Understanding how to maintain trust with your consumers and customers is really, really critical here," she adds. "There are ways to do this, especially around building transparency and using empathy, which can make a huge difference in how your customers perceive you after a breach. If you try to sweep it under the rug or hide it, then that will truly affect their trust in you far more than the breach alone."

Severe business downtime can cost millions

Business downtime can be significantly costly for a breached organization, depending on the level and extent of the downtime and how technology-dependent the firm is, Coalfire's field CISO Jason Hicks tells CSO. "Often a breach is not going to take a company completely offline, but it can happen. The more critical systems that are taken down, the more significant the cost."

Manufacturing tends to have the best metrics around this, as it's relatively simple to measure the cost per minute if an assembly line is down, Hicks says. "This can translate into millions of dollars a day for a large manufacturing company. This can be more nebulous for other industry verticals, but there are models to get a reasonable feel that can be applied to each vertical."

Regulation and litigation add to data breach costs

Increasingly strict data protection and privacy laws along with litigation are seeing a growing number of companies issued large fines, paying hefty settlements, and stumping up for legal fees following data breaches and non-compliance. This has played out several times recently. Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after it decided the company violated the nation's network security, data security, and personal information protection laws.

Meanwhile, Amazon was penalized $877 million for breaches of GDPR cookie rules, T-Mobile agreed to pay $350 million to settle a consolidated class action lawsuit following a data breach from early 2021, and Google agreed to pay $60 million in penalties for misleading Australians users about obtaining location data.

IBM's 2023 report cited a difference of $1.04 million (23%) in data breach costs between high levels and low levels of noncompliance with regulations. Whether it's being penalized under data protection regulations, settling class action claims brought about by an individual or a group, or shelling out for legal representation/general counsel, the reality is that all businesses should plan for potential regulatory and litigation expenditure surrounding data breaches.

"Regulated industries suffer not only the immediate cost of responding to, containing, and remediating vulnerabilities but also the long-term effects of additional penalties from their regulatory bodies and legal settlements," Nick says. Highly regulated industries, such as healthcare and financial services, typically run one and two in order of cost per breach since they will pay more non-compliance fines than others, he adds.

"Investigation and adjudication often take years for the victim organization to reach a monetary settlement with affected parties." Legal costs are one of the largest expenditures organizations face in data breaches, Nick states. "Organizations rarely have the legal and privacy expertise in-house. To ensure compliance, they must hire outside counsel to lead their reporting."

Rising cyber insurance prices leave organizations struggling to afford cover

While data breach costs associated with damaged reputation, business downtime, and regulation/litigation remain significant, they are nothing new. A more recent trend is a sharp increase in the costs of cyber insurance premiums due to the frequency and severity of breaches, along with hefty ransomware payments.

According to research from Huntsmen Security, the number of organizations unable to afford adequate cyber insurance cover is expected to double in 2023. This is a result of insurers increasing premium prices to better reflect the risks organizations face. "Some organizations have reported post-breach increases in premiums of approximately 200%," Nick says.

Along with making premiums more expensive, insurers are also implementing more coverage limitations, meaning that even with a policy in place, businesses could find themselves financially responsible for certain breach-related costs. This means, in addition to pricier premiums, companies also need to plan funding to cover any limitations or exemptions written into policies. IBM's latest report listed insurance protection as the least common investment after a breach (18%) saving organizations an average of $196,452 in data breach costs.

Mellen tells CSO the cyber insurance landscape is still evolving but any notion that policies will allow organizations to fully recover financially from a cyberattack is folly. "In reality, it's not going to cover all of the costs associated with any type of cyberattack, and we see some insurance firms not even covering ransomware at this point as part of their payouts," she adds.

Another factor to consider is that cyber insurance providers typically now have a list of approved service providers such as lawyers and forensics firms, Hicks says. "If your preferred provider is not on their list, you may have to work with them to get them included, or potentially have to change providers. This can be costly, as firms are often leveraging their existing service providers to secure the maximum discounts based on the volume of work done with the partners. Also, if for some reason you can't get them added, you could end up having to pay the costs directly versus having your insurance cover it."

Organizations are increasingly open to paying large ransoms

On the topic of ransomware, evidence suggests that companies are increasingly open to paying ransoms as part of their breach response, even setting aside millions of dollars for this purpose. "One of the first questions that I often get is, should we set up a Bitcoin wallet to prepare for having to pay ransom?" Mellen tells CSO. "At the end of the day, a ransomware attack can be an existential event for a company if their backups are not in a secure place or are not up to date, so they 100% do prepare for the reality of having to pay the ransom."

Threat actors are ultimately looking to determine an amount a business might be prepared to pay to continue operations. Recent data from ExtraHop indicate that 83% of businesses affected by ransomware in 2022 chose to pay a ransom at least once.

IBM's 2023 report found that organizations that paid the ransom during a ransomware attack achieved only a small difference in total cost at $5.06 million compared to $5.17 million, a cost difference of just 2.2%. However, this calculation doesn't include the cost of the ransom itself, and given the high cost of most ransomware demands, organizations that paid the ransom likely ended up spending more overall than those that didn't, according to IBM. The data indicated that paying a ransom has become increasingly less advantageous overall, with an 82.5% decrease in savings from the 2022 to 2023 reports.

Insufficient security staffing leads to higher data breach costs

According to IBM's latest report, the security skills shortage is one of the biggest data breach cost amplifiers, with the average cost of a breach for organizations with high levels of security skills shortages being $5.36 million. If insufficient security staff equates to greater data breach costs, organizations should heed Mellen's warning about the impact a poorly handled data breach can have on employees. "If they don't feel like the organization is able to protect them or customers in the event of a breach, or that they blame their employees for a breach, then they're likely going to start looking for jobs elsewhere because it creates a bit of a hostile environment for them," she says.

Mellen cites the example of "blaming the intern" for a data breach incident, which is a surefire way to make people feel unsafe in their roles and like they are one step away from being used as the scapegoat, which could force them out the door. This can not only leave a business short of resources, but it also means they will need to fork out the costs involved in recruiting and onboarding new staff. "It is very important for organizations to recognize that they need to accept responsibility and protect both their employees and their customers," Mellen adds.

Preparedness is key to managing data breach costs

No matter the specific costs involved, experts agree that, ultimately, preparedness is key to managing the monetary repercussions of a data breach. "Faster incident response continues to be a clear driver for lowering the cost of a breach," Dutile says. "The worst losses are those that go undetected for an extended time or have a slow or ineffective response." Modern cybersecurity requires a post-breach mindset which understands that, eventually, a successful data breach is going to occur, Mellen adds. "Operating under those conditions, you need to figure out how you're going to handle that and build your resiliency to respond better and faster. This isn't just about the security function either, and it needs to be spread across an organization, considering what marketing is going to do, what sales is going to do, etc. -- how, as a business, you can demonstrate you value your customers and that you want to make it right as quickly and effectively as possible."

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author