What is the cost of a data breach?

December 16, 2020 •

Data breaches affect commercial enterprises and customers alike; businesses lose credibility while potentially facing class-action lawsuits, whereas consumers can be victims of identity theft or payment fraud. In the case of businesses, apart from the bad press and regulatory headaches caused by a data breach, the financial implications can bleed the business dry for years to come.

So, what is the actual cost of a data breach? We have some numbers.

What is the average cost of a data breach?

According to the Cost of a Data Breach Report 2020 prepared by IBM and Ponemon Institute, the global average cost of a data breach is $3.86 million, which goes up to a monumental $8.64 million as the average cost for companies in the United States – numbers that can potentially put large enterprises under duress and compel smaller businesses to close up shop.

The report also includes information on how data breaches impact industries. Heavily regulated industries tend to face greater costs because of the sensitive and confidential nature of the data. E.g., the sector with the highest average cost of a data breach is healthcare at $7.13 million, which dwarfs other industries with less stringent regulatory requirements wherein the average cost amounts to $2 million.

Although the large numbers apply to companies of all sizes, small businesses are increasingly a target for cybercriminals, especially ransomware attacks, and they now routinely see costs around $200,000, which is enough to put many- who don’t have adequate protection- out of business.

Furthermore, a data breach takes an average of 280 days to identify and contain, which only compounds the costs. We would like to think that if we get hacked, we’d know it right away, but as the numbers show, in most cases the company doesn’t discover the breach until much later. It is also important to note that the pandemic-induced work-from-home culture can significantly increase the time required to identify and mitigate a data breach, resulting in an incremental escalation of data breach costs by $137,000.

The report further argues that businesses can save an average of $1 million if a data breach can be identified and contained in less than 200 days. If a business takes longer than 280 days, the report found that 39% of a data breach costs are incurred a year following the breach – as the adage goes, “the early bird catches the worm”; when it comes to getting hacked, the “early bird” might save themselves from going out of business.

What are the types of costs related to a data breach?

After the promulgation of data protection regulations like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and industry-specific rules concerning consumer protection, businesses exposed to data breaches may be subject to costly fines and penalties. A recent study by researchers from the University of Maryland and Robert Morris University aggregated the direct and indirect costs of data breaches for both the business and consumers:

Company data breach costs
Table 1, page 165

Due to the sensitive nature of the information, businesses must inform the consumer of any breach that affects their data, and failure to do so may result in further fines. These, along with immediate data breach costs, are relatively short-term costs. The real punch to the gut comes in the form of long-term expenses, i.e., class-action lawsuits, damage to reputation, the decimation of consumer confidence, erosion of market capitalization, and loss of business opportunities.  The report states: Indirect costs are often latent, hidden, and difficult to recognize and measure. For example, research shows that the probability of banking customers ending business relationship with their banks increases significantly in the six months following a fraudulent transaction or security breach.”

How can the cost of data breaches be reduced?

For many businesses, the cost of a single data breach can result in enormous financial strain or even permanent closure. However, there are ways for businesses to mitigate risks involving a data breach.

Security Automation and Cybersecurity Response

Companies with a fully deployed security automation system can save an average of $3.58 million compared to a company with limited or no deployment of the security automation system. Even small businesses with few resources can implement a small business cybersecurity plan. Likewise, companies with an incident response team can reduce the financial burden by an average of $2 million. But no kind of security automation can fully ensure the prevention of data breaches because malicious attacks are in constant evolution, and not all data breaches are a consequence of external actors; some occur due to non-compliance with internal guidelines (or lack thereof) by the employees.

Cyber Liability Insurance

Cover your costs and get help from experts when you need it with cyber insurance. Cyber coverage has gone from an innovative insurance product for early adopters to an absolute necessity for companies large and small. Small businesses are increasingly the target for ransomware attacks due to having weak cyber defenses. Larger corporations with plentiful resources and strong security are frequently found in the news regarding cyberattacks. Cybercriminals are continually evolving their capabilities to dismantle new defenses and the best way to get protected from financial ruin is with insurance.

Case Study: Marriott International

To put things in perspective, let us consider the Marriott’s data breach costs.

Marriott revealed a massive data breach at the end of 2018 (the actual infringement took place in 2014) that saw data of more than 500 million records of its global customers compromised. Initially, the Information Commissioner’s Office (ICO), the UK data protection watchdog, fined Marriott to the tune of $123 million for the breach, which was later settled for $23.8 million in 2020 after years of protracted negotiations – nevertheless, a hefty sum. Furthermore, Marriott faced the wrath of Turkey’s Personal Data Protection Board (KVKK), which further fined it to the tune of $265,000 for the violation, underscoring how a single data breach can result in multiple fines globally.

But the real question is how much Marriott is going to pay? The answer is less than $1 million.

But how? A cyber insurance policy.

Regardless of the form of risk, insurance is the most effective way to cover costs. By opting for cyber insurance, enterprises can recover costs associated with business disruptions, regulatory fines and penalties, crisis management, and the cost of forensics as well as investigations. With the increasing use of digital software in day-to-day operations and the widespread acceptance of digital payment methods, there has never been a more opportune time to take a proactive approach to risk management and protect a business from cyber threats – it pays to pay your cyber insurance premiums, just ask Marriott.

You might be surprised to learn how affordable cyber coverage can be. Small business only pay for the coverage they need. Get an instant quote with our online cyber liability application.