Breaches of corporate IT networks now happen all the time, every day, to just about every type of organization under the sun. They are a top worry for any compliance officer, and figuring out better ways to prevent them or recover from them is never far from a compliance officer’s mind.
But what does a data breach actually cost? Where does that number come from, and what is a compliance officer supposed to do with that piece of information when you have it?
We can assign a cost to the “average” data breach easily enough: $4.45 million, according to IBM’s Cost of a Data Breach Report for 2023. That’s up 2.3% from 2022’s costs, and up 27% from a decade ago when the average breach cost $3.5 million.
However, knowing those average numbers isn’t much help to compliance officers and risk managers. You need to know how to calculate the potential costs at your own organization. Only then — when you have a solid sense of how a breach might affect your business — can you develop sensible, risk-based compliance measures to push those costs down.
The art of estimating the cost of a data breach
Calculating the cost of a data breach — either an actual breach that has happened or potential breaches that could happen — is a critical capability for compliance functions.
For example, you might need to disclose the exact cost to investors, regulators, or business partners (remember that the Securities and Exchange Commission (SEC) just adopted new rules that require publicly traded companies to disclose more information about cybersecurity incidents, including costs). Understanding the cost of a breach can also help your compliance officer and other senior executives make better decisions about cybersecurity investments, like new technologies or new policies and procedures.
All that said, figuring out the cost of a breach is complicated. The overall number can be broken down into several components:
1. Direct financial costs
These are the clear, immediate costs that your company will need to pay. You’ll know what they are because, ultimately, your business will pay for them. They include expenses like:
- Notifying affected individuals and providing credit monitoring services to them
- Regulatory fines that a government regulator might impose
- Investigation and remediation costs for hiring specialists to identify exactly what went wrong and then paying for fixes like upgraded software
- Public relations costs if you have an especially public breach that attracts media attention
2. Indirect costs
These are expenses or lost revenue that clearly exist and will harm your business. However, you can’t determine their cost simply by looking at numbers on an invoice. For example, you might have system downtime that leaves employees unable to do their jobs or lost customers whose revenue you’ll never receive.
The best way to estimate indirect costs is to work closely with sales, HR, or other departments in your enterprise to model out the revenues or costs that arise from the normal operations of those functions.
For example, you can work with the HR team to calculate the average cost of certain employee categories (factory workers, researchers, marketers, sales executives, and so forth) to estimate the hourly cost of those employees doing nothing during a ransomware attack. You could work with sales teams to estimate the average dollar volume of sales per day that might be lost during downtime, or how much future revenue the company would lose if certain high-value customers departed forever.
3. Operational costs
You will also face operational costs, such as IT forensics to determine how the breach happened; incident response efforts, which might include informing outside parties or activating backup data centers; and IT restoration measures such as installing new or backup software.
Operational costs can be a blend of direct and indirect costs, depending on whether you hire outside teams to do the work or pull in-house employees away from their regular duties to help with the breach.
4. Reputational costs
Reputational costs are hard-to-calculate expenses that arise from your company’s tarnished reputation after a breach. For example, you might face higher customer acquisition costs, as skeptical sales prospects demand more evidence that you’ve improved your cybersecurity regime. You might suffer higher rates of customer turnover, or lower rates of successful sales. In the worst scenarios, critical business partners might cut ties with your organization and you’ll have to find replacements.
5. Long-term costs
These include higher insurance premiums, higher audit fees, compliance monitors, larger cybersecurity investments, and other expenses that might recur for years. Again, some of these costs will be clear, while others are hidden within “natural” costs, such as annual audits that now include demands for more evidence or testing.
To calculate the cost of a data breach, you’ll need to conduct a thorough analysis of each of the elements listed above. Typically that means the CISO will need to collaborate closely with your organization’s finance, legal, accounting, sales, and HR teams, and possibly other business functions as well.
One wise strategy is to develop a process for estimating the cost of a breach before a breach happens. You could even conduct a table-top exercise to walk through a mock breach, to identify which parts of the enterprise would be involved in cleaning up the damage. From there, draft a process that defines who would be involved in responding to a “typical” breach, including accounting codes or other devices to track the actual amount of money spent. Then you’ll be better prepared when the inevitable finally happens.
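The cost model described above (indirect costs built from HR hourly rates and daily sales figures, the other four components tracked as line items under accounting codes, and scenarios compared so the most expensive ones get protected first) can be written down as a small script so the table-top exercise produces a number rather than a discussion. The following is an added example, not code from the original post or from any vendor's product; every dollar figure, headcount, rate, accounting code and the 8-hour workday are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: idle-labour cost is charged per 8-hour workday of downtime.
HOURS_PER_WORKDAY = 8


@dataclass
class EmployeeCategory:
    """An employee category costed with HR: fully loaded hourly cost per head."""
    name: str
    headcount: int
    hourly_cost: float


@dataclass
class BreachScenario:
    """One mock breach from a table-top exercise. Line items are keyed by accounting code."""
    name: str
    downtime_days: float
    idle_staff: list[EmployeeCategory] = field(default_factory=list)
    daily_sales: float = 0.0            # average sales per day, supplied by the sales team
    lost_customer_revenue: float = 0.0  # future revenue from customers expected to leave
    direct: dict[str, float] = field(default_factory=dict)
    operational: dict[str, float] = field(default_factory=dict)
    reputational: dict[str, float] = field(default_factory=dict)
    long_term: dict[str, float] = field(default_factory=dict)


def indirect_costs(s: BreachScenario) -> dict[str, float]:
    """Model indirect costs from HR and sales inputs, since no invoice will ever show them."""
    idle_labour = sum(
        c.headcount * c.hourly_cost * HOURS_PER_WORKDAY * s.downtime_days for c in s.idle_staff
    )
    lost_sales = s.daily_sales * s.downtime_days
    return {
        "IND-01 labour idle during downtime": idle_labour,
        "IND-02 sales lost during downtime": lost_sales,
        "IND-03 future revenue of departed customers": s.lost_customer_revenue,
    }


def estimate(s: BreachScenario) -> dict[str, float]:
    """Return the five component subtotals plus the overall total for a scenario."""
    components = {
        "direct": sum(s.direct.values()),
        "indirect": sum(indirect_costs(s).values()),
        "operational": sum(s.operational.values()),
        "reputational": sum(s.reputational.values()),
        "long_term": sum(s.long_term.values()),
    }
    components["total"] = sum(components.values())
    return components


def rank_scenarios(scenarios: list[BreachScenario]) -> list[tuple[float, str]]:
    """Most expensive scenario first: this is the order in which to prioritise controls."""
    return sorted(((estimate(s)["total"], s.name) for s in scenarios), reverse=True)


def variance_report(s: BreachScenario, actuals: dict[str, float]) -> dict[str, float]:
    """After a real incident, compare spend booked per accounting code with the estimate."""
    estimated = {**s.direct, **s.operational, **s.reputational, **s.long_term, **indirect_costs(s)}
    return {code: actuals.get(code, 0.0) - estimated.get(code, 0.0)
            for code in sorted(set(estimated) | set(actuals))}


# Constructed sample scenarios (all values are illustrative assumptions).
RANSOMWARE = BreachScenario(
    name="ransomware halts the fulfilment centre",
    downtime_days=3,
    idle_staff=[EmployeeCategory("warehouse", 120, 28.0),
                EmployeeCategory("customer service", 30, 35.0)],
    daily_sales=400_000,
    lost_customer_revenue=120_000,
    direct={"6010 public relations": 40_000, "6020 forensics firm": 150_000},
    operational={"7010 backup data centre activation": 60_000, "7020 restoration software": 45_000},
    reputational={"8010 added customer acquisition cost": 80_000},
    long_term={"9010 cyber insurance premium increase": 90_000},
)

DATA_THEFT = BreachScenario(
    name="theft of customer records, no downtime",
    downtime_days=0,
    lost_customer_revenue=300_000,
    direct={"6030 notification and credit monitoring": 400_000,
            "6040 regulatory fine": 250_000, "6020 forensics firm": 120_000},
    operational={"7030 incident response retainer": 50_000},
    reputational={"8010 added customer acquisition cost": 150_000},
    long_term={"9010 cyber insurance premium increase": 90_000, "9020 compliance monitor": 200_000},
)

if __name__ == "__main__":
    for s in (RANSOMWARE, DATA_THEFT):
        print(s.name, estimate(s))
    print(rank_scenarios([DATA_THEFT, RANSOMWARE]))
    # Constructed "actual" booking: the forensics firm billed more than estimated.
    print(variance_report(RANSOMWARE, {"6020 forensics firm": 175_000}))
```

With these assumptions the ransomware scenario comes out at roughly $1.9M and the data-theft scenario at about $1.56M, the difference driven almost entirely by lost sales and idle labour that never appear on an invoice. The variance report is the piece that makes the accounting codes pay off: once a real breach is booked against the same codes, each line shows where the pre-breach estimate was optimistic.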
So, now you’ve evaluated the cost of your data breach. What do you do with that number?
Let’s assume you develop those relationships and processes so that you can estimate the cost of a data breach. What can a CISO do with that information? Why is knowing the cost of a data breach so important that it’s worth your time and energy to develop a process to do so?
Actually, knowing the cost of a data breach is hugely useful to a CISO; it can help you set a better cybersecurity strategy in all sorts of ways. For example:
1. Better regulatory compliance
In the United States, publicly traded companies must now inform investors whenever the company suffers a “material cybersecurity event” — and you can’t determine an event’s materiality without knowing the cost. Moreover, when you do need to disclose a breach to investors, you’ll need to disclose an estimate of the cost as well.
2. Better risk assessment and mitigation
When you know that certain cyber events are likely to be more expensive than others (say, a ransomware attack shutting down your customer fulfillment center, versus a theft of customer data), you can prioritize your protections against those more expensive threats. By focusing on the areas that pose the highest financial threat, your compliance program can allocate resources more effectively to mitigate those risks.
3. Better third-party risk management
Plenty of data breaches today occur through third-party vendors or other business partners. A better understanding of the potential cost of a breach gives you a stronger hand to demand better cybersecurity from your vendors, and more justification to implement stringent due diligence and contract requirements.
4. Better data governance
When you understand the cost associated with a data breach, you can stress the importance of robust data governance practices to the rest of the enterprise, such as data classification, encryption, access controls, and data retention policies. If those other parts of the enterprise balk at your data governance efforts, you can point to the breach cost and ask, “Shall we pay for this from your budget?”
5. Better insurance coverage
Cyber breach insurance coverage is a crucial part of every cybersecurity program, but such insurance doesn’t come cheap. When you have a clear understanding of the potential financial losses from a breach, you can better determine exactly how much insurance you need — or what measures to take to reduce the damage from a breach, so you can lower those insurance needs.
Equip yourself to make better business decisions
An ability to assess the cost of a data breach is critical for compliance officers, because that knowledge is a powerful tool to drive a better cybersecurity function. Knowing the cost of a breach can help you allocate resources more efficiently, navigate regulatory demands more skillfully, manage vendors and employees more deftly (or, when necessary, more forcefully), and set priorities more accurately.
In short, knowing the cost of a breach brings everything else in your cybersecurity program into sharper relief. That helps you make better decisions.
The bad news is that assessing the cost of a breach is seldom easy. You need to track or estimate a host of individual costs, not all of them apparent. So, invest the time now to develop a solid, tested process for estimating breach costs that you can activate when the need finally arises — because, sooner or later, arise it will.
Looking for more insight into how you can understand your organization’s data breach costs and implement risk-based compliance measures? Check out how compliance operations professionals are leveling up their risk responses to avoid becoming a breaking news story about another security breach in our 2023 IT Compliance Benchmark Report.