Data breaches and security incidents are becoming increasingly costly. Canadian lender Desjardins Group recently revealed it had spent C$70 million ($53 million) in the wake of a breach earlier in the year that exposed personal information of 2.9 million members. Manufacturer Norsk Hydro said the final bill for its crippling cyberattack could be as high as $75 million. British Airways and Marriott have had to add $100 million each onto the final cost of their incidents after falling foul of GDPR.
These examples are the most high-profile and extreme ends of the scale, but the financial impact of suffering a data breach remains high for companies of all shapes and sizes. The average cost of a data breach in 2020 is $3.86 million, according to a new report from IBM and the Ponemon Institute.
The report shows a 1.5% decrease in costs from 2019 but still a 10% rise over the last five years. This include a combination of direct and indirect costs related to time and effort in dealing with a breach, lost opportunities such as customer churn as result of bad publicity, and regulatory fines. Though the average cost of a breach is relatively unchanged, IBM says the costs are getting smaller for prepared companies and much larger for those that don’t take any precautions.
“The overall headline number stayed very similar to what we saw last year,” says Charles Debeck, senior threat analyst at IBM X-Force IRIS, “but if you dig deeper into the data what we saw was an increasing divergence between organizations that took effective cybersecurity precautions versus orgs that didn’t.”
“This divergence has been increasing year over year; the organizations that are engaging in effective cybersecurity practices are seeing significantly reduced costs, the organizations that aren’t engaging in these same practices are facing significantly higher costs.”
Data breach costs rising for unprepared organizations
US organizations face the highest costs with an average of $8.19 million per breach – up 5.3% on 2019 – driven by a complex regulatory landscape that can vary from state-to-state, especially when it comes breach notification. In the UK the figure has risen over 4%, to $3.9 million and is slightly higher than the global average after several years of tracking lower.
The average cost of each lost record has gone down slightly to $146 from $150 in 2019. The most expensive type of record to lose was customer PII records, which were involved in around 80% of breaches in the study. The least expensive record to lose was employee PII and was the least likely type of record to be lost in a breach.
Nearly 40% of the average total cost of a data breach stem from lost business –including increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation – increasing from $1.42 million in the 2019 study to $1.52 million in the 2020 study.
While the loss of thousands of records at a time is becoming common, Equifax-level breaches involving millions of records are still relatively rare. According to IBM, a “mega-breach” of 1 million to 10 million records cost an average of $50 million, while the loss of 50 million records might cost a company $392 million.
Most industries surveyed experienced an average total cost decline year over year, with the steepest drops coming in media, education, public sector and hospitality. However, healthcare (10.5%), retail (9.2%), and energy (14%) sectors saw an increase from 2019. The level of regulation plays a big role in what a company will pay to recover from a data breach. Heavily regulated industries such as healthcare and financial services see average costs of $7.13 million and $5.86 million respectively per incidents, while less regulated industries such as media and hospitality see average incident costs of under $2 million.
“Healthcare has been the number-one industry in terms of average cost of a data breach for ten years in a row now,” says Debeck. “It’s a highly regulated industry and faces a lot of regulatory burdens when it comes to remediation of a breach, and there are a lot of additional costs with medical records compared to other types of record.”
Debeck noted that the healthcare industry’s breach lifecycle is longer, averaging about 329 days compared to the overall average of 280 days. That leads to higher costs.
Ransomware costs can also be a significant consideration, especially around the decision whether to pay to retrieve data. According to The State of Ransomware 2020 report from Sophos, paying the ransom in any ransomware increases the overall cost of the attack. The report claims the global average to remediate a successful ransomware attack is $733,000 for organizations that don’t pay the ransom, rising to $1,448,00 for organizations that do pay. This is likely because there will still be signification remediation efforts even if data is returned in addition to the cost of the ransom. The report also suggests for those companies that paid the ransom and have insurance covered by ransomware it is almost always (94%) the insurance firm that foots the bill.
Slow breach response increases costs
Time is money and being slow to detect and contain a breach can be costly. According to the IBM report, it now takes a combined 280 days to identify and contain a breach, which is one day more than the 2019 report. As with the average cost, Debeck says while the average remains largely the same better prepared companies are much quicker at remediation than those that don’t put proper measures in place.
Speedy responses could be a massive cost saver. Companies able to detect and contain a breach in under 200 days spent on average $1.1 million less.
“Time really is money,” says Wendi Whitmore, director of X-Force Threat Intelligence at IBM. “The more time an attacker has within an environment the more access they can get to different devices, different pieces of data, different accounts, and all of those that are things that we need to remove their access and limit their impact moving forward. That certainly drives the cost up.”
National trends at containment remain unchanged from previous years; German, Canadian and South African organizations are quickest at finding and containing breaches – a combined 160, 226 and 228 days, respectively, while companies in the Middle East (380) and Brazil (369) take the longest. Industry trends also remain largely the same from previous years: Healthcare, public sector and entertainment organizations take the longest time to discover and contain a breach – all averaging more than 310 days – while the financial services, technology and research sectors were quickest at discovery and remediation.
The study also looks at the “long tail” of data breaches and found that organizations are paying the price of a data breach for years afterwards. Around 61% of the cost comes in the first year, around 24% comes in the next 12 to 24 months, and the final 15% comes more than two years later. Although an extreme example, in 2019 Equifax agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission over its 2017 data breach.
“A lot of times the clients that we respond to will see a data breach as this one-time cost: ‘It’s going to be a huge outlay, but then moving forward we’ll go right back to business’,” says Whitmore. “The reality is only about 67% that’s spent during that first year with that the remaining 33% incurred over the next two to three years–things like monitoring afterwards or credit monitoring. Capital One, Equifax, if they have a large number of clients’ data credit records breached, then they’re responsible for that and that becomes an in an ongoing cost.”
Regulations and fines
With the introduction of GDPR, CCPA and a host of copycat legislation appearing worldwide, compliance is becoming a significant part of the cost of a breach. “If you look at the US alone, there are 52 different state privacy laws,” says Whitmore. “That means that when these breaches occur oftentimes most companies wouldn’t have people who are experts in each of those on staff. So, that’s something that they’re having to hire and outsource and make sure that they’re incurring those costs.”
Companies that aren’t willing to pay for the expertise to ensure compliance may well suffer regulatory fines, which are becoming increasingly steep. The Marriott hotel chain originally claimed its 2018 data breach had cost it around $28 million, the majority of which was covered by the company’s insurance. However, in July 2019 the UK’s data protection authority, the ICO, issued a $124 million fine to the company for GDPR compliance failures. An even bigger fine was issued to BA by the ICO the same week. With the threat of such large fines, companies should take a more proactive to data privacy to gain a more favorable view from regulators.
“We anticipate we’re going to see more of those, and those are likely going to significantly drive up the cost moving forward, and I think that really is going to dramatically kind of change the landscape of the investments that organizations make,” says Whitmore. “Ideally, that means that they’re making more proactive investments, and truly looking to prepare and rehearse and make sure that they can limit the impact of these records loss when it comes to these types of breaches.”
Data breach impact on stock price
In addition to material costs, publicly owned companies will likely see their stock value affected by data breaches as well. Comparitech analyzed the stock value of companies on the New York Stock Exchange in the aftermath of 33 data breaches of at least 1 million records and found that breaches don’t often have a longtail impact on company value.
Share prices of breached companies hit their lowest – around 7.3% down – around 14 market days following a breach and underperform the wider NASDAQ by -4%. While companies are likely to see their share price rebound and even rise ahead of the market average in the first six months after a breach, they are still likely to underperform on the NASDAQ by -6.5% 12 months later. As a recent example, in November 2019 Macy’s stock had dropped 11% in a single day after it disclosed a breach and suffered a “highly sophisticated and targeted data security incident…that affected a small number of customers during a one-week period in October.” However, by the end of December that year the company’s share price had recovered.
“Companies that leak highly sensitive data like credit card numbers, including Macy’s, typically see a steeper drop in share price than companies that leak less sensitive data,” says Paul Bischoff, privacy advocate at Comparitech.
“Our research shows companies see an initial drop in share price for about three weeks following a data breach, after which it recovers. Six months post-breach, most companies have fully recovered and even outperform the prior six months in terms of share price. Our analysis also shows more recent breaches have less negative impact on share price than older ones, a sign of breach fatigue among consumers who have grown accustomed to their data being stolen.”
Remote working can make incidents more costly
COVID-19 changed how many organizations operate and turned remote working from a nice to have for some employees to a core requirement for almost the entire workforce. According to IBM, having a remote workforce increases the average total cost of a data breach of $3.86 million. Three-quarters of organizations that had enabled remote work said it would increase the time to identify and contain a potential data breach.
“The full implications remain to be seen,” says Debeck, “but undoubtedly organizations are now facing a lot of decentralization, new network structures that are potentially reaching out to private, unsecured, or unknown networks. Undoubtedly changing your network and endpoint environment complicates your incident response and security. Organizations need to re-evaluate their incident response plans and how their IR teams are reacting to security incidents.”
“A lot of organizations have testing plans in place but unless they’re tested we’re not going to know how well they’re going to work, and that’s especially true when you’re entire network infrastructure just shifted over the course of the last four months,” says Debeck. “The worst way to get experience at incident response is by having an incident, and the best way is to do it in a safe environment beforehand.”
How to reduce breach cost: Have a response plan
It’s a common refrain that suffering a data breach is almost inevitable, and so the best way to keep costs low is to be prepared for every eventuality. The report claims that companies had an incident response (IR) team that also tested an IR plan using tabletop exercises or simulations saw savings of $2 million compared to those than those that had no such measures in place.
“You shouldn’t just have a paper that says, ‘Here’s the contact information for the security team’, but actually rehearsing through these types of scenarios in an immersive environment where they can test out other plans, identify gaps, and then ideally contain those before they go through these attacks in real life,” says Whitmore.