How much does a data breach cost? Understanding the costs—and why some breaches cost more than others—can help your financial institution mitigate the financial risks of a data breach.
A data breach costs $242 per lost record in the United States, according to the 2019 Cost of a Data Breach Report by IBM and Ponemon Institute which studied 507 organizations that had a breach over the past year. (The cost globally is $150.)
This includes costs of detecting and responding to the breach, notifying consumers, and legal fees. Then there’s the loss of customer trust. The study attributed 36 percent of the cost to lost business, with “abnormal” customer turnover of 3.9 percent.
The cost of a data breach can stretch for years. In highly regulated industries like financial services and healthcare, companies incurred 53 percent of data breach costs the first year, 32 percent in the second year, and 16 percent going forward from there, IBM/Ponemon found.
Not accounted in the IBM/Ponemon study is the impact to the stock price.
In a Comparitech study of 28 publicly traded companies that have collectively experienced 33 “massive” data breaches of 1 million or more records, it found data breaches have a long-term negative effect on stock prices. Stock values take the hardest hit in the first month after a breach and then recover, but underperform the NASDAQ by -13.27 percent after three years. This impact is amplified for payment and finance companies since they tend to leak highly sensitive financial data.
Which Breaches Cost the Most?
The financial impact of a breach depends on many factors, but two of the most significant are:
The average data breach costs a company $3.92 million, but breaches caused by third-parties cost an average of $4.29 million—about 10 percent more, IBM/Ponemon found.
About half of all breaches are the result of malicious cyber attacks. Another quarter is caused by human error, such as when someone falls for a phishing scheme, while the last quarter is caused by system glitches. The most expensive type of breach is also the most common: malicious attacks.
Source: IBM/Ponemon Institute
How to Control the Cost of a Data Breach
These insights can help your institution ensure it has controls in place to help limit the financial risk of a data breach. They include:
Early detection. The sooner a breach is discovered and addressed, the less it ends up costing a company. Breaches that take less than 200 days between occurrence and remediation cost 37 percent less than when it takes more than 200 days, according to IBM and Ponemon. (Part of the reason breaches caused by malicious attacks cost more is it takes longer for them to be discovered.)
Business continuity management (BCM). Strong BCM can reduce the cost of a breach. BCM after a breach cut data breach costs by about seven percent, the study found.
A well-tested incident response plan. Companies that use tabletop exercises or other simulations to test their incident response plans often catch breaches sooner. The study found that breaches cost $1.23M more when a company lacks an incident response team or tested plan.
Understand cyber insurance coverage. What does your cyber insurance cover? What do your third-parties’ cyber insurance cover? Understanding what type of coverage your institution has can help your team estimate the cost of a potential breach and whether more coverage is needed.