Data breaches and security incidents are becoming increasingly costly. Canadian lender Desjardins Group recently revealed it had spent C$70 million ($53 million) in the wake of a breach earlier in the year that exposed the personal information of 2.9 million members. Manufacturer Norsk Hydro said the final bill for its crippling cyber attack could be as high as $75 million. British Airways and Marriott have had to add $100 million each onto the final cost of their incidents after falling foul of GDPR.
While these examples are the most high-profile and extreme ends of the scale, the financial impact of suffering a data breach continues to increase year over year for companies of all shapes and sizes. The average cost of a data breach has risen to $3.92 million, according to a new report from IBM and the Ponemon Institute.
The report shows a 1.6% increase in costs in 2018 and a 12% rise over the last five years. This includes a combination of direct and indirect costs related to time and effort in dealing with a breach, lost opportunities such as customer churn as a result of bad publicity, and regulatory fines.
Data breaches are getting bigger and more expensive
Globally, just under 30% of organizations are likely to suffer at least one breach over the next 24 months. U.S. organizations face the highest costs with an average of $8.19 million per breach, driven by a complex regulatory landscape that can vary from state-to-state, especially when it comes to breach notification. In the UK the figure is slightly lower than the global average, at $3.88 million.
The size of the average data breach is now 25,575 records, an increase of 3.9% compared to 2018. The average breach size in the U.S. is higher at 32,434 and slightly lower in the UK at 23,600 (both figures up over 2018). Each record lost costs around $150 on average globally; in the U.S. that figure rises to $242 while in the UK the cost is $155 per record.
The final cost per record can be affected by factors relating to how well prepared an organization is and how well it reacts to a breach. A breach can create a customer turnover of 3.4%, slightly higher than last year and suggesting customers are becoming less accepting of security failures.
While the loss of thousands of records at a time is becoming common, Equifax-level breaches involving millions of records are still relatively rare. According to IBM, a “mega-breach” of 1 million records could cost a company $42 million – up from $40 million last year — while the loss of 50 million records might cost a company $388 million.
Given the highly sensitive and regulated nature of the data they manage, the health and financial sectors unsurprisingly face the largest costs per record: up to $429 in healthcare and $210 in finance. The level of regulation plays a big role in what a company will pay to recover from a data breach. Heavily regulated industries such as healthcare and financial services see average costs of $6.45 million and $5.86 million per incident, while less regulated industries such as retail and hospitality see average incident costs of under $2 million.
“With healthcare records, you’re actually going to get things like their entire medical history in some cases–the understanding that this person had a knee surgery last year and they’ve been gone going through physical therapy,” says Wendi Whitmore, director of X-Force Threat Intelligence at IBM. “You’re also typically getting a lot of additional personally identifiable information, the same type of information you would get from the from a credit card.”
Slow response to a data breach increases costs
Time is money and being slow to detect and contain a breach can be costly. According to the IBM report, it now takes a combined 279 days to identify and contain a breach, up from 266 in last year’s report. Speedy responses could be a massive cost saver. Companies able to detect and contain a breach in under 200 days spent on average $1.2 million less.
“Time really is money,” says Whitmore. “The more time an attacker has within an environment the more access they can get to different devices, different pieces of data, different accounts, and all of those that are things that we need to remove their access and limit their impact moving forward. That certainly drives the cost up.”
German and South African organizations are quickest at finding and containing breaches – a combined 170 and 226 days respectively – while companies in the Middle East (381) and Brazil (361) take the longest. Healthcare, public sector and entertainment organizations take the longest time to discover and contain a breach – all averaging more than 310 days – while the financial services, technology and research sectors were quickest at discovery and remediation.
For the first time, IBM and Ponemon this year looked at the “long tail” of data breaches and found that organizations are paying the price of a data breach for years afterward. Around 67% of the cost comes in the first year, around 22% comes in the next 12 to 24 months, and the final 11% comes more than two years later. Although an extreme example, Equifax recently agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission over its 2017 data breach.
“A lot of times the clients that we respond to will see a data breach as this one-time cost: ‘It’s going to be a huge outlay, but then moving forward we’ll go right back to business’,” says Whitmore. “But the reality is only about 67% that’s spent during that first year with that the remaining 33% incurred over the next two to three years–things like monitoring afterward or credit monitoring. Capital One, Equifax, if they have a large number of clients’ data credit records breached, then they’re responsible for that and that becomes an in an ongoing cost.”
Regulations and fines
With the introduction of GDPR and a host of copycat legislation appearing all over the world, compliance is becoming a significant part of the cost of a breach. “If you look at the U.S. alone, there are 52 different state privacy laws,” says Whitmore. “That means that when these breaches occur oftentimes most companies wouldn’t have people who are experts in each of those on staff. So, that’s something that they’re having to hire and outsource and make sure that they’re incurring those costs.”
Companies that aren’t willing to pay for the expertise to ensure compliance may well suffer regulatory fines, which are becoming increasingly steep. The Marriott hotel chain originally claimed its 2018 data breach had cost it around $28 million, the majority of which was covered by the company’s insurance. However, in July 2019 the UK’s data protection authority, the ICO, issued a $124 million fine to the company for GDPR compliance failures. An even bigger fine was issued to BA by the ICO the same week. With the threat of such large fines, companies should take a more proactive to data privacy to gain a more favorable view from regulators.
“We anticipate we’re going to see more of those, and those are likely going to significantly drive up the cost moving forward, and I think that really is going to dramatically kind of change the landscape of the investments that organizations make,” says Whitmore. “Ideally, that means that they’re making more proactive investments, and truly looking to prepare and rehearse and make sure that they can limit the impact of these records loss when it comes to these types of breaches.”
Data breach impact on stock price
In addition to material costs, publicly owned companies will likely see their stock value affected by data breaches as well. Comparitech analyzed the stock value of companies on the New York Stock Exchange in the aftermath of 33 data breaches of at least 1 million records and found that breaches don’t often have a longtail impact on company value.
Share prices of breached companies hit their lowest – around 7.3% down – around 14 market days following a breach and underperform the wider NASDAQ by -4%. While companies are likely to see their share price rebound and even rise ahead of the market average in the first six months after a breach, they are still likely to underperform on the NASDAQ by -6.5% 12 months later. As a recent example, in November 2019 Macy’s stock had dropped 11% in a single day after it disclosed a breach and suffered a “highly sophisticated and targeted data security incident…that affected a small number of customers during a one-week period in October.” However, by the end of December that year the company’s share price had recovered.
“Companies that leak highly sensitive data like credit card numbers, including Macy’s, typically see a steeper drop in share price than companies that leak less sensitive data,” says Paul Bischoff, privacy advocate at Comparitech.
“Our research shows companies see an initial drop in share price for about three weeks following a data breach, after which it recovers. Six months post-breach, most companies have fully recovered and even outperform the prior six months in terms of share price. Our analysis also shows more recent breaches have less negative impact on share price than older ones, a sign of breach fatigue among consumers who have grown accustomed to their data being stolen.”
How to reduce breach cost: Have a response plan
It’s a common refrain that suffering a data breach is almost inevitable, and so the best way to keep costs low is to be prepared for every eventuality. The report claims that companies had an incident response (IR) team and extensively tested their IR plan with at least two tabletop exercises that experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
“You shouldn’t just have a paper that says, ‘Here’s the contact information for the security team’, but actually rehearsing through these types of scenarios in an immersive environment where they can test out other plans, identify gaps, and then ideally contain those before they go through these attacks in real life,” says Whitmore.
Another important part is the public response. Losing customer trust ultimately leads to a loss of business, which can increase the overall cost of the breach. “A huge component of it is the communications in the aftermath of a breach and during a breach,” explains Whitmore. “How do we effectively get messaging out to our consumers or clients about what’s going on? Then these events can be an opportunity to build a lot of customers’ goodwill, and a lot of confidence when handled correctly, but that requires a lot of preparation and training in advance for these organizations.”
Companies such as Maersk and Norsk Hydro have shown that a regular stream of information in the aftermath of an attack can actually have a positive impact on a company long term. Both companies were lauded for their effective response and saw their share prices rise in the weeks that followed.
“We talk about the Maersk example pretty commonly,” says Whitmore. “They really took command of the situation. That CEO was engaged in social media, and ultimately that drove the share price up. It’s seen as a big success story when it comes to response.”
Expansive use of encryption, automating security wherever possible, and having an IR team can all reduce the potential cost of a breach, especially if IR teams and plans are tested regularly.
On the technical side, DevSecOps approaches, employee training, cyber insurance, and getting the board involved in security are also found reduce the cost of a breach by more than $100,000 each on average. Conversely, breaches originating from third parties, cloud migration, internet of things, or operational technologies can all drive the cost of a breach up by more than $100,000 each on average.
Whitmore’s main advice for keeping the cost of a breach down is proper visibility into your environment and ensuring robust and tested offline backups. “If we can reduce the time takes to identify a breach and contain it pretty significantly, then those organizations will not have such a high amount of records lost and ultimately, they’re not going to face the same level of fines that we’re seeing right now.”
“in cases of ransomware or destructive malware, we see that organizations lose access to their most critical data, and then they spend a lot of time trying to rebuild environments getting access to it again,” Whitmore continues. “I would recommend having offline backup of your most critical data.”