“If you protect your paper clips and diamonds with equal vigor, you will soon have more paper clips and fewer diamonds.”
– Dean Rusk, former US Secretary of State
Do you know how much your organization stands to lose if it were to suffer a data breach?
Even the legendary Warren Buffet has recently admitted that Berkshire Hathaway cannot properly assess the probabilities of ‘computer hacking threats’, saying: “Cyber is uncharted territory. It’s going to get worse, not better.”
If you could confidently put a number to the risk of a potential data breach – and act on it by taking the reasonable precautions – you could save your organization millions.
The Estimates
Estimating an organization’s cyber risk requires knowledge of “business models, operational processes, trends, maturity levels, and vulnerabilities” (Deloitte) specific to the organization and the industry.
Fortunately, in a study to approximate the costs of data breaches, Deloitte’s industry analysts modeled a realistic scenario where 2.8 million records of Personal Health Information (PHI) were stolen from a multi-billion-dollar healthcare insurance provider, via a software vendor. Deloitte’s projected costs for this single data breach are broken down as follows:
| Cost Item | Time Span | Dollar Value | % of Total |
| Visible Costs | |||
| Post-Breach Customer Protection | 3 years | $21 million | 1.25% |
| Cybersecurity Improvements | 1st year | $14 million | 0.83% |
| Customer Breach Notifications | 6 months | $10 million | 0.6% |
| Attorney Fees & Litigation | 5 years | $10 million | 0.6% |
| Regulatory Compliance (HIPAA Fines) | 1 year | $2 million | 0.12% |
| Public Relations & Crisis Communications | 1st year | $1 million | 0.06% |
| Technical Investigations | 1.5 months | $1 million | 0.06% |
| Sub-Total | $59 million | 3.52% | |
| Hidden Costs | |||
| Lost Contract Revenue (Premiums) | 5 years | $830 million | 49.43% |
| Lost Customer Relationships (Members) | 3 years | $430 million | 25.61% |
| Devaluation of Trade Name | 5 years | $230 million | 13.7% |
| Cost to Raise Debt | 5 years | $60 million | 3.57% |
| Insurance Premium Increases | 3 years | $40 million | 2.38% |
| Operational Disruption | immediate | $30 million | 1.79% |
| Lost Intellectual Property | not included | — | — |
| Sub-Total | $1.62 billion | 96.48% | |
| Total | $1.679 billion | ||
Note three important points from this cost analysis:
- at over 96%, the most significant costs of the total business impacts on the organization would be hidden costs over the course of several years;
- the cost of lost intellectual property is not included, so it is not necessarily zero;
- Deloitte’s calculations assume that the breach was identified only five days after the initial compromise; however, studies find that security breaches can take an average of 190+ days to uncover, during which time attackers can infiltrate further into the network and do more damage, increasing the costs of remediation.
The Reality
“The true costs of an incident response appears, from our point of view, to be well beyond industry statistics,”
– Theresa Payton, former White House CIO
The fact that such high percentages of total costs are hidden costs makes for an extremely challenging feat to measure the true costs of data breaches with precision. Even studies conducted independently by research institutes, with the best of intention and integrity, can only provide estimates. The reality is that the actual costs are undoubtedly much more than the numbers reported.
A security study conducted by global communications firm Edelman found that 71% of global consumers would switch providers if their current provider were to suffer a data breach.
In another example, the 2014 Yahoo data breach that exposed 1 billion user accounts devalued the company by $350 million in brand equity, reflected in Verizon’s proposed price of acquisition.
Further, Yahoo took 3 years to fully disclose the data breach. Most cyber attacks are not discovered until at least 6 months after the attack.
The Remedy
Although quantifying the damage of data breaches remains a challenge, studies have made it extremely clear what we can do to mitigate the impacts of cyber attacks.
Of many, one study conducted by the Ponemon Institute concluded that “Risk assessments and CISOs with enterprise-wide responsibility are considered the most important governance practices to achieve cyber resilience.” This statement refers to two important points that support cyber resilience:
First, the study elaborates on risk assessments:
The most important governance activities are those that help organizations understand their security posture, which is considered important to cyber resilience. These are performing risk assessments to evaluate IT security posture (95 percent of respondents) and establish metrics to evaluate the efficiency and effectiveness of IT security operations (86 percent of respondents).
Second, the concept of CISOs with enterprise-wide responsibility reinforces our point on the increasing need for companies to Centralize by Design to yield greater control and efficiencies across the organization.
The Exercise
Always up for the challenge of attempting the impossible, we’ve analyzed the analyses and developed a ”Cost of Data Breach” calculator to help you begin to estimate the costs of a potential cyber attack on your organization, depending on the security systems (or lack thereof) in your IT environment.
The estimates, of course, fluctuate according to an array of factors, from country and industry to attack type. However, estimating these numbers with accuracy can become such an intimidating task that many shy away from these important discussions.
In the form that follows, we have simplified the factors to those you can answer relatively easily. Once you submit the form, we will evaluate the important variables for you to give you a better idea of how much a data breach could cost you. To learn more, you can contact us to discuss how an appropriate data breach response platform helps to drastically mitigate your risks.
Sources
The Third Annual Study on the Cyber Resilient Organization. Ponemon Institute. March 2018.
2017 Cost of Data Breach Study. Ponemon Institute. June 2017.
Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts. Deloitte. 2016.
2017 Cost of Cyber Crime Study. Ponemon Institute, Accenture.
Incident Response Reference Guide. Microsoft.
