
Calculating The Cost Of A Data Breach: Factors You Should Keep In Mind

Melissa Stevens | October 31, 2016

A recent IBM study found that the average cost of a data breach has hit $4 million—up from $3.8 million in 2015. There are countless factors that could affect the cost of a data breach in your organization, and it’s virtually impossible to predict the exact cost. You might be able to estimate a range with the help of a data breach calculator, but no single tool is perfect. 

“Yes” or “no” questions won’t help you better understand your cybersecurity posture—but actionable metrics will.

Therefore, in this article, we’ll focus on a number of factors you should keep in mind—before your company experiences a data breach.


Location, Type Of Currency, & Company Size

Even simple things like exchange rates of the currency your business predominantly uses can impact the cost of an information security breach. If you’re a small shop that deals with limited (or no) customer data, the cost of a data breach may be significantly lower than what a larger corporation may experience.

Industry & Type Of Data Or Records Held

The type of data lost in a breach is one of the largest factors in what it will cost you. If you only lose email addresses, the cost is probably not going to be as high as if you lose personally identifiable information (PII), sensitive customer data (like Social Security numbers), payment card information, protected health information (PHI), etc. The more sensitive the record is, the more costly the breach will be. For example, if you lose payment card information, you may need to offer free credit monitoring to those affected. Or, if you’ve compromised customer health data, you may be subject to regulatory fines from governmental agencies.

The Root Cause Of The Breach

The root cause of a breach can certainly influence the number or type of records lost, which correlates to cost. For example, was the breach caused by a third party? In a recent study, the Ponemon Institute found that “breaches involving third-party organizations remained the most costly.” Reducing your third-party cyber risk through continuous monitoring can help offset these potential costs.

See Also: The 4 Most Important Vendor Risk Management Principles For Security Managers

Operational Costs

If you’re breached, this could slow, disrupt, or completely halt your operations. For example, if you’re a retail business, it could mean a loss in sales. If you’re a service business, it could mean the loss of the ability to provide customer support.

Breach Aftermath

If a company suffers a data breach that is the result of poor security practices, it may want to double down on its security investments—which will come at a cost. Some hardware or software may require replacement or security upgrades post-breach. And some organizations may realize they are understaffed with security professionals and need to hire a new IT professional, CIO, or CISO.  

Investigation Costs

If you need to bring in a third party to investigate your data breach—or even the FBI—these services will cost you up to six or seven figures, depending on the size of the attack.

Public Disclosure

If people are no longer willing to use your services or purchase your product after a large data breach, your bottom line, stock price, and company reputation could all be at stake.

Class-Action Lawsuits

If you experience a class-action lawsuit as the result of a data breach, the cost will clearly be driven up. It also means that the breach that occurred was significant—i.e., many records were compromised and customers suffered real harm as a result.

Sales Or Mergers

The cost here could simply be the value of the business itself if you’re in the process of an M&A deal. For example, after the massive Yahoo breach, the value of the company is now in flux. Verizon is still assessing the valuation of Yahoo and determining if it’s going to follow through with the deal.

See Also: Takeaways From Yahoo’s 500-Million-Account Breach

In Conclusion

As you’ve likely heard before, no data breach is completely preventable. But, in addition to having a good security posture, there are a few things that can reduce your costs should a breach occur. Cyber insurance—which can cover some cost of an information security breach—is a worthwhile investment given the scope of cyber risk.
