Data breaches affect all businesses and can impact everything from brand reputation to regulatory compliance. Additionally, the costs of a data breach can be ongoing for years, causing continued financial strain on companies as they seek to recover from losses and rebuild their reputations. Here’s a look at the current data on the cost of a data breach.
According to the Cost of a Data Breach Report 2020 from IBM and the Ponemon Institute, the average total cost of a data breach is $3.86 million, marking a 1.5% decrease from 2019 but a 10% increase over the past five years, indicating a continued long-term trend upward. Data breaches are most costly in the United States, where the average cost of a data breach is $8.64 million.
Heavily regulated industries tend to face higher costs as well. In the healthcare sector, the average cost of a data breach is $7.13 million, while financial services companies face an average cost of $5.86 million per incident. In comparison, in industries with less stringent regulatory requirements, such as hospitality, the average cost of a data breach is $2 million.
In 2020, it took companies 280 days, on average, to identify and contain a data breach, which contributes to the overall cost. Companies can save an average of $1 million by identifying and containing a breach in less than 200 days. Companies that take even longer than 280 days face escalating costs; the Ponemon Institute found that 39% of the costs of a data breach are incurred more than one year following the breach.
With remote work on the rise due to the COVID-19 pandemic, identifying and mitigating data breaches could pose a bigger challenge for companies. The survey found that 76% of respondents believe that remote work could increase the time it takes to identify and contain a breach, resulting in an estimated impact of $137,000 on the total cost of a data breach. With cyber attacks such as ransomware on the rise during the pandemic, it’s vital for businesses to take steps to protect sensitive data as employees work remotely, such as implementing cybersecurity awareness training.
The average cost of a data breach per record decreased slightly, from $150 per record in 2019 to $146 per record in 2020 across all data breaches, according to IBM’s report. However, when records contain customers’ personally identifiable information (PII), the average cost per record in 2020 is $150.
For breaches resulting from malicious attacks, the cost per record is even higher, at $175 per compromised record. For data breaches that compromise anonymized customer data, the cost per record is $143, but when those breaches result from malicious attacks, the average cost per record of anonymized customer data is $171.
The cost of a data breach includes much more than recovering lost data. Under data protection regulations like GDPR and the California Consumer Privacy Act (CCPA), as well as industry regulations, companies that suffer a data breach may be subject to costly fines and penalties. These regulations may also require companies to notify consumers affected by a data breach within a specified time following the discovery of a breach, which adds to the total cost of a data breach.
A recent study published in Issues in Information Systems, "Economic Costs and Impacts of Business Data Breaches," explored the direct, indirect, and hidden costs and impact factors that contribute to the cost of a data breach, including:
It’s clear that the costs of a data breach extend far beyond the initial mitigation efforts, with far-reaching impacts on both consumers and businesses that can last for years.
Given the many direct and indirect factors that impact businesses and consumers following a data breach, it’s no surprise that the average cost of a data breach is so high. For many companies, the cost of a single data breach can be crippling, even resulting in permanent closure. However, there are ways to minimize your risk and reduce the potential cost of a data breach. IBM’s report found that companies with fully deployed security automation saved an average of $3.58 million on the cost of a data breach compared to companies with no security automation deployed. Likewise, companies with an incident response team that tested their incident response plans saved an average of $2 million on the cost of a data breach compared to those with no incident response team or testing.
Cyber insurance can also help companies recover from a data breach, offering coverage for costs such as business interruption income and expenses, regulatory fines and penalties, identity recovery, crisis management, and the cost of forensics and investigations. With today’s data breaches having far-reaching impacts and the cost of a data breach out of reach for many SMBs, there’s no better time to take a proactive approach to risk management and protect your business with comprehensive cyber insurance.