A new study suggests the cost of resolving breaches of sensitive information is far lower than previously thought. The costs are so low that for many companies there is little incentive to invest more funds to improve cybersecurity defenses.
Analyzing the cost of data breaches is a complicated business. Some direct costs are easy to quantify: the printing and mailing of breach notification letters, for example, or the cost of providing credit monitoring services to affected individuals. Many others are not. Lawsuits filed by breach victims may result in costly settlements, regulatory bodies may issue financial penalties, and business lost as a result of a breach is particularly difficult to measure. To make matters worse, reliable data on which to base estimates is hard to obtain.
A number of organizations have attempted to quantify actual costs with highly varied results. The Ponemon Institute regularly calculates the cost of data breaches. Its most recent study, published this summer, suggests the data breach cost has now risen to $4 million per incident.
In 2015, the Ponemon Institute calculated the cost of data breaches in the United States to be $217 per record; however, a study conducted by Verizon that same year put the figure at just $0.58 per record.
The latest study, conducted by the think-tank RAND and recently published in Journal of Cybersecurity, suggests the actual cost of data breach resolution may be closer to the Verizon study than the Ponemon cost estimates.
For the study, RAND researcher Sasha Romanosky analyzed 12,574 security events across a wide range of industry sectors. The data was obtained from the U.S. insurance analytics firm Advisen and covers incidents reported between 2004 and 2015.
The events included malicious and accidental security breaches, including disclosures of data, improper disposal, stolen hardware, insider theft, hacks and DDoS attacks, unauthorized data use, lost hardware, phishing attacks, espionage, fraud, and extortion. 60% of the security incidents were malicious in nature, half resulted in litigation, and 17% resulted in criminal prosecutions. Out of all industry sectors, healthcare came fifth for losses suffered behind information, manufacturing, retail, and finance.
The study suggests the cost of resolving a data breach is around $200,000 for the typical firm. That corresponds to roughly 0.4% of annual revenues, about what such a firm spends on IT security each year.
These figures are vastly different from those estimated by Ponemon. Romanosky suggests the Ponemon data are skewed by the high cost of resolving a small number of very large breaches, so the averages are misleading for a typical firm. As Romanosky pointed out, “the mean loss for a data breach is almost $6 million, the median loss is only $170k.”
If the estimates are accurate, there would be little incentive for firms to increase their cybersecurity budgets to prevent cyberattacks. Romanosky also says that at those levels there is also little incentive for firms to adopt the NIST cybersecurity framework.
However, for some industries, healthcare in particular, there is considerable potential for regulatory fines which can significantly increase data breach costs. Recent multi-million dollar OCR settlements show that increasing investment in cybersecurity defenses is still a wise decision.