How much does a data breach cost? That’s one of the first and most elemental questions that an executive at any company would ask – especially in the face of a large outlay for security software or services.
It’s a seemingly simple question, and one that would seem to be easy to answer. For each piece of data that a company loses – a credit card number, piece of customer data, or spreadsheet – what are the costs to the organization in terms of fines, lost business, cost to recover the data, and so on? After all, with a firm grasp on the cost to the business, executives can get a better handle on the potential downside of a data breach. That will help them justify the cost of preventing it.
It turns out, however, that this simple question is very difficult to answer. And the latest data on cyber insurance claims released by the firm NetDiligence only underscores the difficulty of calculating breach costs.
NetDiligence’s 2015 Cyber Claims Study, released on Wednesday, analyzed 160 cyber liability claims for incidents that occurred between 2012 and 2015. Of those, 104 specified the number of records exposed, and 132 (83%) involved an insurance payout of some kind. Some of the events were recent, meaning that claims may still be outstanding.
The survey puts the average cost per record lost at an impressive $964.31. That’s a big number. By that measure the breach at Anthem, which affected some 78 million individuals, would cost that firm around $76 billion. Considering that Anthem only has a market capitalization of $35 billion, and certainly wouldn’t have been able to buy insurance for 100 times its value, that breach should have put the company out of business.
However, looking at average costs is misleading when talking about data breaches, because theft of even a small amount of the right types of data can be very expensive. As proof, the company notes that the median cost per lost record was just $13. That would put the cost to Anthem of its breach at a still expensive, but much more manageable $1 billion. But even that smaller number is likely off – and maybe by a factor of 10 or more. Reports last spring noted that the health insurer carried breach insurance from AIG totaling $100 million (or about $1.30 a record). While there were fears that the cost of Anthem’s breach could exceed its coverage, nobody has put the price tag anywhere close to the $13 per record (or $1 billion) mark. In other words… never mind!
“The industry appears to have reached a consensus that using a standard per-record cost to estimate total breach cost is problematic,” NetDiligence notes, diplomatically.
More specifically, while the number of records lost directly affects certain costs related to a breach – such as the cost of notifying victims – its correlation to other items (such as fines) is “indirect,” while there is no correlation at all to those factors that account for most of the cost of a breach, such as forensic investigation and legal fees. “Relatively small breaches can incur significant costs for legal guidance, forensic investigation, regulatory fines, etc.,” NetDiligence observes. “For this reason, high per-record costs are possible regardless of breach size.”
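The mean-versus-median gap and the point about fixed costs are easier to see with numbers. The following Python model is an added illustration, not NetDiligence data and not part of the original article: each claim is split into a fixed component (forensics, legal, crisis management) that does not grow with record count and a per-record component (notification, monitoring). The eight claims and all dollar figures are constructed for this example.

```python
"""
Why a single per-record figure misleads: a toy breach-cost model.

Constructed example, not NetDiligence data. Each claim is modelled as
fixed costs (forensics, legal, crisis management) that do not scale with
record count, plus a per-record component (notification, monitoring).
"""
from statistics import mean, median
from typing import Iterable, NamedTuple


class Claim(NamedTuple):
    records: int        # number of records exposed
    fixed_cost: float   # forensic investigation, legal guidance, crisis management
    per_record: float   # notification / monitoring cost per exposed record

    @property
    def total_cost(self) -> float:
        return self.fixed_cost + self.per_record * self.records

    @property
    def cost_per_record(self) -> float:
        return self.total_cost / self.records


# Constructed sample of eight claims; the figures are invented for
# illustration and are not taken from any real incident or survey.
CONSTRUCTED_CLAIMS = [
    Claim(records=100,       fixed_cost=200_000,   per_record=5.0),
    Claim(records=500,       fixed_cost=150_000,   per_record=5.0),
    Claim(records=2_000,     fixed_cost=120_000,   per_record=4.0),
    Claim(records=10_000,    fixed_cost=300_000,   per_record=3.0),
    Claim(records=50_000,    fixed_cost=400_000,   per_record=2.0),
    Claim(records=200_000,   fixed_cost=600_000,   per_record=1.5),
    Claim(records=1_000_000, fixed_cost=1_000_000, per_record=1.0),
    Claim(records=5_000_000, fixed_cost=2_000_000, per_record=0.8),
]


def per_record_summary(claims: Iterable[Claim]) -> dict:
    """Mean, median, max and min of cost-per-record across the claims.

    A few small incidents with large fixed costs drag the mean far above
    the median, which is the pattern the survey describes.
    """
    rates = [c.cost_per_record for c in claims]
    return {"mean": mean(rates), "median": median(rates),
            "max": max(rates), "min": min(rates)}


def extrapolate(records: int, per_record_rate: float) -> float:
    """The naive estimate: a headline per-record figure times breach size."""
    return records * per_record_rate


def model_estimate(records: int, fixed_cost: float, per_record: float) -> float:
    """Estimate that keeps fixed incident costs apart from record-driven costs."""
    return Claim(records, fixed_cost, per_record).total_cost


def compare_estimates(records: int, claims: Iterable[Claim],
                      fixed_cost: float, per_record: float) -> dict:
    """Side by side: mean-based, median-based and fixed-plus-variable estimates."""
    s = per_record_summary(claims)
    return {
        "mean_based": extrapolate(records, s["mean"]),
        "median_based": extrapolate(records, s["median"]),
        "fixed_plus_variable": model_estimate(records, fixed_cost, per_record),
    }


if __name__ == "__main__":
    summary = per_record_summary(CONSTRUCTED_CLAIMS)
    print(f"mean per record   ${summary['mean']:>10,.2f}")
    print(f"median per record ${summary['median']:>10,.2f}")
    for c in CONSTRUCTED_CLAIMS:
        print(f"{c.records:>10,} records -> ${c.cost_per_record:>9,.2f} per record")
    # Hypothetical 10-million-record breach with assumed fixed and variable costs.
    est = compare_estimates(10_000_000, CONSTRUCTED_CLAIMS,
                            fixed_cost=3_000_000, per_record=0.75)
    for name, value in est.items():
        print(f"{name:<20} ${value:>16,.0f}")
```

With this constructed sample the mean per-record cost is roughly $303 while the median is about $21, and the smallest breach carries the highest per-record cost because its fixed forensic and legal spend is spread over only 100 records. Multiplying either headline figure by a hypothetical 10-million-record breach yields estimates in the hundreds of millions or billions, two to three orders of magnitude above what the fixed-plus-variable model produces for the same incident.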
The message for companies is mixed. On the one hand, because the size of a breach may not correlate with the cost to recover from it, organizations that experience huge losses may be able to recover without paying costs commensurate with the size of the breach. On the other hand, NetDiligence’s data makes clear that breaches – of any size – are expensive. And, just as important, the expenses are related to issues that don’t necessarily track to the amount of data exposed: “crisis management,” forensic investigations, legal costs and regulatory fines.
In short: cyber incidents and data breaches are expensive – period. The best and most prudent course of action is to simply avoid them.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.