Data Breach – What’s the cost?


It’s a common question. Our clients are continually grappling with quantifying the actual cost of a potential data breach to their organisation, whether to understand risk profile, build a business case for investment plans, price cyber insurance and so on.

How do you do it and what factors should companies keep in mind? Firstly, there are many industry statistics available which are useful as a reference point, be it from industry bodies, consultancies or vendors. Let’s start with a recent study from IBM which found that the average cost of a data breach was up to $4m (from $3.8m in 2015), with the cost incurred for each record stolen increasing to $158 and a 26% likelihood of a breach involving 10,000 lost or stolen records in the next 2 years.

These are significant numbers, but of course, as with all such figures, they “can go up as well as down” based on the respective business profile. So, what should organisations consider when quantifying data breach risk? Here are some of the factors that we cover when assessing and assigning a cyber value at risk:

  • Size and Scale – naturally, the amount of data that an organisation processes is a key factor, but other factors such as number of employees, business locations and currency can also affect the data breach cost
  • Company profile – the type of business and data is one of the major factors in determining a value. If an organisation’s data is sensitive, such as private health information (PHI), personally identifiable information (PII) or payment card data (PCI), then the impact can vary significantly in terms of regulatory fines and the like
  • Board Profile – not only will the company profile have an impact but also that of the board. From whether the business activities may draw unwanted attention to the profile of the individuals themselves, it is important to understand the risk that this might engender
  • Operational Impact – what would be the impact of a partial or complete cessation of business operations over various time periods? These are normally easier to quantify and, in many organisations, should already have been addressed to some extent through a Business Impact Assessment (BIA) as part of business continuity planning
  • Cause of breach – it is important, if possible, to understand the root cause of the breach, whether externally targeted or internal through malicious activity, insufficient process, employee error or supply chain/3rd party (indeed, the latter are often the most difficult to manage and the costliest)
  • Breach Restoration – the material impact of restoring services, both in terms of the immediate resumption of business operations, which may involve resource, software and hardware, and the post-breach cost of shoring up any deficiency in people, process or technology
  • Forensics – data breaches can often be difficult to assess, not only in terms of the impact but also the extent of the penetration and its scale. Often, organisations will need to bring in a third-party specialist to perform these activities, which can come at a significant cost. The value of this, alongside any cyber insurance, needs to be considered
  • Reputation and Disclosure – a difficult one to calculate pre-breach but nevertheless one which should be an input when determining a cyber value at risk: the impact on the bottom line (or the stock price) of losing customer confidence in products or services. Historic data helps both in quantification and in lessons learned as to how executives should react

By looking at these factors organisations can build as good a view as possible in terms of how much a data breach will cost. Each should be thought through carefully and weighted appropriately to give business leaders an assessment of the likelihood and impact. This also allows for a more targeted discussion regarding mitigating actions and subsequent investment profile.
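To show how the factors above can be turned into a weighted likelihood-and-impact figure, here is a small added example (not from the original post, and not the authors’ own model). The only numbers taken from the post are IBM’s $158 per-record cost and the 26% two-year likelihood of a 10,000-record breach; the sensitivity multipliers, the board/company-profile likelihood adjustment and the sample organisation profile are all assumptions chosen for illustration. The breakdown it returns is what lets a business leader see which factor dominates and so where mitigation spend is best targeted.

```python
"""Toy cyber value-at-risk model (constructed example, not the post's method)."""
from dataclasses import dataclass

PER_RECORD_COST_USD = 158.0       # IBM figure quoted in the post
BASELINE_LIKELIHOOD_2Y = 0.26     # IBM figure quoted in the post

# Assumed multipliers: a proxy for regulatory exposure of each data class.
SENSITIVITY_MULTIPLIER = {"generic": 1.0, "PII": 1.3, "PCI": 1.6, "PHI": 2.0}


@dataclass
class BreachProfile:
    """One organisation's inputs, mapped to the post's factor list."""
    records: int                       # Size and Scale
    data_classes: list                 # Company profile, e.g. ["PII", "PCI"]
    downtime_hours: float              # Operational Impact (from the BIA)
    hourly_operational_loss_usd: float
    forensics_cost_usd: float          # Forensics (third-party engagement)
    restoration_cost_usd: float        # Breach Restoration
    annual_revenue_usd: float          # Reputation and Disclosure
    reputational_loss_pct: float       # fraction of annual revenue assumed lost
    likelihood_adjustment: float = 1.0 # Board/company profile: >1 raises attention


def impact_breakdown(p: BreachProfile) -> dict:
    """Per-factor impact in USD; the most sensitive data class sets the multiplier."""
    sens = max((SENSITIVITY_MULTIPLIER[c] for c in p.data_classes), default=1.0)
    return {
        "records": p.records * PER_RECORD_COST_USD * sens,
        "operational": p.downtime_hours * p.hourly_operational_loss_usd,
        "forensics": p.forensics_cost_usd,
        "restoration": p.restoration_cost_usd,
        "reputation": p.annual_revenue_usd * p.reputational_loss_pct,
    }


def cyber_value_at_risk(p: BreachProfile) -> dict:
    """Combine impact and likelihood into an expected loss, keeping the breakdown."""
    parts = impact_breakdown(p)
    total = sum(parts.values())
    likelihood = min(1.0, BASELINE_LIKELIHOOD_2Y * p.likelihood_adjustment)
    return {
        "impact_usd": total,
        "likelihood_2y": likelihood,
        "expected_loss_usd": total * likelihood,
        "dominant_factor": max(parts, key=parts.get),
        "breakdown": parts,
    }


# Constructed sample profile: a mid-sized retailer holding PII and card data.
SAMPLE = BreachProfile(
    records=10_000,
    data_classes=["PII", "PCI"],
    downtime_hours=48,
    hourly_operational_loss_usd=5_000,
    forensics_cost_usd=150_000,
    restoration_cost_usd=200_000,
    annual_revenue_usd=50_000_000,
    reputational_loss_pct=0.01,
    likelihood_adjustment=1.2,
)

if __name__ == "__main__":
    result = cyber_value_at_risk(SAMPLE)
    for k, v in result["breakdown"].items():
        print(f"{k:12s} ${v:>14,.0f}")
    print(f"impact       ${result['impact_usd']:>14,.0f}")
    print(f"likelihood   {result['likelihood_2y']:.3f} (2 years)")
    print(f"expected     ${result['expected_loss_usd']:>14,.0f}")
    print(f"dominant factor: {result['dominant_factor']}")
```

For the sample profile the per-record component dominates, which would point the mitigation discussion at data minimisation and tokenisation of card data rather than at, say, forensics retainers. Swapping the assumed multipliers for an organisation’s own historic data or regulator guidance is the step that turns the toy into something usable.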

It’s a difficult question to answer, but not impossible.

If you would like to understand your company’s cyber value at risk profile, please email


Posted on : 17-01-2017 | By : admin | In : Cyber Security, Data, Uncategorized
