7 Types of Breach Costs: Things to Consider When Estimating Impact
Considering some recent large scale data breaches on this great visualisation:
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- Home Depot is now running at $250m direct costs.
- Target over $150m
- Anthem expected > $100m
- JP Morgan > $250m / year in increased security spending and costs
- eBay lost or saw a reduction in activity in 15% of users and reduced annual revenue forecasts by $200m
When collating this I observed an interesting pattern. Certain costs are similar across all of them, but there are also other distinct classes of cost that depend much more on the specifics of the business, and only some of them are going to be covered by insurance (and then limited in total payout).
1. Direct breach costs - notifying customers, identity theft protection, and contractors and consultants for breach containment, analysis, and recovery.
2. Lost revenue - hard to predict, but given the extensive outage, damaged relationships, and loss of confidence that can occur it could be significant. Defections, attrition, and loss of customers at contract renewal, as well as more difficulty securing new business, all add up. It's likely eBay recovered many of its lost users gradually over time - but they still expected it to hit their total revenue by 1% ($200m) in 2014. The B2C market is also likely more forgiving than the B2B market.
3. Lost trade secrets and IP - could in the longer run feed into (2) above. Of course this is industry dependent, but in some sectors it could have long-lasting financial or national security repercussions.
4. Information security investment - a fire-sale investment in security tooling, consultants, resourcing etc.: complicated overlapping programmes of work and a lot of expensive external consultants and contractors. Hiring in skills to avoid the time taken to train, and to save face. Much of this will be recurring cost in software licence support contracts and salaries. It will also often impede responsiveness and agility - especially if rushed in.
5. PR campaign - a desperate bid to reassure and retain customers and protect brand value, in order to combat (2) above, and driving the need for (4).
6. Regulators - who are getting more power to hit businesses with larger fines. For example, the EU proposal is considering fines of up to 5% of global revenue for non-compliance.
7. Lost productivity - last, but by no means least, there's an immense opportunity cost. What value-adding activities would all the staff working on remediation, damage limitation, and reputational salvage otherwise have been working on? Is it going to delay product launches and updates, or technology refreshes? Perhaps it will even cost first-mover advantage in a field, or delay cost and efficiency savings. (Thanks to Lance for pointing out this one in the comments.)
Even a year ago it was sometimes hard to justify financially the investment in information security required to protect people's data, though of course there is also a moral duty. That is changing, as highlighted by the examples above. Opinions on this differ: this article doesn't believe we are there yet, but it looks at revenue, whereas it is perhaps better to consider profit. And however big the organisation, if you don't look after the millions, the billions can't look after themselves...
As data is pooled and concentrated, breaches are bigger, and costing more; regulators are getting bigger sticks, and top management are getting fired. It is now starting to make moral and financial sense to invest in a holistic security program to reduce your exposure.
Are there other classes of costs I've missed? Let me know in the comments below.
Cheers
Andy
@andy_boura
Technology, science, and business geek: Information Security Architecture, Risk Management, Software Development, Entrepreneurship, Business & Management.
Cyber Security Leadership and Strategy | CISO
9 years ago
Lance, take Anthem - 80,000,000 records - cost $100m. Think the reports you mention overstate the cost per record on large breaches... $1.25 / record in Anthem's case.
Cyber Security Expert | Cyber Psychology | Podcaster | International Speaker | Fraud Investigator
9 years ago
Andy, have you seen the Verizon report with the cost breakdown per record loss? It helps to provide more understanding about aligning vulnerabilities which cause data loss to an associated cost per record. At the moment these costs are early days, and I have seen figures ranging from $50 - $200 in the Verizon report. In an Experian report they have mentioned £104 for the UK market, but I am not sure where and how this estimation has been achieved. Good article though.
Cyber Security Leadership and Strategy | CISO
9 years ago
Updated with opportunity cost - thanks Lance.
Cyber Security Leadership and Strategy | CISO
9 years ago
Lance, good catch, I would include the cost of monitoring services in the direct breach related costs (the bit that tends to be insured based on my limited understanding of the cyber insurance market). The impact on productivity and ongoing projects is indeed a completely different class of cost. As this is relative to the breached organisation, the impact on the users would be seen via the brand damage and lost business. I will update the article when I get a moment. Thanks for the input.
Cyber Security Expert | Cyber Psychology | Podcaster | International Speaker | Fraud Investigator
9 years ago
Andy, the only other thing I can think of is the indirect cost of staff for cleanup and restoration of service, by either paying overtime or time in lieu, and how this affects operations and project related work. Depending on current work streams, all efforts will be concentrated on restoring services as fast as possible. The follow-up RCA is also eating into time to learn from mistakes. The other item I can think of is the cost to the business of protecting lost user data by paying for financial monitoring services, never mind the personal cost to the people who are impacted by this loss. A lot of these issues can be prevented by heeding the warnings that are coming up from these breaches.