Security breaches cost a lot of money. In the U.S., the average data breach costs $5.4 million. The average cost, globally, of a compromised record rose 9 percent in 2014 to $145; costs in the U.S. rose to $201 per record. The 2014 Target breach was estimated at a gross cost of $162 million, with a net cost of $105 million after reduction for insurance payments and tax deductions.
It was originally reported that the Anthem breach of 80 million patient records would cost over $100 million just to notify the victims and provide free identity-theft and credit monitoring. Altogether, the Anthem breach is estimated to have cost $31 billion, more than the federal government has spent to incentivize digital medical records since 2009.
For all the quantifiable costs, there is also a range of hard-to-measure costs like brand reputation, consumer loyalty, board and stakeholder relations, distraction from normal business activities, regulatory fines and potential class action lawsuits.
When a data breach happens there are 11 cost areas to consider:
1. In-house investigations: The immediate response to a breach requires the diversion of internal information technology resources to investigate the breach, take immediate damage control actions, and secure short-term security for all assets.
2. Forensic experts: An independent forensics team is usually engaged to investigate and determine how the system was breached, who was responsible internally or externally or both, what data was affected, and whether data was stolen and/or deleted and/or altered.
3. Vulnerability controls: Once vulnerabilities have been identified, the controls and safeguards that should have been in place to prevent the breach must be implemented.
4. Hotline support and notification: In order to avoid overly diverting resources from ongoing customer relations, companies typically outsource hotline support, development of incident response media, and first-class mail notifications to comply with federal regulations.
5. Free credit-monitoring subscriptions: This goodwill gesture may appease some customers, but others may still join class-action lawsuits.
6. Discounts for future product and services: Additional goodwill gestures to reinforce customer loyalty may include discounts on future products or services, gift cards and value-added services.
7. Customer churn and diminished acquisition: It can be difficult to quantify the number of customers lost to a data breach, but it is a logical consequence of tarnished brand trust.
8. Leadership turnover: Data breaches have resulted in the exit of senior executives as brands make public statements of accountability.
9. Regulatory fines: Fines and penalties vary by industry and by whether oversight is through the Federal Communications Commission (FCC), Federal Trade Commission (FTC), or Health and Human Services (HHS).
10. Class-action lawsuits: While most class-action lawsuits typically fail due to the difficulty of proving injury — especially future injury — companies can be forced to settle the suits at substantial costs.
11. Insurance premiums: Cyber liability insurance includes first-party and third-party coverage. First-party coverage applies to the breached company and the direct expenses it incurs — notifying clients, client credit monitoring, public relations, loss of business income and extortion. Third-party coverage applies to any lawsuits, penalties and settlements that arise from the breach.
Despite the massive costs of a data breach, some economists wonder if breaches cost enough to incentivize deeper investment in security. When Target’s publicly available breach-related costs were reported to its stockholders, they only amounted to 0.1 percent of its gross sales for 2014 and so no related loss of store revenue was reported.
Many firms have no internal consensus around appropriate security investments; however, three camps of opinion are apparent:
1. The Minimally Compliant Camp: Companies with security standards focused on minimal regulatory compliance cite overspending on security as irresponsible business practice. As regulation often lags advances in hackers’ strategies and security technology, this approach is primarily reactive to security breaches.
2. The Reasonably Secure Camp: With consideration for regulatory compliance and the current state of security threats, this moderate approach takes a responsive posture as it seeks to balance best practices with costs. Companies document critical discussion of their judgments about what is reasonable, what is probable, and the value/liability of different types of data. Their goal is to develop a comprehensive, intensely pragmatic, security strategy.
3. The Building-In Security Camp: The forward-thinking security community takes a predictive approach. It perceives compliance as a low-bar standard and current security threats as indicative of trends to anticipate. Drawing on the maturity model first used to improve quality assurance in the automotive industry, the Building Security in Maturity Model (BSIMM) community values defense-in-depth security initiatives built on the practices of industry-leading companies.
The BSIMM community understands security as an emergent property of the entire company system that is continuously monitored for progress on 112 activities. Seventy-eight companies are currently enrolled in the BSIMM. As they continually monitor their progress on 12 key practices, they can compare themselves not only to their own benchmarks but also to the progress of all the companies in the community. Rather than base security initiatives on hypothetical speculation about what they should be doing, these companies focus on the success of practices in which companies are actually engaged. Using a long-term, big picture, highly data-driven view, the companies strive to build in the best security protocols at every stage of software development and utilization. The BSIMM is a model for collaboration among companies across a range of industries, including financial services, telecommunications, technology firms, healthcare, retail, energy, Cloud and security services.
Brad Russell is research analyst at market research firm Parks Associates.