If you don’t have cyber insurance, you may want to consider including a line item for “cyber breach costs” in your next annual budget. Growing 40% last year alone,1 cyber breaches have become a reality for organizations large and small who are learning the hard way that if you don’t prepare for a cyber breach – or have the right coverage to back you – it will hit your balance sheet hard and could very well bankrupt you.
Some risk factors will make you more of a target, and there’s a chance you could pay a higher price for a cyber breach than others. Read on to learn why.
Top exposures that impact the cost of a data breach
First, consider your industry. Costs are as high as $402/record on average for healthcare breaches, as their data can demand a pretty price on the black market. For the most highly targeted industry, finance, records cost $264 on average, and in education, an increasing target for hackers because the number and types of records stored can be significant, the cost is $220/record. No industry is immune to an attacker's exploits, and no organization is too big or too small to become a target.
Adding to the risk, when your employees use personal smartphones to access company information, they can expand the attack surface of an organization, even increasing the potential for the cost of a data breach by almost 10% per year. That’s because as many as 3% of all mobile devices are infected with malware. With users having an average of 50 apps/device, they’re more susceptible to phishing attempts, hacking and password theft.
Your data store strategies are another area of concern when calculating the cost of a data breach. Storing your business’ data in the cloud can increase your risk of facing a costly cyber storm. While cloud migration is rapidly expanding for the collaboration and storage opportunities it affords businesses large and small, a third-party data host can introduce foreign threats and exposures to your data, as service providers can become a lucrative target due to the amount of data stored.
Finally, the total cost of a data breach will depend on how many confidential records your company stores. Think: customers, patients, students, employees; both active and archived records, digital and paper records. And, there can be variations of costs due to the mechanism of loss. For example, most data breaches continue to be caused by criminal and malicious attacks. These breaches take the most time to detect and contain, and as a result, have higher costs per record, due to the need to bring in a 3rd party computer forensics firm.
A Breakdown of the most common costs of a data breach
Regardless of how many records you’ve got, or the industry in which you conduct business, first party expenses are a given. Here’s the breakdown of breach costs, without a dedicated cyber policy.2 (HINT: A cyber policy covers all the following first party expenses).
Privacy Attorney – Cost: $700/hour
Engaging a privacy attorney is your first step. It is necessary to keep the impending forensic investigation protected under attorney-client privilege and to iron out the patchwork of state laws and federal regulators you’ll need to comply with.
IT Forensics Investigation – Cost: Average of 55 hours; $475/hour
Currently the fastest growing post-data breach expense, the IT forensics investigation will determine the who, what, where, when and why you’ve been breached and is critical to ensuring the bad guys are gone.
PR Firm – Cost: $20,000
You’ll need professionals to set the strategy on your press and mitigate any reputational harm, both internally with employees and externally with clients.
Notification Costs and Call Center Set Up – Cost: $1875
You’ll have to notify breached individuals and provide them with access to credit card and ID Theft Monitoring.
Credit Card and ID Theft Monitoring – Cost: $11,500
Statistically speaking, while only 20% of affected individuals typically take advantage of this, you’re required to provide it, for 12 months in most states.
Regulatory Defense and Costs – Cost: $20,000 - 1.7 Million
Just about every federal agency is claiming data breach oversight these days. Depending on your industry and breach circumstances, you could be investigated or fined, or formal proceedings could be initiated against your company post-breach, by any number of agencies, including any number of the 50 state attorneys general, the Department of Health and Human Services, the Securities and Exchange Commission, the Federal Trade Commission or the Federal Communications Commission.
Payment Card Industry – Cost: $387,500 for PCI investigations; $50,000 for card re-issuance
The payment card industry has its own regulatory body, made up of Visa, Mastercard, American Express and Discover, to investigate your data breach and assess you fines for each breached credit card number, assessments for fraudulent charges and credit card reissuance.
What’s YOUR Business’ Cyber Breach Cost?
The first party expenses and fines incurred by businesses post-data breach – especially small to mid-sized businesses – are enough to put any organization in the red. Check out HUB’s new Cyber Cost Calculator to understand what puts your business most at risk for a breach and what your costs could be when the inevitable happens to you.
1 Identity Theft Resource Center. http://www.idtheftcenter.org/2016databreaches.html
2 Total average costs are based on a breach of 25,000 exposed records/identities.