Security Scorecard

What is the Average Cost of a Data Breach?

Posted on August 6th, 2020

You may think that you can’t afford advanced cybersecurity, but the truth is that, in our modern business world, you can’t afford not to institute the right processes, people, and tools to keep your company safe from cyber threats. Remaining complacent may seem tempting, but this complacency will catch up to you, resulting in financial loss and damage to your reputation that you may not bounce back from. Being proactive in addressing your cybersecurity will ensure that your company can have a brighter future.

The 2020 Cost of a Data Breach Report from Ponemon Institute and IBM Security revealed that the cost of a data breach declined slightly to $3.86 million compared to 2019’s $3.92 million. However, the report is quick to note that despite this decline, the evidence shows a growing divide between organizations with more advanced security processes and those with less advanced security postures.

What impacts the cost of a data breach?

There are a number of different factors that influence the cost of a data breach. Below, we’ve outlined the top aspects to keep in mind when determining your cyber risk management strategy:

1. Your industry, company size, and the types of data you carry

Your industry and company size have a major influence on the cost of a data breach. Heavily regulated industries experienced significantly higher total costs than less regulated industries. Large financial services organizations have an obligation to protect critical data like personally identifiable information, social security numbers, and payment card information (PCI). Likewise, the healthcare industry is required to protect equally sensitive patient information and private health information. The healthcare and financial services industries consistently rank among the industries with the highest costs. However, the energy sector emerged this year as the industry with the second-highest average total costs. In essence, if your organization operates in a sizable industry and holds highly sensitive data, both the likelihood and the cost of a data breach are higher than for organizations in smaller industries that carry less sensitive data.

2. Risks associated with third parties

The Ponemon Institute found that the most expensive data breaches stem from third-party organizations. Focusing on third-party cyber risk management and continuous monitoring can help offset these potential costs. Additionally, vulnerabilities in third-party software caused 16% of data breaches, meaning that companies need to focus on third-party vendor management and on promptly applying security patches to third-party software.

3. Legal and investigative costs

If the breach causes enough damage to your organization, you may need to contract a third party to investigate the breach. This can cost your organization a considerable amount of money. Further, a significant breach can lay the foundation for a class-action lawsuit, which will leave your organization paying legal fees and potential payouts.

4. Business fallout associated with a breach

When an organization experiences a data breach, it needs to issue a public disclosure to alert stakeholders and consumers of the potential compromise. Public disclosures could result in a loss of trust in your organization and cost money in lost revenue and investment. Additionally, breaches can disrupt or completely stop business operations, which can lead to lost sales or the inability to assist customers and fulfill service agreements. In both scenarios, the breached organization suffers losses due to a decline in consumer confidence.

5. Potential losses associated with M&A

If your organization is in the process of an M&A deal when a breach occurs, business valuations could be affected. This could have either a negative or positive effect on costs depending on whether your organization or the company to be acquired was affected. If the company you are acquiring was affected, you will likely be able to renegotiate at a lower price. However, if your organization was affected, this could result in losses.

6. Key factors impacting the average cost of a data breach

Four key factors reduced the overall average cost of a data breach: incident response testing, business continuity planning, the formation of an incident response team, and using an AI platform. The four key factors that increased the cost of a data breach were moving to a remote workforce, lost or stolen devices, Internet of Things (IoT) or operational technology (OT) systems being impacted, and third-party data causing a data breach.

7. CISOs are held responsible but not involved in decisions

Organizations continue to hold CISOs accountable for data breaches even while excluding them from the decision-making process. 46% of respondents said that the CISO would be held responsible for a data breach, yet only 27% said that the CISO is most responsible for setting policies and making technology decisions.

8. Organizations leverage insurance coverage

Of organizations with cyber risk insurance, 51% used their coverage to recoup the cost of consulting and legal services. 36% of the recovered costs went toward paying victims and 30% toward managing regulatory fines.

9. Misconfigured cloud servers increase costs

In 19% of malicious attacks, misconfigured cloud servers were the initial threat vector. Cloud misconfigurations increased the average cost of a data breach by more than $500,000.

10. Use of automated security solutions continues to increase

The percentage of organizations with fully deployed security automation solutions increased from 15% in 2019 to 21% in 2020. The value of security automation continues to be borne out: organizations with fully deployed security automation save an average of $3.58 million per data breach compared to organizations with none.

Preventing data breaches and financial ramifications with SecurityScorecard

When attempting to determine the potential cost of a data breach for your organization, it is important to consider the factors listed above. Taking preventive steps like enacting third-party risk management programs, obtaining cyber insurance, and continuously monitoring your cybersecurity ecosystem can help your organization avoid a breach or better deal with the fallout should one occur.

SecurityScorecard’s platform assigns A-F security ratings that reflect your cybersecurity posture in real time. Security Ratings also provide you with instant and continuous visibility into your vendors’ cyberhealth.

Additionally, SecurityScorecard allows you to continuously monitor compliance across your entire ecosystem and embrace compliance due diligence to ensure your third-party partners are compliant as well.

SecurityScorecard enables organizations to address vulnerabilities in real time and improve cyberhealth across the entire business.
