Know the Potential Cost of a Data Breach at Your Organization
Matt Kelly
Last Updated on Nov 21, 2023

Breaches of corporate IT networks now happen all the time, every day, to just about every type of organization under the sun. They are a top worry for any compliance officer, and figuring out better ways to prevent them or recover from them is never far from a compliance officer's mind.

But what does a data breach actually cost? Where does that number come from, and what is a compliance officer supposed to do with that piece of information once you have it?

We can assign a cost to the average data breach easily enough: $4.45 million, according to IBM's Cost of a Data Breach Report for 2023. That's up 2.3% from 2022's costs and up 27% from a decade ago, when the average breach cost $3.5 million.

However, knowing those average numbers isn't much help to compliance officers and risk managers. You need to know how to calculate the potential costs at your own organization. Only then, when you have a solid sense of how a breach might affect your business, can you develop sensible risk-based compliance measures to push those costs down.

Calculating the cost of a data breach, either an actual breach that has happened or potential breaches that could happen, is a critical capability for compliance functions.

For example, you might need to disclose the exact cost to investors, regulators, or business partners; remember that the Securities and Exchange Commission (SEC) just adopted new rules that require publicly traded companies to disclose more information about cybersecurity incidents, including costs. Understanding the cost of a breach can also help your compliance officer and other senior executives make better decisions about cybersecurity investments, like new technologies or new policies and procedures.

All that said, figuring out the cost of a breach is complicated. The overall number can be broken down into several components.

Direct costs are the clear, immediate costs that your company will need to pay. You'll know what they are because ultimately your business will pay for them. They include expenses like:

Indirect costs are expenses or lost revenue that clearly exist and will harm your business. However, you can't determine their cost simply by looking at numbers on an invoice. For example, you might have system downtime that leaves employees unable to do their jobs, or lost customers whose revenue you'll never receive.

The best way to estimate indirect costs is to work closely with sales, HR, or other departments in your enterprise to model out the revenues or costs that arise from the normal operations of those functions.

For example, you can work with the HR team to calculate the average cost of certain employee categories (factory workers, researchers, marketers, sales executives, and so forth) to estimate the hourly cost of those employees doing nothing during a ransomware attack. You could work with sales teams to estimate the average dollar volume of sales per day that might be lost during downtime, or how much future revenue the company would lose if certain high-value customers departed forever.

You will also face operational costs, such as IT forensics to determine how the breach happened; incident response efforts, which might include informing outside parties or activating backup data centers; and IT restoration measures, such as installing new or backup software.

Operational costs can be a blend of direct and indirect costs, depending on whether you hire outside teams to do the work or pull in-house employees away from their regular duties to help with the breach.

Reputational costs are hard-to-calculate expenses that arise from your company's tarnished reputation after a breach. For example, you might face higher customer acquisition costs as skeptical sales prospects demand more evidence that you've improved your cybersecurity regime. You might suffer higher rates of customer turnover or lower rates of successful sales. In the worst scenarios, critical business partners might cut ties with your organization, and you'll have to find replacements.

Recurring costs include higher insurance premiums, higher audit fees, compliance monitors, larger cybersecurity investments, and other expenses that might recur for years. Again, some of these costs will be clear, while others are hidden within natural costs, such as annual audits that now include demands for more evidence or testing.

To calculate the cost of a data breach, you'll need to conduct a thorough analysis of each of the elements listed above. Typically that means the CISO will need to collaborate closely with your organization's finance, legal, accounting, sales, and HR teams, and possibly other business functions as well.

One wise strategy is to develop a process for estimating the cost of a breach before a breach happens. You could even conduct a tabletop exercise to walk through a mock breach, to identify which parts of the enterprise would be involved in cleaning up the damage. From there, draft a process that defines who would be involved in responding to a typical breach, including accounting codes or other devices to track the actual amount of money spent. Then you'll be better prepared when the inevitable finally happens.

Let's assume you develop those relationships and processes, so that you can estimate the cost of a data breach. What can a CISO do with that information? Why is knowing the cost of a data breach so important that it's worth your time and energy to develop a process to do so?

Actually, knowing the cost of a data breach is hugely useful to a CISO; it can help you set a better cybersecurity strategy in all sorts of ways. For example:

In the United States, publicly traded companies must now inform investors whenever the company suffers a material cybersecurity event, and you can't determine an event's materiality without knowing the cost. Moreover, when you do need to disclose a breach to investors, you'll need to disclose an estimate of the cost as well.

When you know that certain cyber events are likely to be more expensive than others (say, a ransomware attack shutting down your customer fulfillment center versus a theft of customer data), you can prioritize your protections against those more expensive threats. By focusing on the areas that pose the highest financial threat, your compliance program can allocate resources more effectively to mitigate those risks.

Plenty of data breaches today occur through third-party vendors or other business partners you have. A better understanding of the potential cost of a breach gives you a stronger hand to demand better cybersecurity from your vendors, or more justification to implement stringent due diligence and contract requirements.

When you understand the cost associated with a data breach, you can stress the importance of robust data governance practices to the rest of the enterprise, such as data classification, encryption, access controls, and data retention policies. If those other parts of the enterprise balk at your data governance efforts, you can point to the breach cost and ask, "Shall we pay for this from your budget?"

Cyber breach insurance coverage is a crucial part of every cybersecurity program, but such insurance doesn't come cheap. When you have a clear understanding of the potential financial losses from a breach, you can better determine exactly how much insurance you need, or what measures to take to reduce the damage from a breach so you can lower those insurance needs.

An ability to assess the cost of a data breach is critical for compliance officers, because that knowledge is a powerful tool to drive a better cybersecurity function. Knowing the cost of a breach can help you allocate resources more efficiently, navigate regulatory demands more skillfully, manage vendors and employees more deftly (or, when necessary, more forcefully), and set priorities more accurately.

In short, knowing the cost of a breach brings everything else in your cybersecurity program into sharper relief. That helps you make better decisions.

The bad news is that assessing the cost of a breach is seldom easy. You need to track or estimate a host of individual costs, not all of them apparent. So invest the time now to develop a solid, tested process for estimating breach costs that you can activate when the need finally arises, because sooner or later arise it will.

Looking for more insight into how you can understand your organization's data breach costs and implement risk-based compliance measures? Check out how compliance operations professionals are leveling up their risk responses to avoid becoming a breaking news story about another security breach in our 2023 IT Compliance Benchmark Report.

Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.

Kelly was named a Rising Star of Corporate Governance by the Millstein Center for Corporate Governance in its inaugural class of 2008, and named to Ethisphere's Most Influential in Business Ethics list in 2011 (No. 91) and 2013 (No. 77). In 2018 he won a Readers' Choice award from JD Supra as one of the Top 10 authors on corporate compliance.

Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.