
After a Cybersecurity Incident: Calculating Your Potential Loss from a Data Breach

In July 2019, CNN reported that one hacker was able to access at least 100 million Capital One accounts and credit card applications. The hack included 140,000 social security numbers, a million social insurance numbers, and more than 80,000 bank account numbers.

The breach also gave the hacker a long list of names, credit scores, addresses, credit limits, and other personal information.

According to CNBC, the hack will mean that the bank will pay around $100 million to $150 million this year.

Not the first

Capital One is not the first company to have suffered significant monetary losses from a data breach. Adultery website Ashley Madison paid $11.2 million to roughly 37 million users who were affected by a data breach on the site in July 2015.

Anthem paid $115 million to settle with complainants when they suffered from a data breach that same year. That’s not all. These companies also have to pay fines and penalties for the breach. They also have to endure several regulatory bills.

For instance, Anthem was fined around $16 million for the breach by the US Department of Health and Human Services.

The data breach at Equifax involved close to 150 million people, and it cost the company $575 million. A similar incident cost Uber $148 million, but the total cost was substantially higher because the company also paid the hacker money to keep mum about the attack.

These incidents happened before Europe implemented the General Data Privacy Regulation (GDPR). Companies dreaded the GDPR coming into full effect because of the potentially huge fines.

British Airways became the face of hefty GDPR fines when it fell victim to a card skimming script that harvested the data of around 500,000 customers over two weeks. The airline paid $230 million for its lax security.

But while the numbers are staggering, you might wonder how the company and regulators have been able to put a dollar value on these attacks.

Determining the cost of a cybersecurity event is not always easy

When your house gets robbed, it’s easier to estimate the financial loss. For instance, if a burglar was able to cart away a television, pieces of jewelry, and cash, you can itemize what was taken and check their current market value.

With a cyber-incident, it is not so clear-cut. Yet in news reports about a data breach, hacking, or any other form of cyberattack, there is always a dollar value attached to these incidents.

A Radware and Merrill Research study estimates a data breach will cost a company an average of $4.6 million in 2019. Have you ever wondered how they came up with these numbers?

Some interesting facts about the cost of a cybersecurity incident

Did you know that if you have an incident response team in place, you could significantly lower the penalties you will have to pay? On average, you can save around $360,000 if you invest in such a team.

The use of encryption will help you save around $360,000. On average, it takes companies 279 days to detect and contain a data breach. The hacker will have been inside your system for 35 days before you get alerted to the incident.

If you can detect a breach and contain it within 200 days or less, you can save $1.2 million.

Here’s something that you might not realize. The expenses are not usually upfront. Only 67 percent of costs will happen within the first year. Around 22 percent will occur in the second year. Another 11 percent of the expected costs will occur beyond the second year.

Why would you want to calculate the cost of a cybersecurity incident anyway?

When it comes to your business, you should always have a good idea of the risks that you face. Knowing the cost of a cybersecurity incident can help you better prepare for it.




Imagine suffering from a data breach and not having the money for compensation, investigation, and regulatory penalties, says Sidd Gavirneni, Co-Founder and CEO at Zeguro. A thorough assessment of your business and IT risk will help you earmark some money in the budget to recover quickly from this incident. What’s more, it will help you justify your IT budget. If the risks and costs are too high, as is the case for most small and midsize businesses, consider investing in a better cybersecurity infrastructure and cyber insurance or data breach insurance for added protection.

Or will the price of new equipment or software be more than what you will spend if your business gets hacked?

How do you calculate the cost of a cybersecurity incident?

There are three components involved in data breaches.

1. First are the direct costs. These are the expenses you incur in dealing with the breach. Examples include the cost of fines, investigation, and compensation to the affected users.

2. Then you have the indirect costs that include the lost time and effort in dealing with the attack. For instance, after the attack, you are required to communicate the breach to your customers. Or when you need to issue new credit cards, accounts, and credentials to your users. You also have to account for the lost productivity and system downtime as you make sure the damage from the breach or hack is kept to a minimum.

3. Lastly, you have the lost opportunity cost. Lost opportunity cost includes the potential customers that are now afraid to do business with you because of the breach. Your company’s reputation will take a hit.

Factors to consider in your computations

There are several factors that you should consider when calculating the cost of a cybersecurity incident.

The fines and penalties associated with a cybersecurity incident will depend on what caused it. A hacking or a stolen device will get you a mild penalty. However, data leaked by an insider, whether it’s done maliciously or by mistake, will net you a heftier fine.

Also, you can expect to pay more if it took you a long time to detect the breach. This is because the hackers had a wider window to steal more data from your systems. It will also be more difficult to investigate.

You can also add the number of people affected to your list of considerations. Large-scale attacks are naturally more expensive because you have to compensate every user affected by the breach. You will also need to spend more when you deal with subject matter experts, lawyers, regulators, and other professionals who can help you clean up the mess afterward.

Other considerations

Aside from these factors, there are also some situations that can increase or decrease the cost of a cybersecurity incident.

Summing It All Up: The questions you need to answer

This checklist of questions will help you remember the factors to consider when you want to assess the expenses associated with a cybersecurity incident.

  1. What records were breached? Does it include customer information only or employees as well?
  2. How many records were breached?
  3. What types of records were exposed? Did they include personal information, credit card details, or health data?
  4. How was the attack carried out? Is it a case of accidentally releasing the data, device theft, or hacking?
  5. Did you have a breach within the past two years?
  6. How complex are your network and other IT resources?
  7. Will it hit the news? If yes, how big will the coverage be? Will it show on national or regional news broadcasts?
  8. Do you follow the security best practices?

Let’s Make It Easier: The Tools You Can Use

While all of these may seem daunting now, you will need to learn how to come up with accurate estimates of your business risks. Thankfully, there are tools.

Doeren Mayhew CPAs and Advisors offers a calculator that can help you come up with an estimate of how much a data breach will cost you based on the number of affected records, your industry, and other significant factors.

Similar calculators are found at eRiskHub, The Breach Level Index, and At-Bay.

* * *

Estimating the cost of a cybersecurity incident will help you fully appreciate the work that your IT guys are doing. It will force you to look at your network and other IT resources, as well as the records and information you are storing.

This exercise will help you fully understand the risks your business faces and how to mitigate these threats. At the very least, calculating this cost will help you justify IT-related investments.
