How expensive is a data breach for a big company? A recent report by Audit Analytics provides insight to this question in a study that sampled 639 cybersecurity breach incidents at public companies in the last nine years. The report, “Trends in Cybersecurity Breach Disclosures,” found the cost of a data breach directly relates to the life cycle of an incident and on the sensitivity of the compromised customer information. According to the study, the longer the life cycle, and the more sensitive the data, the higher the bill. Today, the cost companies face per incident has reached an average of $116 million.  

Two Main Components of Data Breach Costs:

Value of Compromised Data

Companies that leak highly sensitive data get hit with the greatest costs. The most valuable pieces of information a company can lose include customer payment data and Social Security numbers (SSNs). As valuable and costly as these are to companies, however, they continue to be stolen at ever increasing rates. From 2016 to 2019, data breaches involving the loss of SSNs have risen by more than 500%. Large companies increase this percentage substantially because they tend to lose millions of records during any given data breach.

Take for instance the Equifax breach in 2017 that involved the leak of 143 million U.S.-based individuals’ full names, birthdates, addresses, financial information and other personally identifiable information. The breach cost the company a tremendous $1.7 billion in remediation.

Another example is the 2015 hack on the health insurance provider Anthem Inc. that compromised more than 37.5 million records, including SSNs. The data breach cost the company $115 million.

Data Breach Life Cycle

Another determinant of data breach cost is the life cycle of the incident. According to the report, the longer the length of time to resolve the issue, the more expensive the remediation costs. The report found that it took a company an average of 108 days to discover that a data breach had taken place and an additional 49 days before the breach was disclosed. Some companies, however, far exceeded this average and paid greatly for it.

Most notably is the case with Yahoo! that delayed disclosing a breach by Russian hackers for three years. More than 3 billion user accounts were affected. The company was fined $35 million by the Securities and Exchange Commission for the lag time alone. Aside from costs associated with compliance, regulation and remediation, companies also face a drop in their stock values. A recent report by technology research firm Comparitech, found that share prices fall by an average of 7.3% after a data breach.