VIEW 24
Costs of a cyber incident
What does a typical cyber breach cost? It depends on a large number of variables and on the particular circumstances of each incident. Taking an average across 477 cyber incidents, the Ponemon Institute suggested a cost of $4m for a typical breach in 2018. But an average such as this, taken across many different industry sectors, incident types and company sizes, can be misleading. A better approach is to build a company-specific model from the bottom up.


A crude but workable model can be built using only three company-specific inputs: headcount, revenues and customer base. These three factors vary widely between industries. A subcontractor making clothes for a fashion retailer would have a large manual workforce but only one customer. Conversely, an online retailer would have few employees but a very large customer base.
Some parts of the cost of a cyber breach can be viewed as more or less fixed. That is not to say that a tiny company and a huge multinational will pay the same bill regardless, but some aspects of cost across, say, the SME segment will be very similar. A forensic specialist hired to investigate a breach will charge the same day rate whether the breach is large or small. Other elements, however, are strongly volume-dependent and directly proportional to three key factors:
Revenues:
Lost sales due to business interruption form a substantial part of a cyber incident’s costs. These can be estimated by multiplying average daily revenue by the expected number of days of outage. Some cyber incidents can take business-critical systems out for months.
Headcount:
Restitution costs are proportional to the size of the IT estate. It is not uncommon for a company to replace all its software and PCs post-breach to ensure it restarts with a clean system. The number of PCs in a company is proportional to the number of employees, adjusted for the blue-collar to white-collar ratio.
Customers:
In the USA and Europe, companies that suffer data breaches are likely to face fines from the regulator linked to the number of customer records breached. But even excluding these regulatory fines, there are other costs that scale with the number of customers a company has. Customers need to be formally notified that their data has been exposed, and the dark web monitored to see where that data surfaces. Often an external call centre needs to be engaged to handle the concerned calls from clients. These costs are all proportional to the size of the customer base.
Policies can cover costs
The last element to factor into the cost model is the insurance policy. Many policies cover some part of the breach costs described. See View #30 for a more detailed discussion of what a typical cyber policy might cover.
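The bottom-up model described above, from the three company inputs through the fixed, revenue-, headcount- and customer-driven cost components to the insurance recovery, as an added worked example that is not part of the original view. The per-unit rates, the outage length, the policy terms and the two sample companies (a clothing subcontractor with one customer and an online retailer with a large customer base) are all constructed placeholders, not market figures; the policy is simplified to an excess and a limit over a set of covered cost categories, which is an assumption about what a policy might cover rather than a statement about any real product.

```python
"""Bottom-up cyber incident cost model.

Inputs: headcount, annual revenue and customer base (the three company-specific
factors), plus labelled per-unit cost assumptions and a simplified insurance
policy. Every rate and sample company below is a constructed placeholder.
"""
from dataclasses import dataclass


@dataclass
class CompanyProfile:
    """The three company-specific inputs the model needs."""
    name: str
    headcount: int
    annual_revenue: float       # currency units per year
    customers: int
    pc_user_ratio: float = 1.0  # share of staff who use a PC (white-collar share); assumed


@dataclass
class CostAssumptions:
    """Per-unit rates. All values are constructed placeholders, not market figures."""
    outage_days: float                      # expected business interruption
    forensic_day_rate: float                # broadly fixed: same rate for any breach size
    forensic_days: float
    pc_replacement_cost: float              # per PC, software included
    notification_cost_per_customer: float
    dark_web_monitoring_per_customer: float
    call_centre_cost_per_customer: float
    regulatory_fine_per_record: float
    trading_days_per_year: int = 365


@dataclass
class PolicyCover:
    """Simplified policy: an excess (deductible) then a limit, on covered categories only."""
    covered_categories: frozenset
    excess: float
    limit: float


def estimate_breach_cost(company, assumptions, policy=None):
    """Return cost components, the gross total, the insurance recovery and the net cost."""
    a = assumptions
    daily_revenue = company.annual_revenue / a.trading_days_per_year
    pcs_to_replace = int(round(company.headcount * company.pc_user_ratio))
    per_customer = (a.notification_cost_per_customer
                    + a.dark_web_monitoring_per_customer
                    + a.call_centre_cost_per_customer)
    components = {
        "forensics": a.forensic_day_rate * a.forensic_days,      # fixed element
        "lost_revenue": daily_revenue * a.outage_days,            # scales with revenue
        "restitution": pcs_to_replace * a.pc_replacement_cost,    # scales with headcount
        "customer_costs": company.customers * per_customer,       # scales with customer base
        "regulatory_fines": company.customers * a.regulatory_fine_per_record,
    }
    gross = sum(components.values())
    recovery = 0.0
    if policy is not None:
        covered = sum(v for k, v in components.items() if k in policy.covered_categories)
        recovery = min(max(covered - policy.excess, 0.0), policy.limit)
    return {**components, "gross": gross, "insurance_recovery": recovery, "net": gross - recovery}


# Constructed placeholder assumptions (hypothetical values for illustration only).
ASSUMPTIONS = CostAssumptions(
    outage_days=5, forensic_day_rate=2000.0, forensic_days=10,
    pc_replacement_cost=1500, notification_cost_per_customer=2.0,
    dark_web_monitoring_per_customer=1.0, call_centre_cost_per_customer=3.0,
    regulatory_fine_per_record=10.0,
)

# Constructed policy: fines assumed not covered; 50k excess, 1m limit.
POLICY = PolicyCover(
    covered_categories=frozenset({"forensics", "lost_revenue", "restitution", "customer_costs"}),
    excess=50_000.0, limit=1_000_000.0,
)

# Two constructed sample companies with the same revenue but very different shapes.
SUBCONTRACTOR = CompanyProfile("clothing subcontractor", headcount=2000,
                               annual_revenue=36_500_000.0, customers=1, pc_user_ratio=0.1)
ONLINE_RETAILER = CompanyProfile("online retailer", headcount=50,
                                 annual_revenue=36_500_000.0, customers=500_000)


if __name__ == "__main__":
    for company in (SUBCONTRACTOR, ONLINE_RETAILER):
        result = estimate_breach_cost(company, ASSUMPTIONS, POLICY)
        print(f"{company.name}:")
        for key, value in result.items():
            print(f"  {key:>20}: {value:>14,.0f}")
```

Running the script shows why a single cross-industry average is misleading: with identical revenue and outage assumptions, the subcontractor's bill is dominated by the headcount-driven restitution cost and is largely absorbed by the policy, while the retailer's bill is dominated by per-customer costs and fines that exceed the policy limit by a wide margin.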