Data Breach Costs Study: Response, Containment Increase

The total average cost of responding, containing and reporting a data breach increased significantly, rising 15 percent to $3.5 million in 2013, according to an annual report that has been tracking expenses for nearly a decade.

The Ponemon Institute's Cost of Data Breach Study analyzed data breaches in 314 companies in 16 industry sectors and tracked cost estimates provided during interviews with nearly 1,700 executives about the costs incurred during each firm's response and cleanup efforts. The report, sponsored this year by IBM, found breaches involving lost or stolen devices or a serious lapse by a third-party business partner were often related to the costliest data breaches.

"The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers," said Larry Ponemon, founder and chairman of the Ponemon Institute, in his analysis of the report. "Our report also shows that certain industries, such as pharmaceutical companies, financial services and health care, experience a high customer turnover."

[Related: Verizon 2014 Data Breach Report: The Bad Guys Are Winning ]

Sponsored post

Costs associated with a breach vary by country, depending on threats in the region and local data protection regulations and laws, Ponemon said. The average consolidated data breach cost increased from $136 to $145 per record. German and U.S. organizations, on average, experienced much higher costs at $195 and $201, respectively, Ponemon said. The analysis mirrors the firm's 2013 breach costs analysis.

A strong security posture can significantly reduce data breach costs, according to the Ponemon analysis. Organizations that were able to contain costs often had a strong security posture, appointed a chief information security officer, and created and proactively tested its incident response plan, according to the report. By contrast, firms that had no senior leadership responsible solely for security suffered the most expenses. Those companies often were quick to notify about a breach, often reporting to authorities before the full extent of the security lapse was fully understood and contained, the report found.

For the first time, the Ponemon Report also found cyberinsurance playing an important role in not only containing breach costs, but also forcing businesses to establish a stronger security posture, Ponemon said. The report found that 32 percent of organizations it studied had an insurance policy to manage the risk of cyberattacks and threats. Many of the organizations had mature security programs, according to the report, and more than half (54 percent) indicated they were satisfied with the coverage.

"While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite," Ponemon said in the report. "Those companies with good security practices are more likely to purchase insurance."

NEXT: Calculating Risks Key In Containing Costs, Say Solution Providers

The data is not surprising to solution providers who say the maturity of insurer cyberinsurance programs that can set premiums are increasingly based on an organization's risk posture and data security measures.

The Ponemon report gets to the heart of the matter by focusing on losses, whereas most studies are focused on defense, said Ben Goodman, CEO of Enterprise Risk Associates, a New York-based firm that specializes in cyberinsurance. Insurance carriers are starting to have an impact on the security industry by asking questions about the ability of an organization to protect its critical data, Goodman said.

An analysis of 145 data breach claims in 2013 conducted by NetDiligence, a Philadelphia-based cyber-risk assessment services company, found that insurance companies paid out $84 million in data-breach and security-incident-related costs. Just as credit card companies can calculate and accept a certain amount of loss, businesses are learning they can no longer fully reduce the risk of a breach, and it is a practical measure to insure against the costs associated with a serious security incident, Goodman said.

"Risk management becomes, at some level, a cost-containment exercise," Goodman said. "The business transfers its risk to secure its balance sheet and maintain liquidity and organizational resilience."

The Ponemon report said the ideal amount to invest over the next 12 months to execute their organization's security strategy averages $14 million. However, in the next 12-month period, companies anticipate having an average of about half that amount, or $7 million, to support the security program. Malware and sustained probes by criminals were the biggest threat to an organization's security. Meanwhile, denial-of-service attacks were seen as the least threatening, the report found.

The lack of adequate budgeting may be forcing firms to accept more risk, said solution providers. An organization that is failing to invest in proactive system monitoring and incident response often isn't aware of the location of its most critical data assets and what would happen if they were lost or stolen, said Justin Flynn, a consultant and network security specialist with Chicago-based solution provider Burwood Group.

"You assess the value of what you are monitoring and if that value is significant enough, you build redundancies into your monitoring solutions," Flynn said.

The Ponemon analysis tracks direct and indirect costs associated with a data breach, including activities associated with the immediate response and the aftermath of a data breach. The firm calculates the average costs associated with a forensics investigation to determine the scope of an incident and organize an incident response team, procuring auditing and other consulting services and obtaining legal defense.

The typical notification costs include the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, and other efforts to make sure victims are alerted to the fact that their personal information has been compromised, according to the report. Those costs were most expensive for organizations based in the U.S. and Germany, and the least costly to firms in Brazil and India.