[BreachExchange] 11 Real Costs Of A Corporate Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 26 20:29:35 EDT 2016


http://www.twice.com/blog/executive-insight/11-real-costs-corporate-data-breach/62272

Security breaches cost a lot of money. In the U.S., the average data breach
costs $5.4 million. The average cost, globally, of a compromised record
rose 9 percent in 2014 to $145; costs in the U.S. rose to $201 per record.
The 2014 Target breach was estimated at a gross cost of $162 million, with
a net cost of $105 million after reduction for insurance payments and tax
deductions.

It was originally reported that the Anthem breach of 80 million patient
records would cost over $100 million just to notify the victims and provide
free identity-theft and credit monitoring. Altogether, the Anthem breach is
estimated to have cost $31 billion, more than the federal government has
spent to incentivize digital medical records since 2009.

For all the quantifiable costs, there is also a range of hard-to-measure
costs like brand reputation, consumer loyalty, board and stakeholder
relations, distraction from normal business activities, regulatory fines
and potential class action lawsuits.

When a data breach happens there are 11 cost areas to consider:

1. In-house investigations: The immediate response to a breach requires the
diversion of internal information technology resources to investigate the
breach, take immediate damage-control actions, and put short-term
protective measures in place for all assets.

2. Forensic experts: An independent forensics team is usually engaged to
investigate and determine how the system was breached, whether insiders,
outsiders or both were responsible, what data was affected, and whether
data was stolen, deleted or altered. Engaging that team early matters,
because hasty remediation under item 1 can overwrite the logs and disk
images the investigation depends on.

3. Vulnerability controls: Once vulnerabilities have been identified, the
controls and safeguards that should have been in place to prevent the
breach must be implemented.

4. Hotline support and notification: In order to avoid overly diverting
resources from ongoing customer relations, companies typically outsource
hotline support, development of incident-response media, and first-class
mail notifications to comply with state and, where applicable, federal
breach-notification laws.

5. Free credit-monitoring subscriptions: This goodwill gesture may appease
some customers, but others may still join class-action lawsuits.

6. Discounts for future product and services: Additional goodwill gestures
to reinforce customer loyalty may include discounts on future products or
services, gift cards and value-added services.

7. Customer churn and diminished acquisition: It can be difficult to
quantify the number of customers lost to a data breach, but it is a logical
consequence of tarnished brand trust.

8. Leadership turnover: Data breaches have resulted in the exit of senior
executives as brands make public statements of accountability.

9. Regulatory fines: Fines and penalties vary by industry and by regulator,
whether oversight is through the Federal Communications Commission (FCC),
the Federal Trade Commission (FTC), Health and Human Services (HHS) or
state attorneys general.

10. Class-action lawsuits: While most class-action lawsuits fail because
of the difficulty of proving injury, especially future injury, companies
can still be forced to settle the suits at substantial cost.

11. Insurance premiums: Cyber liability insurance includes first-party and
third-party coverage. First-party coverage applies to the breached company
and the direct expenses it incurs — notifying clients, client credit
monitoring, public relations, loss of business income and extortion.
Third-party coverage applies to any lawsuits, penalties and settlements
that arise from the breach.

Despite the massive costs of a data breach, some economists wonder whether
breaches cost enough to incentivize deeper investment in security. The
breach-related costs Target reported publicly to its stockholders amounted
to only about 0.1 percent of its gross sales for 2014, and no related loss
of store revenue was reported.

Many firms have no internal consensus around appropriate security
investments; however, three camps of opinion are apparent:

1. The Minimally Compliant Camp: Companies with security standards focused
on minimal regulatory compliance cite overspending on security as
irresponsible business practice. As regulation often lags advances in
hackers’ strategies and security technology, this approach is primarily
reactive to security breaches.

2. The Reasonably Secure Camp: With consideration for regulatory compliance
and the current state of security threats, this moderate approach takes a
responsive posture as it seeks to balance best practices with costs.
Companies document critical discussion of their judgments about what is
reasonable, what is probable, and the value/liability of different types of
data. Their goal is to develop a comprehensive, intensely pragmatic,
security strategy.

3. The Building-In Security Camp: The forward-thinking security community
takes a predictive approach. It perceives compliance as a low-bar standard
and current security threats as indicative of trends to anticipate. Drawing
on the maturity model first used to improve quality assurance in the
automotive industry, the Building Security in Maturity Model (BSIMM)
community values defense-in-depth security initiatives built on the
practices of industry-leading companies.

The BSIMM community treats software security as an emergent property of the
whole organization and measures it as observed progress on 112 activities,
grouped into 12 key practices. Seventy-eight companies are currently
enrolled in the BSIMM. As they continually monitor their progress on those
practices, they can compare themselves not only to their own benchmarks but
also to the progress of all the companies in the community. Rather than
base security initiatives on speculation about what they should be doing,
these companies focus on practices that member companies are actually
engaged in and that have been observed to succeed. Using a long-term,
big-picture, data-driven view, the companies strive to build security
practices into every stage of software development and operation. The
BSIMM is a model for collaboration among companies across a range of
industries, including financial services, telecommunications, technology
firms, healthcare, retail, energy, cloud and security services.