How a serious data breach may drive a company out of business

The most serious financial consequence to companies that suffer a data breach is lost business: both direct costs – i.e. engaging forensic experts, hiring a law firm, offering victims’ identity protection services -, and indirect costs – such as the time, effort and organizational resources spent during the data breach resolution, loss of goodwill and customer churn. The total cost of a data breach has risen by almost a third since 2013, meaning that a serious breach may eventually ruin a business.

The cost of lost business was particularly high for US organizations, at $3.97 million on average, according to this year’s Cost of Data Breach Study by Ponemon Institute. This cost includes the abnormal turnover of customers, increased customer acquisition activities, reputation loss and diminished goodwill. In addition to the direct costs of a breach, most companies experience opportunity costs associated with the breach incident, which results from diminished trust or confidence by present and future customers. Accordingly, the research shows negative publicity associated with a breach has effects on reputation that may prompt abnormal turnover or churn rates as well as a diminished rate for new customer acquisitions.

Companies that experienced less than a 1 percent loss of existing customers had an average data breach cost of $2.7 million. If the loss of existing customers exceeded 4 percent, the cost averaged $5.5 million.

Financial, health and service organizations experienced relatively high abnormal churn and public sector and education organizations experienced relatively low abnormal churn. Similarly, heavily regulated industries such as healthcare, education and financial organizations had a per capita data breach cost substantially above the average.

France continued to experience the highest rate of churn, followed by Japan, Italy, the US and the UK.

Following a data breach, organizations need to take steps to retain customers’ trust to reduce the long-term financial impact, authors of the study say.

The average total cost of a data breach for the 383 companies participating in this research increased from $3.79 million to $4 million. Forty-eight percent of incidents involved a malicious or criminal attack, 25 percent were caused by negligent employees or contractors (human factor) and 27 percent involved system glitches that include both IT and business process failures.

The Arabian Region had the highest direct costs (57%) and the US had the highest indirect costs (66%). Direct costs refer to the direct expense outlay to accomplish a given activity such as engaging forensic experts, hiring a law firm or offering victims’ identity protection services. Indirect costs include the time, effort and other organizational resources spent during the data breach resolution. It includes the use of existing employees to help in the data breach notification efforts or in investigating the incident. Indirect costs also include the loss of goodwill and customer churn.

According to a RAND Corporation study, the cost of managing cyber-security is expected to increase 38% over the next 10 years, reaching almost $100 billion, as companies spend more on cybersecurity tools. Worldwide spending on cybersecurity has passed the $70-billion-a-year threshold and is growing 10% to 15% annually. Many chief information security officers believe hackers may gain the upper hand two to five years from now, requiring stronger and more innovative defenses. CIOs are not entirely certain of all the methods malicious hackers use to infiltrate systems, and businesses do not want to disclose their safety measures. Security spending will continue to grow in 2016, with 44% of enterprise security managers expecting to increase their budget in the next 90 days and only 4% cutting back, as HOTforSecurity has previously noted.

“There is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives and entrepreneurs to pay greater attention to the security practices of their organizations,” according to specialists from Ponemon Institute, cited by Business Insights. Cyberattacks also affect business decisions, mergers/acquisitions and competitive positions, as EY shows in the figure below.