The numbers are staggering. In 2016 alone, more than four billion records were exposed in 4,149 separate breaches. Yet companies often leave the door wide open to attackers. The cost and effort of protecting data properly is high, no question. But weigh it against what a breach could cost your company, and you may find that prevention is more affordable than dealing with the aftermath of an actual breach.
What would a breach as large as Equifax cost the organization involved?
The Forrester report ‘Calculate the Business Impact and Cost of a Breach’ summarizes what a breach could cost your organization. To make that more tangible, we used the cost categories highlighted in the report to estimate what a breach as big as the Equifax breach could potentially cost.
The exercise is intended to give security teams ammunition for prioritizing and right-sizing security investments and actions.
Customer facing breach notification and response
At $5-10 per record, individually notifying and tracking each of the 143 million affected consumers would cost up to about $1.4 billion at the top of that range. In Equifax’s case, the company kept costs down by putting the onus on consumers to find out whether their personal data was compromised and to initiate any further action.
Because of that, the cost of communicating with affected consumers in a breach such as Equifax’s will fall at the lower end of the spectrum. We estimate roughly $2 per record, bringing the total to about $300 million.
Incident response and investigation
A company as large as Equifax will likely spend at the higher end of the spectrum on incident response and forensic investigation. We conservatively estimate a spend of $10 million.
Public relations crisis management
At $500 per hour, a PR team of five working full time costs about $5 million for the year.
A breach this large draws legal action from both government and consumers. Retaining legal teams at about $850 per hour (plus other costs) for two years easily amounts to $20 million.
Regulatory fines and legal settlements
In June 2017, Anthem agreed to a $115 million settlement after a breach that compromised the data of about 80 million consumers. Scaling from that, a settlement of $200 million for 143 million people seems plausible. Regulatory fines have traditionally been low, but it remains to be seen whether the extent and harm of a larger breach increases them.
Cost of remediation
We estimate an average of $20 million over the next two years to find and remediate all vulnerable code, plus ongoing increased security efforts to prevent another incident. This includes hiring an incident response team, training staff and putting the right tools in place to prevent further breaches.
Cost of lost revenue
Equifax bent to pressure and offered consumers free credit monitoring and credit freezes. At $10 per transaction, if 20 percent of the affected consumers use the benefit, it will cost Equifax about $300 million in forgone revenue.
Adding other liabilities and intangibles, the total cost of a breach as large as Equifax’s comes to about $1 billion. As of this week, Equifax has lost $6 billion in market capitalization. The difference quantifies the loss of consumer trust, the expected customer and employee churn, and Wall Street’s expectation that this breach will have a long tail at the organization involved.
These numbers should be a wake-up call for businesses to justify data security investments, and to have a crisis management plan in place before a breach takes place.
Download your free copy of the Forrester report today. It will help build the business case for investments in data security and security operations necessary to defend sensitive data. Don’t wait for a breach to happen to you.