Data Breach Costs and Attacks Continue to Increase in 2019

In its new 2019 Cost of a Data Breach Study for IBM, the Ponemon Institute^[1] continues to track the escalating year-over-year costs of data breaches. According to the study, the average total cost of a data breach increased from $3.86 million to $3.92 million, and the average cost for each lost record increased from $148 to $150. And while the rate of increase this year is less than prior years, the total costs of data breaches across industries continues to climb. And there’s evidence that a single breach can have continuing, year-over-year costs after the breach is discovered and remediated.

The study this year also suggests that “the loss of customer trust [related to a data breach] has serious financial consequences, and [at 36 percent of total average breach costs] lost business is the largest of the four major cost categories contributing to the total cost of a data breach.”

A data breach typically involves situations where confidential, sensitive or personally identifiable information (the elements of which may be defined by state law or federal regulation) is accessed or used without permission or proper authorization. Breaches can occur when laptops containing sensitive information are lost or stolen, when disgruntled employees or third parties access or download such information or when cybercriminals/cyberterrorists gain access for profit or political reasons.^[2] As such breaches increase in frequency, ingenuity and prevalence, companies are looking to studies such as Ponemon’s to justify the continued increases in cybersecurity spending.^[3]

Ponemon provides ample evidence for such justification. The study notes that the costs of a data breach for organizations that invested in an incident response team and testing of their response plans was over 25 percent less than organizations that fail to take such preemptive actions (an average savings of over $1.2 million dollars per breach).

Ponemon also presents new evidence of how data breach costs are incurred. Not only does a single data breach result in immediate costs, but such costs can extend over multiple years. In general, about two-thirds of breach costs are estimated to occur in year one, 22 percent in the second year after a breach and 11 percent in year three. Such extended losses are greater in highly regulated industries, such as health care and finance, where 53 percent of breach costs are recognized in the first year, 32 percent in the second year and 16 percent more than two years after a breach. The study also notes the relationship between customer turnover and costs related to a data breach.

But perhaps the two most disturbing trends noted by this year’s survey relate to the life cycle and nature of cybersecurity attacks.

Disturbing Trends

The study notes that the average time to identify a breach in 2019 was 209 days, and the average time to contain a breach was 73 days, for a total of 279 days – almost a 5 percent increase over the 2018 life cycle of 266 days. This life cycle to containment is critical with respect to costs, as breaches with life cycles of less than 200 days typically create costs one-third lower than breaches with life cycles over 200 days.

The study also noted that malicious cyberattacks are the most common and most expensive of the breaches studied (increasing over 20 percent between 2014 and 2019). Malicious cyberattacks also have a longer life cycle (averaging 314 days) and are more costly (by 27 percent over human error breaches and 37 percent over system bugs and glitches).

But while malicious cyberattacks are now the most common cause of a breach, human errors and system glitches still represent 49 percent of data breaches studied by Ponemon (including the common phishing attacks all companies seem to be victims of these days).

Increasing vendor usage also presents significant potential risks for cyberattacks. Ponemon found that out of 26 factors contributing to the cost of a data breach, “the five that contributed the most cost were third-party involvement, compliance failures, extensive cloud migration, system complexity and operational technology.” Such factors acted as “major cost amplifiers” of a data breach.

And if increasing costs were not disturbing enough, the study indicates that the percentage chance of experiencing a data breach within two years has now risen to almost 30 percent (a 31 percent increase over the last six years).

With the 2019 study, Ponemon continues to present a series of snapshots in time that illustrate the increasing risks, rising costs and expanding customer turnover rates related to data breaches. But these snapshots also suggest immediate mitigation strategies that may save time (and money) when the inevitable breach occurs; strategies range from simple encryption requirements to expanded internal compliance and training. The key is planning and reasoned organizational integration of the staffing, training and systems required as a result of the increasing threats to a company’s digital assets.

The final caution: “Smugness” over not having experienced a data breach is not appropriate.^[4] Given that on average, it takes over 200 days to even identify a data breach and the increasing probability of such a data breach, you may already have a multimillion-dollar data breach liability – you just don’t know about it yet.

^[1] https://www.ibm.com/security/data-breach

^[2] See generally Frey, Cyber-warfare, cyber-terrorism, and cyber-crime, Financier Worldwide, April 2013.

^[3] Bloomberg reports that the cost of top cybersecurity experts to serve as Chief Information/Data Security Officer have quadrupled (with annual compensation at public companies ramping from $600,00 to over $2.5M in 2019. Bloomberg Reports, telecast July 7, 2019.

^[4] See generally, https://en.wikipedia.org/wiki/Smug_Alert!