Unprotected companies are considered wrongdoers, not victims
$7.35 million. That’s the average hit a U.S. company suffers after a data breach, according to the latest research by the Ponemon Institute.
Such a staggering impact comes as a shock to most organizations, many of which have no idea that cyber-attacks can wreak such havoc on their bottom lines. And unfortunately, the question now doesn’t seem to be if a company will experience a data breach, but when. Consider this for a moment: the odds of being in a plane crash, something many people worry about when they fly, are about 1 in 11 million. The odds of a company suffering a material data breach within the next two years? About 1 in 4, according to Ponemon’s 2017 Cost of Data Breach Study.
To make matters worse, recent history suggests that companies that shell out $7 million after a data breach may be getting off easy. Equifax stock plummeted more than 20 percent – a $4 billion loss in value – within days of its September announcement that hackers had compromised the personal information of 143 million people. Analysts estimate that Equifax’s direct price tag for dealing with the crisis could exceed $200 million – and that’s after insurance kicks in.
Breaking down the costs
The Ponemon report says companies in heavily regulated sectors like health care and financial services are hit the hardest by data breaches, with average costs per lost or stolen record of $380 and $245 respectively, compared to the global average of $141 across all business sectors. The largest single component of that expense – an average of $1.51 million per breach – is business lost as a result of the breach, chiefly through churn, or abnormal turnover of customers. Churn raises the cost of acquiring replacement customers, and the breach itself erodes goodwill, costing further business from angry consumers and fleeing investors, Ponemon reports.
That loss of market confidence can dog a business for years after the attack: 76 percent of Americans said they would abandon brands with a history of data breaches, according to a 2016 survey by independent market research specialist Vanson Bourne. And for a smaller business, it may take only one breach to lose a critical mass of customers.
Efforts to stop the breach and repair a damaged reputation can be just as pricey. Another million-dollar loss tied to cybercrime stems from a company’s detection and escalation efforts: forensics, finding the root cause of the breach, identifying victims, and organizing a response. Post-breach services cost companies nearly another million, including help desk operations, inbound communications, public relations, product discounts, and ongoing credit monitoring for victims. Even the smallest cost category – about $199,000 for notifying victims and regulators – isn’t truly small.
Understanding the law
For years, lawmakers have sought to convince companies to take the necessary cybersecurity steps to protect themselves and their customers, but most of the federal laws have been a confusing patchwork of vague and outdated privacy and computer crime regulations. HIPAA, passed in 1996, and its later Security Rule, for example, require health care organizations to implement “reasonable and appropriate” safeguards – an open-to-interpretation mandate that makes it entirely possible for businesses to comply on paper without truly protecting themselves or their data.
But change is on the horizon. Currently all eyes are on 23 NYCRR 500, New York’s rigorous, “first-in-the-nation” cybersecurity regulation, which went into effect March 1, 2017. Industry experts expect other states to follow suit, and predict that it will become the template for a uniform national cybersecurity law that gives businesses certainty and clarity while adequately protecting the integrity and confidentiality of information and systems.
The regulation, which applies to banks, insurers and other companies regulated by New York’s Department of Financial Services, places the burden squarely on the shoulders of each organization to regularly assess its risks and build a cybersecurity program around them: a written policy, a designated chief information security officer, periodic penetration tests and vulnerability assessments, access controls and multi-factor authentication, encryption of nonpublic information, and a tested incident response plan. It also demands that companies impose similar controls on their third-party service providers, and requires them to notify the Department of qualifying cybersecurity events within 72 hours of determining that one has occurred.
The cost of non-compliance
New York’s mandates are bold, but they are not impossible to achieve. Many of these requirements were already widely regarded as the standard of care for protecting sensitive data, and most are neither prohibitively expensive nor difficult to put in place. Following these guidelines could benefit companies nationwide as federal regulators increasingly treat hacked businesses less like victims and more like wrongdoers.
Penalties are especially harsh if regulators believe that a hacked organization ignored red flags or failed to take appropriate precautions to safeguard personal data, and they usually combine fines with mandates to improve the company’s cybersecurity program. In 2015, the Federal Trade Commission extracted a $100 million settlement – its largest ever – from identity protection service LifeLock for violating a 2010 order by failing to secure its customers’ personal information. Morgan Stanley agreed to pay a $1 million fine in 2016 to settle Securities and Exchange Commission charges that security lapses at the bank enabled a rogue employee to steal data on hundreds of thousands of customer accounts.
Stiff penalties also loom across the pond. The European Union’s General Data Protection Regulation (GDPR) becomes enforceable in May 2018 and applies to any company, American ones included, that offers goods or services to people in the EU. Companies that fail to meet its strict data protection requirements face fines of up to €20 million (roughly $21 million) or 4 percent of global annual turnover, whichever is higher.
The rewards of readiness
Of course, avoiding pricey fines is not the only reason for a company to meet the highest cybersecurity standards. If a data breach occurs, civil lawsuits seeking damages are usually not far behind, especially if it is alleged that the company failed to take necessary precautions to secure sensitive information. Although the results in these cases have been mixed, some companies have paid nearly $20 million to settle such suits, plus millions more in legal fees and plaintiffs’ costs. Companies whose security programs follow recognized best practice should have an easier time defending against negligence claims, because they can document the due diligence they exercised in protecting customers from cyber-attacks.
The Ponemon report states that these proactive measures also play a vital role in cutting costs if a data breach does occur. Time is critical during a cyber-attack: the longer an intruder goes unnoticed, the more records leak and the more each breach costs. Ponemon found that breaches identified within 100 days cost about $1 million less on average than those that took longer to detect. Scale matters too: breaches of fewer than 10,000 records cost an average of $1.9 million, while those involving more than 50,000 records averaged $6.3 million. But when companies have an incident response team, encrypt their data extensively, and use security analytics to spot unusual activity quickly, they contain breaches and shut them down faster, and Ponemon credits an incident response team alone with reducing costs by as much as $19 per record.
Forbes has reported that cybercrime is estimated to cost $6 trillion per year by 2021, an almost inconceivable number that prompted business magnate Warren Buffett to call it “the number one problem with mankind.” It’s no surprise that more and more companies are increasing their cybersecurity budgets in hopes of heading off the potentially catastrophic effects of a significant breach. Companies that build robust security programs, and can demonstrate their commitment to keeping sensitive information safe, stand to more than recoup the initial costs.
At Cyberguard 360, our clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education and training, and disaster recovery. If you’d like us to put our expertise to work for you, give us a call at 844-315-9882 or submit any questions via our contact form.