The True Cost of a Security Breach

When a security incident occurs, it often results in a host of unexpected direct and indirect costs for the impacted organization. Those expenses may include the cost to hire a third-party digital forensics and incident response (DFIR) firm, the cost to remediate the incident, and the cost of new cybersecurity protections. But the true cost of a breach doesn’t stop there. Victims of successful attacks can also suffer lost revenue, unplanned audit expenses, and can be hit with regulatory fines, legal fees, higher insurance premiums, reputational damage, professional crisis management and PR fees.

Despite the many and varied costs associated with a security incident, generally accepted industry research on the cost of a data breach focuses on the number of records stolen or people affected, which appears to have the effect of underestimating the true cost of a data breach. For example, IBM’s Cost of a Data Breach Report from 2022 found the average cost of a data breach in the U.S. to be $9.44 million.1 Meanwhile, security practitioners have seen about a dozen cases over the past four years in which the reported costs of various incidents have run into the hundreds of millions of dollars.

Then there’s the impact on a company’s earnings and stock performance. According to a 2021 study by Comparitech, companies reporting breaches tend to underperform the stock market.2 The study also found that one year after the data breaches were reported, the companies’ share price fell 8.6% on average and also underperformed the NASDAQ by 8.6%. The average share price of a breached company underperformed NASDAQ by 11.9% after two years and 15.6% after three.

On the pages that follow, we share in-depth research on the true, long-term costs of data breaches. To bring you these numbers, we combed through dozens of SEC filings in search of cost data that companies reported to investors and regulators. We triangulated the SEC data with news reports in the media. And we analyzed the impact of these breaches on companies’ stock performance and quarterly earnings.

Net income for five of the organizations we studied sank an average of 73% within nine to 12 months of each organization announcing a breach. In addition, in nearly all cases, quarterly earnings declined and stock prices dropped significantly after data breaches. While economic and other business factors may have also contributed to sagging financial performance in some cases, there’s no question these breaches impacted performance given the high costs companies reported.

We hope our research gives you a clearer and more accurate picture of the lingering, end-to-end financial impact of a data breach. It’s our goal, in this time of economic uncertainty and belt-tightening, to arm you with data that you can use to make a bulletproof business case for investment