What is the true cost of a data breach? Research firm Deloitte says the toll of cyberattacks is significantly underestimated. The firm cites 14 factors that could have deep impact on your business and your bottom line.
In its report, “Beneath the surface of a cyberattack: A deeper look at business impacts,” Deloitte analysts identify 14 impact factors that result from a cyberattack, using two real-world examples. The first involves a healthcare organization that suffers a data breach when it learns that a laptop containing 2.8 million of its personal health information (PHI) records had been stolen from the company’s health care analytics software vendor. The total cost of the breach, based on all 14 factors, was $1,679 million.
“Above the surface” are many tangible, direct costs. These factors, generally well-understood, include such things as costs to notify customers or provide personal credit protection. They are relatively straightforward to approximate using a combination of profile information for each company, publicly available data, and cost assumptions derived from industry and market research.
Following the breach discovery, the healthcare provider notified customers of the event, the steps being taken, and the potential impacts. This process took six months, at a cost of $10 million (0.6 percent of the total).
Technical investigation revealed that cyberattackers had gained access to the patient care application using privileged credentials from the stolen laptop and had created a significant number of user IDs. Consequently, before service could be restored, new user accounts had to be issued for all application users, and new application and system controls were put in place. The post-breach protection efforts lasted three years, at a cost of $21 million (1.25 percent of the total).
Regulatory compliance factors came in the form of HIPAA fines. These amounted to $2 million over a two-year period (0.12 percent of the total). The company faced ongoing scrutiny for its handling of the incident; many months after the breach its cyber insurance premiums were raised, and legal fees accumulated as the company faced identity theft lawsuits. The impact of legal fees continued for five years at a cost of $10 million (0.6 percent of the total). The cost of cybersecurity improvements during the first year was $14 million (0.83 percent of the total).
The company shut down physician access to the patient care application and activated its cyber incident response team. The application was kept offline for two weeks while the incident was investigated. The full technical investigation lasted six weeks, at a cost of $1 million (0.06 percent of the total).
“Beneath the surface,” many of the impacts are intangible and more difficult to quantify, including costs associated with loss of intellectual property (IP) or contracts, credit rating impact, or damage to the value of a trade name. In situations where intangible assets are at risk, impact can be estimated using generally accepted standard financial measures, damage quantification methodologies, and valuation methods. Almost 89 percent of the impact was associated with just three “beneath the surface” impact factors: value of lost contract revenue; devaluation of trade name; and lost value of customer relationships.
The healthcare provider incurred significant increases in its insurance premiums. These amounted to $40 million over a three-year period (2.38 percent of the total). In the short term, core business functions were disrupted by the shutdown of physician access to the patient care application. While the application was unavailable, physicians and providers relied on less effective and efficient means of receiving medical alerts, increasing risk to patients. Without full access to health insurance coverage information, physicians and providers could not be certain of the financial implications—to both their institution and their patients—associated with the choice of care they provided. Operational disruption cost the healthcare provider $30 million (1.79 percent of the total).
The decline in annual revenues due to lost members or customers caused the value of customer relationships to decline by $430 million over a three-year period (25.61 percent of the total). In this scenario, contracts were not canceled; however, as the company looked to reduce the damage of the incident, it adjusted the premium increase it had historically charged its members. This resulted in an estimated loss of $830 million over five years (49.43 percent of the total).