
Industry and Number of Records Can Lead to Costlier Breaches, New Study Finds

Healthcare, information, and financial industries are hardest hit, according to research.

Note: TDWI’s editors carefully choose press releases related to the data and analytics industry. We have edited and/or condensed this release to highlight key information but make no claims as to its accuracy.

When estimating the costs of a data breach, several factors can be independently quantified, including an organization's industry, the source and origin of the threat actor, and the number of records, according to findings in the study "Estimating Financial Losses From a Data Breach," authored by RiskLens, a leading provider of cyber risk quantification and cyber risk management software and services. Each of these factors can raise the cost of a cyber event.

RiskLens data scientists found that in simulated environments, as the number of records in a data breach increases by 10 percent, businesses can expect primary response costs to rise 5.3 percent. The research also found that data breaches caused by external actors are 2.4 times more expensive than those caused by internal actors. The healthcare, information, and financial industries are more likely than other industries to experience a higher degree of breach costs.

According to Statista, in 2020 the average cost of a data breach was estimated to be $3.86M; other reports expect the global cost of cyber crime to reach $10.5T by 2025. The study combines these findings with proprietary data gathered from RiskLens client engagements and other sources to conduct a risk analysis using the FAIR standard.

For this study, the RiskLens team used a data set from insurance data provider Advisen to estimate losses in three categories, modeled on the following independent variables: record count, country, threat access, threat type, data type, and industry.

  • Primary response costs (PRC): These are costs associated with managing the data breach by deploying an incident response team, computer security incident response team, or other related teams. They are costs that accrue after a data breach.
  • Fines and judgments (F&J): These costs are fines incurred from a regulatory body, judgments in civil cases, or fees paid based on contractual stipulations.
  • Secondary response costs (SRC): This includes a variety of costs related to activities and expenses incurred in dealing with secondary stakeholders, depending on the nature of the data breach.

As an example, as the number of records increases by 10 percent, RiskLens research found the PRC can be expected to increase by 5.3 percent. The healthcare, information, and finance industries are 1.5, 2, and 2.5 times more likely, respectively, to experience SRC compared to other industries. F&J costs attached to the finance and information industries are 1.9 times higher versus other industries.

The study also found that malicious events incur 1.4 times higher F&J costs than events caused by errors. Data breaches caused by external actors are 2.4 times more expensive than those caused by internal actors.

U.S.-based organizations will see legal fines and judgments that are five times higher than those of non-U.S.-based businesses. However, foreign companies are twice as likely to incur F&J than their U.S. counterparts.

A summary of the study findings can be found here.
