Size and cost of data breaches continues to rise

20 August 2018

Data breaches are getting larger and costlier, according to an annual study of data breaches from IBM and the Ponemon Institute.

The average global cost of a data breach increased to USD 3.86 million over the past 12 months, a rise of 6% since the 2016 study; while the average cost per lost or stolen record rose almost 5% to USD 148. In the past 12 months, the average size of a data breach also increased by 2.2% to 24,615.

The study also revealed that the more records lost, the higher the cost of the breach. For a mega data breach (over one million records) costs were an average of USD 40 million, while a breach of over 50 million records resulted in an average total cost of USD 350 million. Breaches in the health sector were the most costly at USD 408 per capita, followed by financial services at USD 206, both figures substantially higher than the overall average.

US COMES TOP

US data breaches continue to be the most expensive, at more than double the global total average. The average total cost of a data breach in the US was USD 7.91 million and the average per record costs were USD 233. Notification costs are also highest in the US at USD 740,000.

The next highest average total breach cost was recorded in the Middle East (USD 5.31 million), followed by Canada (USD 4.74 million), Germany (USD 4.67 million), France (USD 4.27 million) and the UK (USD 3.68 million). The consolidated average per capita cost was also highest in the US (USD 233), followed by Canada (USD 202) and Germany (USD 188). 

COUNTER MEASURES

The study also showed that the faster a data breach can be identified and contained, the lower the costs. The global average time taken to identify a data breach was 197 days, while the average time taken to contain a breach was 69 days. Companies that identified a breach within 100 days saved USD 1 million, while those that contained a breach in less than 30 days saved over USD 1 million.

The deployment of a breach response team and the use of encryption were the two most effective methods of reducing breach costs. The average cost savings of using an incident response team was USD 14 per record, while the use of encryption reduced costs by USD 13 per capita. The involvement of business continuity management and training each lowered the cost of a breach by USD 9.

Third party involvement in a data breach, cloud migration at the time of the breach, and compliance failures were the most significant causes of increased cost. Third party involvement added USD 13 to the cost of a breach, while cloud migration and compliance failures added almost USD 12 apiece.

RECURRING PROBLEM

Malicious cyber attacks were the most expensive attacks to resolve, and also the main cause of data breaches in the study (48% of breaches followed a cyber attack, compared with 27% for human error and 25% for glitches). The average cost per record to resolve a malicious or criminal attack was USD 157 (USD 258 in the US), compared with USD 131 following a system glitch and USD 128 for a breach caused by human error or negligence.

The likelihood of a recurring material breach over the next two years is 27.9%, more or less the same likelihood as the 2017 study. Organizations in South Africa have the highest probability of experiencing a data breach (at 43%), while Germany has the lowest probability of having a future data breach (at 14.3%).

For more information on cyber insurance, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.