SEC Chair Mary Jo White recently opined that cyber security is the biggest risk facing the United States financial system. Companies should take heed of that warning in light of the release of the 2016 Cost of Data Breach Study by IBM and the Ponemon Institute, which showed that average response costs for data breaches continue to rise.
According to that study, the total average cost of data breach incidents to companies located in the United States increased from $6.53 million to $7.01 million between 2014 and 2015. That represents an approximate 7% increase in the average cost of responding to a data breach. The study observed that, over its 11 year history, there has not been significant fluctuation in the response cost. While this might seem comforting, IBM and the Ponemon Institute note that this indicates another chilling likelihood: “it is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.” In addition, the biggest financial consequence to organizations that have experienced a breach is not the cost of responding to the data breach (which is onerous), but the loss of business.
This sobering analysis supports Chair White’s concerns about data security risks and underscores the severity of the problem. Given the staggering cost of data breaches, a firm should plan well in advance to mitigate its exposure to such costs. For example, the study also provided that while half of all data breaches resulted from a malicious attack, “23 percent of incidents were caused by negligent employees, and 27 percent involved system glitches that included both IT and business process failures.” That means half of the breaches might have been avoided with proper training and IT protocols. Given that data breaches aren’t going to go away, companies should consider factors noted in the study that decrease the cost of responding to data breaches, including “[i]ncident response plans and teams in place, extensive use of encryption, employee training, BCM involvement or extensive use of DLP.” Companies may also wish to consider cyber-insurance policies to help bear the costs associated with data breaches. But given the alarming costs detailed in the study, companies should keep in mind the old adage that an ounce of prevention is worth a pound of cure.