In May, tucked away in its quarterly filing to the Securities and Exchange Commission, retail giant Target updated its running total of the cost of its 2013 holiday season breach.
The damages so far: $291 million. Those losses eventually may reach $370 million, according to the company’s estimates.
While the retail giant may have outdone its peers with the bill for its breach, it is hardly alone. U.K. mobile service provider TalkTalk attributed more than $80 million in losses to a breach that garnered information on 157,000 customers. Following its breach in 2014, Home Depot tallied at least $161 million in costs from the loss of 40 million payment-card accounts and more than 50 million e-mail addresses, the company claimed in March.
Yet, other companies have no idea how much damage their breaches have done. In February 2015, for example, hackers stole more than 80 million records from health insurer Anthem. More than a year later, the company cannot put a number to its damages.
“While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses,” the company stated in its latest quarterly SEC filing, listing a variety of unknowns: its ongoing investigation, the early stage at which legal proceedings progress, unknown damages and uncertainty in the number of lawsuits that will be filed.
Anthem’s uncertainty may not be an outlier. Determining the cost of a breach still is an unsettled science. Most often, analysts look at a limited set of costs, such as investigating the breach, notifying customers, offering protection services, complying with regulations, public relations, attorneys’ fees and cyber-security improvements.
Yet, in a report on the hidden costs of cyber-crime, business services firm Deloitte & Touche argued that the damages caused by incidents go beyond the commonly cited figures. Costs that typically are not counted include increases to insurance premiums, costs of operational disruptions, lost customers, lost contract revenue, increased cost to raise debt, loss of intellectual property and the loss of brand value.
“The big ‘ah-ha’ is not that these factors are rocket science, but in many cases, these are the types of things that CFOs (chief financial officers) look at every day and, for whatever reason, we have not been including these factors,” Emily Mossburg, a resilient practice leader for Deloitte Advisory Cyber Risk Services, told eWEEK. “There is such a technical lens put on cyber-risk and cyber-attacks that the business impact was not really part of the conversation.”
With these factors included, the costs of cyber-crime could be much higher.
In one scenario included it its report involving a healthcare firm, Deloitte estimated that the hidden factors could account for more than 95 percent of the actual cost of a breach.
Researchers Struggle to Determine True Cost of Data Breaches
The scenario—a hypothetical breach of 3.8 million patient records and the use of those records to access healthcare claims—could cost nearly $60 million in direct damages, Deloitte estimated. But the softer losses—especially lost contract revenue, lost customers and brand damage—could total more than $1.6 billion.
“While some of this increase is due to our growing awareness of the actual impact of breaches, in some ways, that impact—the damage—has always been there,” Mossburg said.
While the massive costs seem hyperbolic, they are in line with another study produced by Juniper Research that claims cyber-crime costs will surpass a massive $2 trillion in annual damages by 2019. The analyst firm claims that the average cost of a data breach will be more than $150 million by 2020.
A more modest estimate, from the Ponemon Institute’s “2016 Cost of Cybercrime” report, found that the average company could expect a $4 million loss per breach incident today. U.S. companies have consistently higher losses, including an average breach cost of $7 million and an average per-capita breach cost of $221. U.S. companies and organizations also encountered higher costs from the loss of customers, the report stated.
Larry Ponemon, chairman of the Ponemon Institute, argued that companies often have focused on the costs that are put onto the balance sheet, but increasingly they are realizing that a large number of soft costs should be included in the damages from a breach.
“It is kind of interesting that, as more and more companies are getting better at detecting attacks and preventing attacks, they are getting better are recognizing the costs of not doing it right,” he said.
Having a well-trained incident response team and extensively using encryption were the two strategies that most decreased the cost of data breaches, while the involvement of a third party in the data breach and a company’s use of an extensive cloud infrastructure were the two factors that most increased costs, according to the “2016 Cost of Cybercrime” report.
The disagreement between approaches is par for the course in data-breach calculations. In a paper comparing six data-breach cost calculators, two Colorado State University researchers found that each approach made different assumptions and arrived at different per-record costs for data breaches. (Three of the calculators were created in conjunction with the Ponemon Institute and three different sponsors.)
“There is a good amount of expertise behind them, but anyone who wants to use them should go ahead and plug in some numbers for well-known breaches and see what numbers they get,” Yashwant K. Malaiya, a professor of computer science at Colorado State and co-author of the paper on the research, told eWEEK.
Yet, researchers and analysts are getting closer to giving companies a good forecast of what a data breach might cost. Malaiya, for example, plans to consolidate the various methods of calculation and come up with a more accurate method to determine breach costs.