Trying to measure the cost of a breach

CISOs know that data breaches cost money. One question is how much; another is whether the rest of the organization knows.

To answer the first question Deloitte recently issued a white paper with a calculation to show how many costs aren’t being considered by management. In one hypothetical case, as reported by David Wheldon, the damage could be up to US$1.6 billion over five years. That’s right. For a theoretical breach of 2.8 million records from a U.S. private health insurance company the damage could run into 10 figures.

Read the full report here

Not all of the numbers would be applicable to Canada in this particular example. For example, because most Canadians are covered under the government funded heath insurance, private insurers here are smaller — and, of course, we have a smaller population. While the dollar values would be smaller, the factors would be the same. So the Deloitte calculation includes an estimated $230 million loss to brand image to the insurer. There’s a lost value of customer relationships at $430 million over three years. These  would apply to a retailer or manufacturer.

However, there are a lot of other so-called beneath the surface costs the C-suite may not be thinking of today: operational costs, insurance premium increases, and, if necessary, the cost of raising debt to pay for these and other costs.

Then there’s the expected costs: Notifying potentially-affected customers and partners, paying for customer protection services, hiring forensic investigators, possibly hiring a crisis reaction team for public relations, facing customer/partner lawsuits, paying regulatory fines, loss of intellectual property (perhaps incalculable)  and — of course — cyber security improvements including awareness training.

This isn’t meant to scare management (well, maybe it should, so they pay more attention to cyber security). After all, some of the biggest names who have suffered some of the biggest breaches (Target, Home Depot, Sony) are still in business. But boards and senior management need to take these ramifications into account more when doing risk assessments.

As one expert quoted in the story says, often the most under-estimated significant impact across organizations is business disruption.

Among the report’s conclusions is that “effort should be taken to define the organization’s top risk areas and assets and model realistic attack scenarios. This enables an organization to establish a reasonable level of investment in various areas of a cyber risk program.”

(Editor’s note: This story has been corrected from the original version, which said the theoretical victim company was a hospital. Also, now there’s a link to the full report)

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now