The Endless Financial Ripple Effect of a Data Breach


The value of data stolen during a breach can be a massive blow to a company. However, as a recent study by Deloitte explains, the years-long fallout from that breach is even more devastating—underscoring how ineffective security can destroy a business.

The analysis, “Beneath the Surface of a Cyberattack,” points out that public perception of attack scope is often clouded by what companies must legally report—notably, the theft of personal information. But above and beyond regulatory fines, there is a domino effect of not-so-obvious costs related to “reputation damage, operational disruption, or loss of proprietary information or other strategic assets.”

Deloitte’s paper details 14 factors impacting attacks—some costs related to the incident itself, others far less visible.

Above the Surface:

  • Technical Investigation
  • Customer Breach Notification
  • Regulatory Compliance
  • Attorney Fees and Litigation
  • Post-Breach Customer Protection
  • Public Relations
  • Cybersecurity Improvements

Beneath the Surface:

  • Insurance Premium Increases
  • Increased Cost to Raise Debt
  • Impact of Operational disruption or destruction
  • Value of Lost Contract Revenue
  • Devaluation of Trade Name
  • Loss of Intellectual Property
  • Loss of Value of Customer Relationships

These beneath-the-surface, often unanticipated, costs turn out to be the most impactful.

Both inside and outside threats could’ve been detected in their infancies, especially with machine-learning enabled analytics

The paper presents case studies of two different companies attacked in very different ways. One is a U.S. health insurer with $60 billion in annual revenue, the other a U.S. technology manufacturer with $40 billion in annual revenue. Deloitte reports that the insurer lost a total of $1.6 billion over five years to recover from its incident involving PHI records downloaded using privileged credentials (and discovered five days too late), with merely 3.5% of that cost incurred above the surface. Meanwhile, the tech manufacturer’s IP was stolen by a foreign state which reverse-engineered its product. Here, the loss rose to $3.2+ billion over five years, with less than 1% of that reflected in above the surface hits.

The bad news: Cyberattacks are unavoidable (and, not to mention, on the rise). Still, they can be stopped short. While Deloitte’s report doesn’t elaborate on the security details that failed each company, it’s more than likely they weren’t using behavior analytics. Both inside and outside threats could’ve been detected in their infancies, especially with machine-learning enabled analytics bolstering their current security investments.

There are many takeaways from this report, but the underlying lessons are resounding. Security can’t be a mere risk-management line item anymore; it needs to become a fundamental part of business strategy. And that solution must be powerfully proactive.