Companies that focus on the immediate breach remediation costs may be missing the big picture, and could be under-investing in security as a result.
Several studies have come out recently trying to get a handle on the total costs of a data breach, with a large variation in costs - from less than $1 million on average, to $6 million - based on the data sets and types of included costs.
But the actual numbers could be several times higher.
Take the Yahoo breach, for example, which could lead to a $1 billion drop in the company's value.
Last month, shortly after Verizon agreed to buy the company for $4.8 billion, Yahoo revealed that 500,000 million accounts were hacked in 2014. Now, Verizon is reportedly asking for a $1 billion discount.
"This demonstrates firsthand the significant destruction of value that can result from a massive breach," said John Gunn, spokesman at VASCO Data Security.
In fact, the total value can be even higher, said Michael Lipinski, CISO and chief security strategist at Securonix.
"The lawsuits alone against Yahoo may be substantial," he said. "It’s possible that the Yahoo value falls even more than the $1 billion number reported on today. With the substantial financial risk overshadowing Yahoo and lack of another suitor stepping up with a competitive offer, I would anticipate Verizon getting even more aggressive with the negotiations."
Companies typically underestimate the total costs of a breach dramatically, according to a recent report by Deloitte Advisory Cyber Risk Services.
In an in-depth analysis of two scenarios, researchers found that between 75 and 95 percent of the total costs of the breach were "hidden" costs that were not immediately apparent.
Of course, every situation is unique, said John Gelinne, managing director of Deloitte Advisory Cyber Risk Services at Deloitte & Touche.
"Companies operate in different threat environments," he said. "It's not a one-size-fits-all."
According to Deloitte, typical "above the surface" breach-related expenses include such items as post-breach consumer protection, cybersecurity improvements, customer breach notification, legal costs and fines, public relations, and forensic investigations.
But those are just the immediate, obvious costs. The total impact includes such items as lost revenues and lost customer relationships, brand devaluation, increased cost to raise debt, higher insurance premiums, operational disruptions, and the loss of intellectual property.
In the two scenarios analyzed, the total cost of the breach went from $59 million to $1,679 million and from $26 million to $3,258 million when those other factors were considered for the five-year period immediately after the incident.