The cost of a data breach has been rising steadily each year, with the average in 2021 coming in at £3.2m, an increase from £2.9m in 2020. Much of this comes from easily quantifiable costs such as system downtime, lost business, fines, and ransom payments. But the costs of a data breach can continue for many years after the event – here are four long-term factors affecting organisations after an attack.
1. Higher insurance premiums
Cyber security insurance premiums have been increasing across the board, with a supply squeeze taking place as insurance companies become more reluctant to provide coverage while demand has increased significantly. According to Howden, the number of US insurers reporting a lower capacity for cyber security insurance skyrocketed from 10% in Q1 2020 to over 70% in Q1 2021. In the same period, demand from customers for insurance rose from 60% to over 90%.
The increase in premiums will be significantly higher for organisations that experience a data breach. According to a report from Deloitte, it was not uncommon for premiums to increase by 200% for the same level of coverage after a company suffered an attack. In some instances, insurers have refused coverage altogether until the organisation can demonstrate that improvements have been made to its cyber security defences.
2. Loss of investor confidence
Organisations that have been victims of a cyberattack frequently suffer from a loss of investor confidence, with both individuals and institutions less likely to buy or hold stock in the aftermath of a breach. The effect on a company’s share price can be significant in both the short and long term, with a study from Sustainability finding an average 18.5% loss over the following twelve months.
While the share price can be impacted by both the immediate costs and the long-term ones mentioned in this article, larger enterprises can also see their ratings from agencies downgraded. Most notably, after Equifax suffered a high-profile data breach in 2019, its outlook was changed from stable to negative by Moody’s as a direct result of the attack.
3. Impact on credit rating
Enterprises which have suffered an attack can find it more difficult and expensive to raise debt afterwards, as creditors reassess the business as higher-risk. This can make it difficult for the business to raise additional funds or renegotiate existing debts, which has an especially negative impact on start-ups, for example, or other pre-profit businesses.
A Deloitte report stated that companies typically have their corporate credit rating downgraded by one level after becoming the victims of an attack. Perhaps the most high-profile incident involved the major US retailer Target, which had its rating downgraded by Standard and Poor’s after a security breach.
4. Ongoing legal costs
Data breaches which cause the loss of personally identifiable customer data can incur significant legal costs for the organisation which suffers the attack. In addition, individuals may suffer cyberattacks for years after the event, making potential liabilities both expensive and difficult to quantify. This is particularly exacerbated if credentials are reused, with lists of usernames and passwords from data breaches frequently exchanged on the dark web for malicious actors to use.
How organisations can mitigate these risks
While the cost of a security breach can vary between industries and organisation size, the long-term impact makes the risk significant for any business. In addition to the more tangible long-term costs above, the PR impact, a loss of confidence among industry partners and prospective employees, and the professional cost to high-ranking individuals at the organisation can all negatively impact the future outlook.
A breach can be caused by a number of factors, but by far the two most common are phishing and the use of stolen credentials, according to Verizon’s 2021 Data Breach Investigations Report. When adopting a risk-based approach to mitigating the risks of data breaches, addressing these two attack vectors is a clear priority.
An Identity and Access Management (IAM) solution can mitigate the risk of both of these attack vectors by addressing the root cause of the problem – passwords. By taking the problem of passwords out of the hands of end users and putting the organisation back in control, both phishing and the use of stolen credentials become significantly more difficult for malicious actors to take advantage of. If passwords are undisclosed to users or replaced by secure tokens, they cannot be phished, stolen, or made available for sale on the dark web.
The adoption of an IAM solution can also help to lower insurance premiums and boost stakeholder confidence by demonstrating a proactive approach to mitigating the risks of a security breach. By eliminating the widespread security vulnerabilities associated with passwords, not only can the risk of a breach be significantly mitigated, so can the potential impact should one occur.