Analysing the cost and expenses of Cyber Breaches

When a cybersecurity event materializes, the victim suffers losses and/or costs that depend on the cause of the data breach and on the cyber defences in place. These losses and costs are of various types and affect the business through different channels. Most of the time it is difficult to pin down the exact loss or cost a company will suffer if a specific type of breach occurs.

Cost Statistics:

The annual study conducted by the Ponemon Institute covers 15 countries, namely: United States (US), United Kingdom (UK), Germany (DE), Canada (CA), France (FR), Italy (IT), Japan (JP), Australia (AU), the Middle East (ME), Brazil (BZ), India (IN), South Africa (SA), ASEAN (AS), Turkey (TY) and South Korea (SK). The sample consists of 477 companies from different types of industries.

The global average per capita cost for the entire sample was $148 in 2018, compared with last year's average per capita cost of $141. The highest value was recorded in 2016, followed by 2015. The countries with the highest per capita cost are the United States, Canada, and Germany, at $233, $202, and $183 respectively, whereas Turkey, India, and Brazil have much lower per capita costs at $105, $68 and $67, respectively.

By industry, the health sector had the highest per capita cost, at $408 million, while the financial sector's cost is half that of the health sector. The public, research and retail sectors have the lowest per capita costs, at $75, $92 and $116, respectively.

Types of Losses:

There are two broad categories of losses that can arise when a cyber event materializes: first-party and third-party losses. First-party loss refers to the direct losses incurred when a breach happens, whereas third-party loss is the loss incurred when the breach happens at a third party's premises. As presented in the Bloomberg report[2], the lists of losses are given below.
The list of first-party losses is provided below:

  1. Forensic analysis to determine the extent of the damage, including root cause analysis
  2. Crisis response costs
  3. Public relations efforts, including possibly engaging consultants
  4. Fees for legal advice and counselling
  5. Business loss, including lost income, impact on reputation or lost digital assets like intellectual property, customer lists, or other data
  6. These losses can originate from a direct breach or a breach of a business partner, vendor, supplier, or company upon which your company is dependent
  7. Losses resulting from social engineering schemes, such as fraudulent payments to imposters or other cybercriminals
  8. Ransom payments, including to cybercriminals
  9. Physical loss, such as damage to hardware
  10. Repair, including restoring or replacing data
  11. Improving cybersecurity

Third-party expenses incurred by the company when a breach happens are of various types and depend on the type of data that was leaked. The list is provided below:
I. Incidents Involving Compromised Personally Identifiable Information:

For incidents that compromise personally identifiable information (PII) of third parties, such as customers, clients, or patients, the costs of:

  1. Contacting and notifying affected third parties
  2. Providing credit and identity monitoring
  3. Providing call centres for customer service and updates
  4. Providing identity restoration services
  5. Providing identity theft insurance
  6. Replacing credit cards or other products
  7. Forensic IT or accounting services
  8. Public relations
  9. Breach coach counsel
  10. Other crisis response actions

II. Incidents Involving Lawsuits and Similar Claims:

  1. Expenses and legal fees incurred to defend individual lawsuits and class actions
  2. Amounts the insured becomes legally obligated to pay due to settlement or judgment

These claims or lawsuits may be brought against:

  1. The company, by customers whose personal information was compromised
  2. The company, for failure to adequately hire, train, or supervise employees
  3. The company, by banks or other financial institutions that may have covered fraudulent charges to customer accounts or that may have replaced compromised credit cards
  4. Directors and officers, alleging that they failed to adequately oversee cybersecurity or procure adequate cyber insurance

III. Incidents Involving Government Inquiries, Investigations, Subpoenas, Demands and Similar Claims:

Expenses, including fines and penalties, and legal fees associated with government inquiries and investigations, potentially initiated by:

  1. Federal Trade Commission
  2. Federal Communications Commission
  3. Consumer Financial Protection Bureau
  4. Securities and Exchange Commission
  5. U.S. Department of Justice
  6. Other Federal or State Agencies

IV. Other Third-Party Liabilities and Expenses:

  1. Contractual payments or other losses and liabilities for which a policyholder may be liable absent any contractual requirement, including payments related to enforcement of PCI Data Security Standards (PCI DSS) in merchant services agreements
  2. Remedying the transmission of viruses or other malicious electronic material to third parties


While going for cyber insurance, the above-mentioned losses are required to be taken into consideration. These losses and expenses are very difficult to estimate and only a broad quantification is possible. No standardization exists in cyber insurance domain in this respect.