Risk in Context

Cyber Breach: Unpreparedness Costs up to 5X More

Posted by Julien Ducloy October 17, 2016

Has your organization analyzed the potential financial impacts of a major privacy/data breach? How much will a major breach cost? The answer depends on the effectiveness of your cyber security program and on your organization’s preparedness when responding to the inevitable.

When preparedness pays off… and improvisation does not

Our cyber risk quantification research has revealed that a data breach event in North America costs organizations with nascent or immature cybersecurity/incident response preparedness up to five times more than their peers with stronger practices.

The costs associated with a breach—particularly the cost of IT and legal investigation, crisis response services, business interruption, remediation, damages, defense, settlements, and fines and penalties—can vary greatly depending on:

  • How much time has elapsed before the breach is discovered. As time passes, more damage can be done internally via information systems or externally through the unauthorized use of the data.
  • The organization’s ability to manage the crisis. A lengthy response and resolution generally erodes the trust of the affected individuals and stakeholders and increases regulatory scrutiny and investigations, further impacting credibility and commercial reputation.
  • The availability of post-breach crisis response services provided by third-party vendors and business partners. Finding service providers in time of crisis may delay an organization’s response time and prevent it from negotiating a better price due to the urgency of the situation.
  • The length and complexity of legal defense. Lack of preparedness and inconsistencies in communications often strengthen the plaintiff’s position, and may even increase the settlement amount, fines and/or penalties.
  • The number of jurisdictions involved. The more jurisdictions involved, the greater the complexity, and consequently, the length of time required by your advisors to resolve issues.
  • Where the individuals affected by the data breach reside. Legal and regulatory costs are higher in the United States due to the litigious environment, multitude of regulators, higher fines, and the patchwork of state-driven notification requirements that result in a more complex and complicated response. Conversely, the cost of notification, identity protection, and credit monitoring is generally two times higher in Canada, the result of a less mature marketplace.
  • Whether the organization is found to be negligent. Where there is regulatory non-compliance, poor cyber security practices, or inconsistencies between stated organizational policies/procedures and those actually followed during an event, judges and regulators are more likely to impose punitive damages, sanctions, penalties, and fines.

Or, as succinctly put by one of Marsh’s collaborative cyber breach coaches, “cyber crisis management cannot be treated as a Do-It-Yourself project.”

By developing effective, organization-wide data breach response and cyber security practices adapted to one’s operations and potential threats, organizations suffering a major data breach are prepared to act in a timely and well thought out manner. Together these elements help you dramatically lower the direct and indirect costs of a data breach event.

Julien Ducloy

A Risk Management specialist for 12+ years, Julien started his career in the risk department of a large Parisian airport. Following this experience he held risk consulting positions at various auditing and consulting firms. Julien joined Marsh Risk Consulting in 2008 and formed the Enterprise Risk Management Practice, with an additional focus on technological and cyber risk exposures.