By Clive Riddle, July 31, 2020

IBM Security has just released their 82-page 2020 Cost of a Data Breach Report, “a global study examining the financial impact of data breaches” finding that overall “these incidents cost companies studied $3.86 million per breach on average, and that compromised employee accounts were the most expensive root cause.”

Healthcare is unfortunately the leading industry in this arena. IBM tells us that “In the healthcare industry, the average cost of a data breach in 2020 was $7.13 million. Of the 17 industries surveyed, healthcare ranked first in average cost. The average time to identify and contain a breach in this industry was 329 days.”

The study was “based on in-depth interviews with more than 3,200 security professional in organizations that suffered a data breach over the past year….Based on in-depth analysis of data breaches experienced by over 500 organizations worldwide, 80% of these incidents resulted in the exposure of customers' personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses studied.”

The report states that “the average cost of a data breach has fluctuated between $3.50 million and $4.00 million in recent years.” For healthcare, it averaged $8.6 million in 2015 and reached $10.0 million in 2019, before reducing to $7.1 million this year.

Their overall conclusions include:

• ·         Companies studied who had fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs compared to those who didn't have these tools deployed – $2.45 million vs. $6.03 million on average.
• ·         In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, studied businesses saw nearly $1 million higher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.  
• ·         Breaches wherein over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost studied companies $364 million on average, a cost increase of $19 million compared to the 2019 report.
• ·         The Most Damaging Breaches: Data breaches believed to originate from nation state attacks were the costliest, compared to other threat actors examined in the report. State-sponsored attacks averaged $4.43 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.

The interactive version of the report provides an industry-specific calculator that shows the average cost of a data breach associated with various factors and the average amount organizations estimated these factors either increased or decreased the cost in the selected country or industry. This analysis looks at only one variable at a time and multiple cost factors cannot be combined.

We selected the healthcare industry, and ran the calculator for the following factors, yielding industry-specific results in order of dollar magnitude:

1. Incident Response Testing - $275,136
2. Business Continuity Plan- $273,585
3. AI Platform - $232,452
4. Employee Training - $245,920
5. Extensive Encryptions - $195,376
6. Formation of IR Team - $193,720
7. Security Analytics -  $186,820
8. Board Involvement - $181,526
9. Red Team Testing - $176,730
10. Cyber Insurance - $175,091
11. Vulnerability Testing - $174,708
12. DevSecOps - $174,671
13. Threat Intel Sharing - $160,294
14. Data Loss Prevention - $133,583
15. CISO Appointed - $111,532
16. ID Theft Protection - $48,693
17. Managed Security System- $41,946

We should note that this Wednesday, August 5, 2020, at 2 PM Eastern, Alaap B. Shah, Member of the Firm, Epstein Becker Green will update health plans on cybersecurity trends and risk management response preparedness and best practices, in the complimentary HealthcareWebSummit event: Health Plan Cybersecurity Trends and Risk Management Response Preparations.