In 2017, credit rating agency Equifax suffered a massive data breach, ultimately costing the company over $1.4 billion in legal settlements, regulatory fines, and cybersecurity expenses. That same year, shipping giant Maersk fell victim to the NotPetya ransomware attack, which inflicted an estimated $10 billion in global damages. Maersk alone incurred more than $300 million in system restoration, business interruption, and lost revenue.
Even setting aside those high-water marks, IBM’s latest Cost of a Data Breach report discovered that from March 2023 to February 2024, the average global cost of a data breach reached an all-time high of $4.88 million, a 10% jump over the previous period.
Given the potentially devastating and rapidly rising financial toll of cyber incidents, CISOs face mounting pressure to effectively communicate cyber incident financial costs to C-suite executives and corporate boards, often navigating a fine line between realistic projections and worst-case scenarios. Miscalculations that underestimate incident costs can lead to negative internal repercussions and even job loss for some CISOs.
Many CISOs struggle to articulate the financial impact of cyber incidents. “The role of a CISO is really interesting and uniquely challenging because they have to have one foot in the technical world and one foot in the executive world,” Amanda Draeger, principal cybersecurity consultant at Liberty Mutual Insurance, tells CSO. “And that is a difficult challenge. Finding people who can balance that is like finding a unicorn.”
Experts agree that the most effective way for CISOs to communicate the potential costs of a breach to decision-makers is by developing as accurate an estimate as possible, often referencing comparable incidents. They say the best approach to developing these estimates is by establishing and practicing an incident response plan and conducting tabletop exercises.
Finally, they recommend that CISOs proactively engage leadership in discussions about potential costs before an incident occurs, ensuring the organization is ready for the financial realities of a cyberattack.
Tallying the costs of a cyber incident
The two big buckets of incident costs are direct and indirect costs.
“The direct incident costs are the things that the organization does to immediately get out of that incident,” Draeger said during a talk at this year’s Shmoocon. “Think about your stop-the-bleeding activities, immediately patch the server, take it offline, rebuild, those sorts of things. You might hire some professionals, an incident response firm to come in and help your organization with that incident.”
“There might be a ransom payment and the fees that go along with that and cryptocurrency conversion fees,” she said. “Working with a professional negotiator — I highly recommend not doing this on your own — they can save you a lot of money. Also, consider network asset loss because sometimes the damage is so much you can’t recover.”
CISOs should also factor in the compliance costs that accompany some incidents. For example, “if sensitive personal data was leaked, there might be notification of regulatory bodies,” Draeger said. “There might be notification to individuals that have been affected.”
Indirect costs, while hard to gauge in the immediate aftermath of an incident, might be extensive and can include regulatory fines, increased insurance premiums, reputational damage, and loss of market share. However, business disruption may be the most significant cost and the most difficult to estimate.
“The really big thing here is understanding just how long a business interruption takes,” Draeger said. “A short ransomware incident can take about three weeks. More often, recovery takes months. And we’ve seen, especially with a couple of recent libraries, it can take over a year to get all of their services back up and running.”
Most of these items are covered by insurance, but one significant expense, the betterment of organizational systems after the incident, is not. “You’re on your own,” Draeger said. “You’re going to need to invest your organization’s dollars to do that.”
The importance of practice in estimating costs
Quantifying the costs of an incident in advance is an inexact art greatly aided by tabletop exercises. “The best way in my mind to flush all of this out is by going through a regular incident response tabletop exercise,” Gary Brickhouse, CISO at GuidePoint Security, tells CSO. “People know their roles so that when it does happen, you’re prepared.”
It also helps to develop an incident response (IR) plan and practice it frequently. “I highly recommend having an incident response plan that exists on paper,” Draeger says. “I mean literal paper so that when your entire network explodes, you still have a list of phone numbers and contacts and something to get you started.”
Not only does the incident response plan lead to better cost estimates, but it will also lead to a quicker return of network functions. “Practice, practice, practice,” Draeger says. “Absolutely practice every step of your incident response plan and whatever your critical processes are. Be able to run manually. Be able to run on paper. If it requires that a form is printed out, have a stash of them somewhere. Whatever you need to do to run without your network until you can get your network up, have that system already in place.”
Stephen Boyer, founder and chief innovation officer of Bitsight, tells CSO that one big handicap CISOs face is the lack of a common method for calculating incident costs. CISOs can rely on various risk management models to estimate the expected costs of the variables that make up breach costs; two of the most frequently used are the FAIR Institute methodology and Monte Carlo simulation.
“But, there’s not a universally accepted standard for measuring and predicting the losses,” Boyer says. Miscalculating the costs can significantly damage a CISO’s reputation or even lead to job loss. “If something comes back and we have an annual expected loss of $50 million, maybe it’s $54 million, maybe it’s $48 million. But if then something comes back and you have a loss of $60 million, it’s like, ‘Hey Steven, you’re an idiot.’”
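To show how the Monte Carlo approach turns the direct and indirect cost buckets described above into an annual expected-loss figure with a tail, here is an added example (not code from the article or from any of the firms quoted); every distribution, probability and dollar amount in it is a constructed assumption for illustration, not data from the page.

```python
import math
import random
import statistics

# Constructed assumptions (USD): lognormal buckets are (median, sigma).
ASSUMPTIONS = {
    "incidents_per_year": 0.4,            # Poisson rate of material incidents
    "ir_firm": (250_000, 0.5),            # direct: incident response firm
    "ransom_and_fees": (1_000_000, 0.8),  # direct: ransom, negotiator, crypto fees
    "asset_loss": (150_000, 0.7),         # direct: unrecoverable network assets
    "notification": (200_000, 0.6),       # direct: regulator/individual notices
    "regulatory_fines": (500_000, 1.0),   # indirect: fines, if levied
    "daily_interruption": (75_000, 0.5),  # indirect: lost revenue per day down
    "outage_days": (21, 365, 60),         # triangular (low, high, mode): 3 weeks to a year
    "p_ransom_paid": 0.3,
    "p_fined": 0.4,
}

def _lognormal(rng, median, sigma):
    return rng.lognormvariate(math.log(median), sigma)

def _poisson(rng, lam):
    """Knuth's method; the random module has no Poisson sampler."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def sample_incident_cost(rng, a=ASSUMPTIONS):
    """Total cost of one incident: direct buckets plus indirect buckets."""
    direct = (_lognormal(rng, *a["ir_firm"]) + _lognormal(rng, *a["asset_loss"])
              + _lognormal(rng, *a["notification"]))
    if rng.random() < a["p_ransom_paid"]:
        direct += _lognormal(rng, *a["ransom_and_fees"])
    days = rng.triangular(*a["outage_days"])  # business interruption length
    indirect = days * _lognormal(rng, *a["daily_interruption"])
    if rng.random() < a["p_fined"]:
        indirect += _lognormal(rng, *a["regulatory_fines"])
    return direct + indirect

def simulate_annual_loss(n_years=20_000, seed=1, a=ASSUMPTIONS):
    """Return (expected annual loss, {percentile: loss}) over n_years trials."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        incidents = _poisson(rng, a["incidents_per_year"])
        losses.append(sum(sample_incident_cost(rng, a) for _ in range(incidents)))
    losses.sort()
    pct = {p: losses[int(p / 100 * (n_years - 1))] for p in (50, 90, 95, 99)}
    return statistics.fmean(losses), pct
```

With these assumptions most simulated years contain no incident, so the median annual loss is zero while the mean is driven by the tail; reporting the 90th and 99th percentiles alongside the expected loss is what keeps a single-number estimate from looking like a miss when a bad year lands.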
“The average lifespan of a CISO is around 18 to 24 months, which is not what I want for a member of my executive team,” Draeger says, speaking of the potential fallout for CISOs. “We have seen CISOs being used as something of a scapegoat, which shows a fundamental lack of understanding of how to use these people well.”
Be proactive in communicating incident costs
After developing the breach cost estimates, CISOs benefit from communicating them to the board and other leaders as soon as possible, ideally well before an incident occurs. “Proactivity is better than reactivity,” according to Boyer.
“Let’s say I’ve not been hit with a ransomware attack,” he says. “There’s been no business email compromise, but I know it’s only a matter of time before these things will happen. Do I have to develop all this in advance and give it to the board or the C-suite, or do I wait and have it already and then give it to them? Is it incumbent on them to be proactive now before anything happens? I believe that you almost always want to be proactive.”
Proactively informing the board and leadership also helps spread the risk. “If you want to do any amount of risk transfer, which is insurance, you’re going to have to go through this exercise anyway because you’re going to need to decide how much coverage you want,” Boyer says.
Brickhouse advises CISOs to establish “cadence and communication” with top management and the board before something happens. He also suggests that CISOs should reach out to top management and the board to take advantage of the timing of highly noteworthy cybersecurity incidents.
“We always talk about never letting a good headline go to waste,” he tells CSO. “Never let a good crisis go to waste. And so, when you see other organizations with data breaches, [tell the board], ‘Hey, this company, it just cost them $4 million.’ That’s a great opportunity to go in front of your board and talk about what’s happening in the industry right now. You can say we just saw a company, and maybe if it was in your same industry, they had this issue; this is how it happened and how much it cost. Oh, by the way, if this were to happen here, here’s what we’re thinking about.”
The bottom line for Brickhouse: “There is definitely something to be said about building that rapport with the board and talking about it in that context before ever having your own incident.”