LONDON: The worst data breach incidents are costing UK businesses between £1.5 million and £3m on average through business disruption, lost sales and assets and damage to reputation, new research by the UK government and consultancy PwC has found.
03 Jun 2015
The most severe data breach incidents experienced by large businesses cost those companies at least £1.5 million on average and in some cases more than £3m, the information security breaches survey 2015 found. Almost all businesses experienced at least one data breach incident in the past year, with 90% of large organisations and 74% of small businesses reporting a security breach in the survey.
“This is a real reminder of the true costs of information security breaches, over and above the potential for regulatory fines and civil claims, and the administrative costs are set to rise under the General Data Protection Regulation currently being negotiated at EU level,” said data protection law expert Lucy Jenkinson of Pinsent Masons, the law firm behind Out-Law.com.
According to the study, there has been a near tripling in the cost to businesses of the worst data breaches they experienced, compared to figures obtained in the information security breaches survey in 2014.
The biggest cost to businesses stemming from a data breach incident relates to the business disruption caused by those incidents, the report found, with costs ranging from £800,000 to £2.1m on average for disruption spanning four to 11 days.
Other costs of data breaches, including the loss of assets such as intellectual property, lost business, and the time and money spent responding to incidents, were also highlighted, together with costs associated with the reputational damage experienced by businesses.
“The average cost of the worst single breach suffered by organisations surveyed has gone up sharply for all sizes of business,” the information security breaches survey 2015 report said. “For companies employing over 500 people, the ‘starting point’ for breach costs – which includes elements such as business disruption, lost sales, recovery of assets, and fines & compensation – now commences at £1.46 million, up from £600,000 the previous year. The higher-end of the average range also more than doubles and is recorded as now costing £3.14 million (from £1.15 in 2014).”
Half of the worst breaches could be attributed to “inadvertent human error”, according to the report. However, larger businesses are also becoming more of a target for cyber attacks, it said.
“Considering all breaches, there was a noticeable 38% year on year increase of unauthorised outsider attacks on large organisations, which included activities such as penetration of networks, denial of service, phishing and identity theft,” the report said. “Overall, three-quarters of large organisations suffered from this type of attack in 2015, up from just over half the previous year.”
According to the report, only 39% of large organisations and 27% of small companies believe they have insurance that would cover them in the event of a data breach. However, only a minority of those companies have dedicated cyber risk or data breach insurance cover, it said.
“For the organisations who claimed to have coverage, the majority believe that their existing insurance policies would cover their costs in the event of a breach, with a corresponding minority stating that they had purchased a specific cyber insurance policy,” the report said. “Of the organisations which have not purchased insurance, 12% were intending to purchase a policy in the next year, 47% felt that it was not a priority and 19% were not even aware of the existence of such coverage.”







