    Cyber Incident Response: The Real Cost of Not Having a Plan or Cyber Insurance

    By: Mike Burgard
    May 25, 2021

    Small business cyber breach costs add up at lightning speed. If you want to understand why, imagine that your house floods. We all know it’s not just the carpets you'll have to pay to replace.

    From the time spent trying to sort out the mess, to never being able to replace those old photographs that Grandma handed down to you, costs add up in ways you might never have considered. The lesson is that not all losses are monetary, but they are all significant.

    While the impact of a cyberattack hits companies large and small to different degrees, the damages caused by a data breach can put a huge dent in your business regardless of its size.

    We’ve compiled a list of losses that will surprise you—and we hope will convince you that you need a plan.

    Let’s talk numbers

    • The average cost of a malware attack on a company is $2.6 million.
    • The average cost of a data breach is $3.9 million.
    • The estimated downtime costs for small/midsize businesses hover around $23,000.

    We assume these are numbers you don't enjoy reading. Fortunately, you don’t need to worry about them as much if you have an IT incident-response plan.

    Many of the losses that comprise these statistics aren’t necessarily costs you think of right away. So, don’t wait for the brain fog that sets in after a cyberattack. Start learning what costs you might be looking at, if you don’t already have a plan in place, by checking out the list below.

    Monetary losses you’ll face in the event of a breach

    1. Incident response firms

    These costs range anywhere from $30,000 to $150,000. All 50 states have different privacy laws, but you may have to notify your lawyers or all your clients, depending on how big of a loss you’re facing.

    Unfortunately, this will come out of your pocket. If you opt out, you might violate disclosure laws by withholding information on what happened and how.

    2. Ransom

    When hackers gain access to your information, they’ll often request a ransom in exchange for retrieval of the lost data.

    The majority of corporations pay an average of $178,000, out of fear that the exfiltrated data might still be leaked on public platforms elsewhere. The important thing to know here is that the FBI advises never paying that ransom. At the very least, never negotiate or pay a ransom yourself; always involve the experts.

    3. Incident recovery services

    Chances are, you have a backup of your data. But those online backups can often become corrupted as well if hackers have gained access to or tampered with passwords.

    Backup and restoration services are costly and time-consuming. Fortunately, companies often cover the cost of these services if you commit to a cyber insurance plan.

    4. Equipment recovery

    For example, say you have to buy 50 new laptops because your company’s PCs are now fried. That’s a tough pill to swallow, not to mention the various other equipment losses you might face.

    These numbers can range drastically depending on your business type, because equipment costs get expensive fast.

    5. Legal services

    We estimate that legal fees can add up to about $25,000 fairly quickly. In the event you’re facing a lawsuit, getting professionals involved with crunching the numbers and hunting down criminals isn’t cheap.

    These fees include the hiring of IT security, risk management consultants, lawyers, investigators and auditors.

    The hidden losses that are harder to quantify

    1. Insurance premium increases

    In the event you lack cyber insurance at the time of a data breach, seeking insurance after the attack will come with a price. If you don’t have cyber insurance already, you should get it today.

    Even those business owners with some type of cyber insurance could face higher renewal fees—and often have their cyber “maturity” within their corporation questioned.

    2. Loss of customers

    Studies show that people are less likely to do business with a company following a public data breach. It’s hard to estimate the dollar amount placed on customer disengagement, but that number can be hefty if you don’t act fast after a breach. Issuing immediate apologies and letting your customers know what you’re doing to improve security can help curb the damage.

    3. Operational destruction

    Cyberattacks are often linked to operational facilities and online infrastructure used in the day-to-day tasks within a company.

    This might mean building temporary infrastructure, rebuilding current programs and increasing resources to replace system shutdowns. Having to unplug and isolate computers (or taking time to figure out what system the hacker is tampering with) can cost you in the long run.

    4. Increased borrowing fees

    Following a cyber security incident, victims often will see a spike in borrowing or reborrowing fees due to a drop in credit score rating.

    Although you might feel the attack was out of your control, lenders might not see it that way and penalize you with higher interest rates. Having an airtight incident response might help you avoid that, and it will certainly paint you in a better light.

    5. Downtime

    What’s the loss of income if you have to shut your doors for 72 hours? It might not seem huge, but depending on the size of the breach, the shutdown includes the cost of paying wages, rent and utilities for these days—while suffering a loss of productivity.

    You might also have to pay for setbacks this could cause with customers. Plan how you can salvage your productivity during downtime, and check with your cyber insurance plan to see if income loss is covered.

    Takeaway: It’s just too big of a financial risk.

    Without cyber insurance, a cyber incident can cost you anywhere from $450,000 to $850,000 overall. Let’s be real: That’s a large expense for any company.

    The only ways to avoid these perilous numbers are to put an emphasis on cyber security awareness and have a plan to mitigate the damage in case disaster strikes. Marco is here to ensure you’ve got an incident response plan that fits your needs.
