Average Data Breach Cost Hits All-time High of $4.4M

According to IBM’s annual Data Breach report, the average cost of a data breach reached an all-time global high of $4.45 million, up 2.3% from 2022 and 15.3% since 2020.

While $4.45 million is the average across the 16 countries included in IBM’s survey of 553 organizations, breaches in the United States cost far more than the average. The 2023 average hit $9.48 million, according to the report.

Health care organizations saw even more of a jump—the average cost of a breach for the sector rose 53.3% in the same period, IBM said in its 2023 report. This year was the thirteenth in a row when the health care sector reported the highest average breach cost (now at $10.93 million). The average cost per breached record increased slightly to a new high—up to $165 per record from $164 one year ago. This has jumped from $146 in 2020, IBM noted. The survey assessed breach events with a range of 2,200 to 102,000 records.

In its survey, the firm highlighted breach investigation tactics that could either reduce costs or increase them. For example, organizations that didn’t call in law enforcement during ransomware attacks experienced an extra $470,000 in costs on average and faced longer recovery times.

“While 63% of respondents said they involved law enforcement, the 37% that didn’t paid 9.6% more and experienced a 33-day longer breach lifecycle,” IBM noted. Longer breaches, in general, produce higher than average costs—events stretching over 200 high $4.95 million on average, while those at fewer than 200 days cost 23% less at $3.93 million.

Threat detection costs appeared to drive the average breach cost, rising 42% in the last three years, according to the report, suggesting cyber event investigations have become more complex.  Just one in three respondents said their own security teams detected breaches—it was far more likely (67%) for third parties or attackers themselves to reveal intrusions. Organizations also faced nearly $1 million in extra costs when cyber threat actors disclosed breaches. Cyber attackers also showed an increasing preference for infiltrating the cloud – 82% of the breaches evaluated involved cloud data in public, private, or hybrid environments. When threat actors could access multiple environments, breach costs skewed even higher, up to an average of $4.75 million.

Despite higher costs, just 51% of organizations said they planned to increase their cybersecurity spending. Instead, more than half (57%) said they would pass the costs through to customers. Nearly all (95%) surveyed organizations had experienced more than one breach.

One area where organizations may want to invest more is in artificial intelligence tools to help detect breaches. Businesses leveraging AI and automation tools extensively in their networks identified and contained breaches, on average, 108 days quicker than their less tech-forward counterparts and saw average costs of $1.76 million lower than other organizations.

“Time is the new currency in cybersecurity, both for the defenders and the attackers. As the report shows, early detection and fast response can significantly reduce the impact of a breach,” said Chris McCurdy, general manager, worldwide, IBM Security Services, in a statement. “Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders’ speed and efficiency—such as AI and automation—are crucial to shifting this balance.”

This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2023 Zywave, Inc. All rights reserved.