Cybersecurity Incident? That’ll be $200K Please



Brand new computer: $1,500. Hiring an information technology security administrator: $63,000 a year. Money saved by preventing a cybersecurity incident? Not priceless—it’s actually about $200,000 per event, according to a recent RAND Corp. study.

The $200,000 costs is about the same as a “typical company’s annual information security budget,” the study said. Sasha Romanosky, policy researcher at RAND and author of the study, said that the cost of a typical cybersecurity breach affecting a U.S. company is much less than generally estimated. 

“Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think,” he said. The costs of cybersecurity incidents were lower than losses caused by fraud, theft, corruption or debt, the study said.

Romanosky examined 12,000 cybersecurity incidents that were divided into four categories: data breaches disclosing personal information; security incidents resulting in disrupted business services or theft of intellectual property; harvesting personal information through phishing or skimming attacks; and unauthorized collection, use or transfer or personal information.  

Given the low cost of dealing with cybersecurity incidents and surveys that indicate that consumers are “mostly satisfied with the ways companies respond to data breaches,” companies don’t have the incentive to increase investments in data security and privacy protection measures, the study said.

However, another recent study gives a different number for a single cybersecurity incident cost. According to a report by Kaspersky Lab, one cybersecurity incident costs large businesses an average of $861,000 and small- and medium-sized businesses pay an average of $86,500.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.