Boards Must Ask: What are the costs of a breach?
By
Branko Terzic
Members of the Board of Directors of U.S. Critical Infrastructure companies should look closely at the 2024 IBM Cost of Data Breach Report. The study includes energy, public sector, communications, finance, healthcare, technology, transportation in this category. In my discussions with electric, gas and water utility executives and directors I note that there is an understanding of the vulnerability of infrastructure to hacker attacks but not an awareness of what the costs of such an attack would be.
What is the cost to a regulated public utility of not being protected from breaches in IT and OT systems by hackers?
The IBM study answers that question. An analysis of the study provides an estimate of an average of $11 million dollars costs for a data breach of a critical infrastructure company in the US.
| Cost of Breach | |
|---|---|
| Globally average cost of data breach | $4.45 Million |
| Globally average cost of data breach for Energy | $4.78 Million |
| Globally cost of date breach for infrastructure | $5.24 Million |
| Globally cost of data breach for other industries | $3.78 Million |
| U.S. average Cost of Data Breach | $9.48 Million |
Making the assumption that US infrastructure costs, similar to global average costs, are 18% higher than the $9.48 M average U,S, Costs of Data Breach yields a U.S. average cost of data breach for infrastructure of $11 Million.
The IBM report also indicated that it took the average firm 207 days to even identify a breach. Most surprisingly IBM reports that more than a quarter of the breaches were brought to the company’s attention by the hackers themselves.
Identifying Attackers
33% organization internal security teams
40% benign third party – law enforcement
27% by attacker
Sources of Costs Incurred After Breach
The study also provides a breakdown of the various costs incurred after a breach.
Detection and Escalation
Forensic and investigative, assessment and audit service crisis management, communications to executive and boards
Notification
Emails, letters, outbound calls or general notices to data subjects, determination of regulatory requirements, communications with regulators, engagement of outside experts
Post-breach response
Help desk and inbound communications, Credit monitoring and identity protection services Issuing of new accounts of credit cards. legal expenditures, product discounts, regulatory fines
Lost business
Business disruption and revenue losses due to system downtime, cost of losing customers and acquiring new customers, reputational damage and diminished goodwill.
PSC and FERC Regulation
Public utility infrastructure companies have all of the same governmental oversight concerning cybersecurity for corporations plus the additional level of state public service commission (PSC) regulation and even possibly have operations under regulation by the Federal Energy Regulatory Commission (FERC). While “post breach response” cost category identifies “regulatory fines” that may be an understatement as these regulators have much more authority than just imposing fines.
The Board member job at an infrastructure company just became a whole lot more significant.
REF: https://www.ibm.com/reports/data-breach
The Honorable Branko Terzic is a former Commissioner on the U.S. Federal Energy Regulatory Commission and State of Wisconsin Public Service Commission, in addition to energy industry experience was a US Army Reserve Foreign Area Officer ( FAO) for Eastern Europe (1979-1990). He hold a BS Engineering and honorary Doctor of Sciences in Engineering (h.c.) both from the University of Wisconsin- Milwaukee.
#BrankoTerzic #energy #regulations #experience #research #future #opportunity #strategy #management #people #cybersecurity #hacking #security #technology #hacker #infosec #ethicalhacking #cybercrime #tech #linux #cyber #hackers #informationsecurity #cyberattack #programming #malware #kalilinux #privacy #cybersecurityawareness #coding #datasecurity #dataprotection #python #ethicalhacker #hack #it #computerscience #pentesting #informationtechnology #business