
Data Breach

Boards Must Ask: What are the costs of a breach?

By Branko Terzic

Members of the Board of Directors of U.S. critical infrastructure companies should look closely at the 2024 IBM Cost of a Data Breach Report. The study groups energy, public sector, communications, finance, healthcare, technology and transportation into this critical infrastructure category. In my discussions with electric, gas and water utility executives and directors I note that there is an understanding of the vulnerability of infrastructure to hacker attacks, but not an awareness of what the costs of such an attack would be.

What is the cost to a regulated public utility of not being protected from breaches in IT and OT systems by hackers?

The IBM study answers that question. An analysis of the study provides an estimate of an average cost of $11 million for a data breach at a critical infrastructure company in the U.S.

Cost of Breach

Global average cost of a data breach: $4.45 Million
Global average cost of a data breach, energy: $4.78 Million
Global average cost of a data breach, infrastructure: $5.24 Million
Global average cost of a data breach, other industries: $3.78 Million
U.S. average cost of a data breach: $9.48 Million

Making the assumption that U.S. infrastructure costs, like the global averages, are 18% higher than the $9.48 M average U.S. cost of a data breach yields a U.S. average cost of a data breach for infrastructure of $11 Million.

The IBM report also indicated that it took the average firm 207 days even to identify a breach. Most surprisingly, IBM reports that more than a quarter of the breaches were brought to the company’s attention by the hackers themselves.

Identifying Attackers

33% organization's internal security teams
40% benign third party (e.g., law enforcement)
27% by the attacker

Sources of Costs Incurred After Breach

The study also provides a breakdown of the various costs incurred after a breach.

Detection and Escalation

Forensic and investigative services, assessment and audit services, crisis management, communications to executives and boards

Notification

Emails, letters, outbound calls or general notices to data subjects, determination of regulatory requirements, communications with regulators, engagement of outside experts

Post-breach response

Help desk and inbound communications, credit monitoring and identity protection services, issuing of new accounts or credit cards, legal expenditures, product discounts, regulatory fines

Lost business

Business disruption and revenue losses due to system downtime, cost of losing customers and acquiring new customers, reputational damage and diminished goodwill.

PSC and FERC Regulation

Public utility infrastructure companies have all of the same governmental oversight concerning cybersecurity that applies to corporations generally, plus the additional level of state public service commission (PSC) regulation, and possibly also operations regulated by the Federal Energy Regulatory Commission (FERC). While the “post-breach response” cost category identifies “regulatory fines,” that may be an understatement, as these regulators have much more authority than just imposing fines.

The Board member job at an infrastructure company just became a whole lot more significant.

REF: https://www.ibm.com/reports/data-breach


The Honorable Branko Terzic is a former Commissioner on the U.S. Federal Energy Regulatory Commission and the State of Wisconsin Public Service Commission. In addition to his energy industry experience, he was a U.S. Army Reserve Foreign Area Officer (FAO) for Eastern Europe (1979-1990). He holds a BS in Engineering and an honorary Doctor of Sciences in Engineering (h.c.), both from the University of Wisconsin-Milwaukee.
