Tags: Risk Management, Data Breach, Business Impact, Cyber Insurance

The Real Cost of a Data Breach

Sam Wheeler · April 17, 2023

IBM's annual Cost of a Data Breach report puts the global average at $4.45 million in 2023. That number gets cited a lot. It also gets dismissed a lot — "we're not that big, our breach wouldn't cost that much." Both reactions miss the point.

Understanding what goes into breach costs is what matters. The number isn't what's useful — the breakdown is.

The Costs People Think About

Incident response. Forensic investigation to understand what happened, how, and what was accessed. For a meaningful breach, this runs $50,000–$200,000+ depending on complexity.

Notification. Every US state has breach notification laws. Most require notification to affected individuals within 30–60 days. For a breach involving health or financial data, there are additional federal requirements. Notification logistics — mailing, call center, credit monitoring — add up fast.

Legal and regulatory. Depending on the data involved and your industry, you may face regulatory fines (FTC, HHS, state AGs), class action exposure, or both. Healthcare breaches draw particular scrutiny from HHS OCR.

The Costs People Underestimate

Business disruption. If attackers encrypted your systems, how long are you down? What's your daily revenue? What contracts are at risk if you can't deliver? Downtime costs frequently exceed direct incident response costs.

Customer churn. Research consistently shows that data breaches erode customer trust — and that trust takes years to rebuild. The customers who leave quietly don't show up in your incident cost estimate, but they absolutely show up in your financials.

Reputational damage. This is the hardest to quantify and often the most lasting. Enterprise prospects run security assessments. A breach that shows up in public records can cost you deals for years.

Employee time. Your team's time has a cost. Every hour your CTO, legal counsel, HR director, and operations team spend on breach response is an hour they're not spending on the business. This rarely gets accounted for in breach cost estimates.

What This Means for Security Investment

The purpose of security investment isn't to eliminate risk — that's not achievable. The purpose is to reduce risk to an acceptable level at a reasonable cost.

When you're deciding whether a security control is worth the investment, the math should look like this: what's the probability of a breach without this control, how much does the control reduce that probability, what's the expected cost if a breach occurs, and what does the control cost? If the reduction in expected loss the control delivers exceeds its cost, it's worth doing.

Most organizations don't do this math explicitly. They rely on gut instinct, peer benchmarking, or compliance requirements. That's fine as a starting point — but organizations that approach security investment analytically consistently make better decisions.
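The comparison described above, as an added example that is not the article's own calculation: it models one breach as the sum of the cost categories the article lists (constructed figures), computes the expected annual loss with and without a hypothetical control, and applies the "value exceeds cost" test. Control names, probabilities and dollar values are all assumptions.

```python
from dataclasses import dataclass

# Cost categories the article lists, in USD. Every figure is constructed for
# illustration; only the incident-response range comes from the article.
BREACH_COSTS = {
    "incident_response": 120_000,       # forensics, inside the $50k-$200k+ range
    "notification": 80_000,             # mailing, call center, credit monitoring
    "legal_regulatory": 150_000,        # counsel, fines, class-action reserve
    "business_disruption": 4 * 75_000,  # 4 days down at $75k revenue per day
    "customer_churn": 200_000,          # lifetime value of customers who leave
    "employee_time": 40 * 8 * 150,      # 40 person-days of senior staff at $150/h
}
UNDERESTIMATED = ("business_disruption", "customer_churn", "employee_time")

def total_breach_cost(costs=BREACH_COSTS) -> int:
    # Cost of one breach: every category, not just the ones people think about.
    return sum(costs.values())

def underestimated_share(costs=BREACH_COSTS) -> float:
    # Fraction of the total sitting in the categories that usually get left out.
    return sum(costs[k] for k in UNDERESTIMATED) / total_breach_cost(costs)

@dataclass
class Control:
    name: str
    annual_cost: float        # licence plus staff time to run it, per year
    p_breach_without: float   # annual breach probability with no control
    p_breach_with: float      # annual breach probability once it is in place

def expected_annual_loss(p_breach: float, breach_cost: float) -> float:
    # Annualised loss expectancy: breach probability times breach cost.
    return p_breach * breach_cost

def control_value(c: Control, breach_cost: float) -> float:
    # Reduction in expected annual loss that the control buys.
    return (expected_annual_loss(c.p_breach_without, breach_cost)
            - expected_annual_loss(c.p_breach_with, breach_cost))

def is_worth_it(c: Control, breach_cost: float) -> bool:
    # The article's test: the control pays off if its value exceeds its cost.
    return control_value(c, breach_cost) > c.annual_cost

if __name__ == "__main__":  # hypothetical controls with constructed probabilities
    cost = total_breach_cost()
    for c in (Control("MFA on all remote access", 30_000, 0.20, 0.10),
              Control("EDR rollout", 120_000, 0.20, 0.12)):
        verdict = "worth it" if is_worth_it(c, cost) else "not worth it"
        print(f"{c.name}: ${control_value(c, cost):,.0f} value vs "
              f"${c.annual_cost:,.0f} cost -> {verdict}")
```

With these constructed numbers the three underestimated categories make up about 61% of the breach cost, which is why leaving them out of the estimate flips the verdict on marginal controls.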

Cyber Insurance Fills Some Gaps, Not the Ones You Don't Plan For

Cyber insurance is an important risk transfer tool, but it's not a substitute for controls. Insurers increasingly require documented controls as a condition of coverage. And policies have sublimits, exclusions, and retentions that mean your coverage won't cover everything.

Know what your policy covers. Know what it doesn't. And build your security program to address the gaps that insurance won't fill.
