Data Breach Costs Can Run into the Millions. Can Artificial Intelligence Act as a Risk Management Bulwark?
IBM Security’s recently published Cost of a Data Breach Report 2021 confirms trends that insurers and their clients have recognized anecdotally, and it highlights measures companies can take—especially adopting artificial intelligence (AI)—to reduce the cost of inevitable security breaches.
Analyzing the Ponemon Institute’s research into 537 actual breaches across 17 industries worldwide, IBM Security found a 10% increase in the total cost of each breach, the largest increase in the last seven years. In fact, the $4.24 million average cost per breach, up from $3.86 million last year, was the highest in the 17 years the study has been conducted.
Unsurprisingly, the pandemic played a significant role in fueling the increase—when remote work was a factor, the cost of breaches was $1.07 million higher.
“Additionally, organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely,” the report said.
Breach costs were highest in the health care industry, jumping to $9.23 million this year from $7.13 million in last year’s study, followed by the financial industry and pharmaceuticals.
Corey Hamilton, financial services partner on IBM’s global security services team, noted the direct relationship between cost and the types of data compromised. Personal customer data are critical to the financial and especially health care industries, making them lucrative targets for cyber attacks. In addition, those organizations incur steep regulatory- and compliance-related costs when breaches occur.
“And loss of intellectual property is a significant cost in industries such as pharmaceuticals,” Hamilton said.
Breach costs reported by insurers and in other studies often focus on the insurers’ claims data, the hard-dollar costs associated with incident response (IR) and investigation, said Robert Rosenzweig, national cyber risk practice leader at Risk Strategies Company. He added that the IBM study also includes related factors, such as the potential for business interruption and reputational impact.
“It’s enlightening, in that those costs probably are closer to the reality of the total business impact you could have on an affected organization,” Rosenzweig said.
Analyzing Data Breach Business Interruption Costs
In fact, business interruption costs can be particularly extensive, said Christine Flammer, team leader, cyber and technology, at AXA XL, pointing to the study’s finding that lost business made up 38% of total breach costs.
“What stood out for me, and what I’m hoping insured organizations are understanding, is the business-interruption portion of this,” Flammer said.
“We often see insureds buying cyber insurance to cover ransom payments and IC costs, but it surprises me how often they are blindsided by the business interruption side of the breach.”
She added that organizations are frequently under the false assumption that once the ransom is paid, they can press a button to get the business up and running again. However, the data restoration process can take weeks and even months after the incident occurs.
“While the business may not be shut down at that point, it’s a massive disruption,” she said. “And the more complex the organization, the longer it will take to go through each system to get it back up and running.”
How Artificial Intelligence Can Help
Flammer said the IBM study largely confirmed trends that AXA XL has seen, but another finding that stood out is the 80% cost difference when security artificial intelligence (AI) and automation were fully deployed compared to no deployment — $2.90 million compared to $6.72 million.
The share of organizations responding to the study with fully or partially deployed security AI and automation, used to identify and contain breaches faster, was 65% in 2021 compared to 59% last year.
A zero-trust approach to security also significantly reduced breach costs.
Such an approach assumes user identities or the network itself may be compromised and uses AI and analytics to continuously validate connections between users, data and resources. The study found the average cost for organizations employing zero trust to be $3.28 million compared to $5.04 million for those without, a savings of $1.76 million, or 35%.
In addition to AI and zero-trust measures, the study provides several other recommendations to help minimize the financial impacts of a data breach. They include stress testing the organization’s IR plan to increase cyber resilience and using tools to help protect and monitor endpoint devices, such as laptops and smartphones, especially those used by employees working remotely.
Rosenzweig said that in addition to endpoint detection, important security measures his firm is talking to clients about are multi-factor authentication, in which users are granted access by presenting two or more pieces of evidence to an authentication mechanism, and regular encrypted backups of data.
“Those are the controls that are important to focus on regardless of whether the ultimate goal is to procure cyber insurance, because they are the controls that help from a risk-management standpoint,” Rosenzweig said.
Flammer said that the low-hanging fruit in terms of key measures for organizations to implement to lower breach costs, including those without the resources to install state-of-the-art technology solutions, are an IR team and regular IR plan testing.
According to the 2021 IBM study, the average cost of breaches at organizations with both IR teams and plan testing was $3.25 million, compared to $5.71 million at organizations without those elements, a difference of 43%.
“The ability to stress test your IR plan is critical,” Hamilton said.
Cyber insurance can also help minimize financial losses related to breaches, Flammer said, adding that AXA XL encourages clients to implement and routinely test IR plans, to develop “muscle memory” in order to “hit the ground running” should a breach occur. That requires communicating with their carriers about which vendors they have vetted that can be contacted in the event of a breach.
“Those organizations tend to fare much better financially in the wake of an incident than those we’ve never heard from,” Flammer said. “It takes the mystery out of how to respond to data breaches.”
In fact, the IBM study shows the average cost of breaches that took less than 200 days to detect and contain to be nearly 26% lower than those that took more than 200 days — $3.61 million compared to $4.87 million. That gap of $1.26 million compares with $1.12 million in 2020.
“That means the beneficial cost impact of containment in less than 200 days grew from 2020 to 2021,” the study says.