Global Average Cost of a Data Breach Reaches $4.88M in 2023

Business disruption and response costs drive up cost of breaches, while AI is lowering costs and plugging talent gaps, IBM finds.

By: R&I Editorial Team | August 7, 2024

Topics: Cyber | News

The global average cost of a data breach has risen to $4.88 million, a 10% increase from $4.45 billion the previous year, according to IBM’s annual Cost of a Data Breach Report for 2024.

For the 14th year, the report found that U.S. companies in 2023 had the highest average data breach costs, or $9.36 million, among 16 countries and regions surveyed.

By industry, the health care sector incurred the highest average costs from a data breach in 2023, $9.77 million, followed by financial services, $6.08 million, industrial, $5.56 million, and technology firms, $5.45 million, according to IBM.

“Businesses are caught in a continuous cycle of breaches, containment and fallout response,” commented Kevin Skapinetz, vice president, strategy and product design for IBM Security. “As generative AI rapidly permeates businesses, expanding the attack surface, these expenses will soon become unsustainable, compelling businesses to reassess security measures and response strategies.”

The report, based on an in-depth analysis of data breaches experienced by 604 organizations globally, indicates that breaches have become more disruptive, increasing demands on cyber teams. IBM found that 70% of breached organizations reported that the breach caused significant or very significant disruption.

The rise in costs of data breaches is fueled in part by an 11% increase in lost business and post-breach response costs, the study noted. Breaking down the components of data breach costs, detection and escalation expenses accounted for the greatest share of 2023 costs, or $1.63 million, followed by lost business costs (loss of revenue, customers and reputation), at $1.47 million. Post-breach response costs totaled $1.47 million while notification expenses were $430,000 on average.

The mean time to identify and contain a data breach declined in 2023 to a seven-year low of 258 days, IBM reported. This included 194 day mean time to identify and 64 day mean time to contain a breach.

Among organizations that had recovered from a data breach, more than three quarters said it took more than 100 days to recover, including 35% that said it took more than 150 days. Only 3% of firms reported being able to recover in less than 50 days.

Impact of Cybersecurity Staffing

The IBM report found more than half of breached organizations had severe or high-level staffing shortages last year, up 26.2% compared with 2022.

Organizations facing severe staffing shortages experienced an average of $1.76 million in higher breach costs, according to the report.

“Even as 1 in 5 organizations say they used some form of gen AI security tools — which are expected to help close the gap by boosting productivity and efficiency — this skills gap remains a challenge,” the report noted.

However, IBM’s report stated that the implementation of AI-powered cybersecurity prevention has proved beneficial, with organizations deploying security AI and automation incurring an average $2.2 million less in breach costs and containing incidents on average 98 days faster.

Types of Data Compromised

The most common type of data stolen or compromised was customer personally identifiable information (PII), at 48% of breaches in 2023, down from 52% in 2022. Employee PII was compromised in 37% of breaches, down from 40%. Intellectual property was compromised in 43% of breaches, up from 34%.

The study also highlighted the growing challenge with tracking and safeguarding data, with 40% of breaches involving data stored across multiple environments and more than one-third of breaches involving shadow data, which is unmanaged data sources, IBM reported.

Attack Vectors for a Breach

Stolen or compromised credentials was the most common initial attack vector in 2023, accounting for 16% of breaches, IBM found. Phishing was the second leading vector, followed by cloud misconfiguration.

The average cost of a breach when attackers used stolen or compromised credentials was $4.81 million, while phishing and business email compromise each resulted in average costs of $4.88 million.

“Malicious attacks — those committed by outside attackers or criminal insiders — made up 55% of all breaches. As concerning as these breaches are, it’s important to remember the remaining 23% are due to IT failure and 22% are due to human error,” the report noted.

For a full copy of the report, visit IBM’s website. &

The R&I Editorial Team can be reached at [email protected].

Vermont’s Future Is Golden

Challenging market conditions are driving insureds to captives. Vermont offers a reliable domicile.

By: State of Vermont | November 21, 2024

Hard markets in commercial insurance lines have been a problem for years now. Many lines don’t show signs of softening, though some, like cyber, have ebbed over the past few years.

High claims volumes and costs have caused carriers to tighten terms and conditions, introduce new exclusions and increase premiums. A variety of different risks are included in this market tightening, and it’s affecting both public and private companies.

As Sandy Bigglestone, deputy commissioner for the State of Vermont’s captive insurance division, explained, schools, churches and other nonprofits are contending carriers are “excluding sexual abuse and molestation from coverage for a lot of these types of entities. These organizations understand the risk and the public needs to have confidence the organizations are addressing the risks, so they must have the coverage.”

Though many commercial lines are affected, property has perhaps been hit the hardest. Increased claims, inaccurate property valuations and other challenges have caused insurers to tighten their books in recent years. 2024’s spate of hurricanes will likely make matters worse.

“There continues to be challenges in the commercial market,” Bigglestone said. “Some companies are coming to us with risks that they say they’ve been self-insuring on their balance sheet, and why not transfer that to a captive to receive greater benefits?”

Consistency and Stability

Sandy Bigglestone, Deputy Commissioner for the State of Vermont’s Captive Insurance Division

With the commercial insurance market so unstable, companies are turning to captives to house their exposures. Vermont, a long-time domicile, is getting increased attention because of their strong reputation and their leadership as the top domicile worldwide.

“All stakeholders enjoy the stable political and regulatory environment Vermont has to offer to operate in,” Bigglestone said.

Of course, a lot of consideration goes into deciding whether or not a captive is the right choice for a particular company. Businesses need to assess their exposures and their books to make sure they can adequately operate a captive.

There are significant advantages, however. “For low frequency, high severity risks, captives can access the reinsurance markets directly, so it’s very attractive for businesses to put a captive in place,” Bigglestone said.

And carriers are more accepting of captives as part of a broader insurance program.

“Captives are changing the relationship businesses have with commercial carriers,” Bigglestone said. “Commercial carriers are wanting to see companies with skin in the game; therefore, the relationships have evolved to be less transactional and more strategic.”

Balancing Bureaucracy

With 76 global domiciles, companies have a lot of options when it comes to selecting a captive partner. “Captive insurance domiciles compete globally for the business,” Bigglestone said. “If you were to put all 7,000-plus captive insurance companies around the world, all in New York, it wouldn’t have the same economic impact as 700 captives in Vermont does. The captive insurance industry is very important to our state and we will continue to support it in any way we can.”

Businesses should look for domiciles that balance a need for quality regulations with a process that isn’t overly bureaucratic and is seamless for business owners to navigate.

“Companies are attracted to an environment with quality regulatory standards and a stable regulatory environment,” Bigglestone said. “Vermont sets the regulatory standard in terms of financial analysis and examinations.”

In addition to quality regulations, firms will want to seek out a domicile that is agile enough to license captive insurance companies that fit their unique needs. It is important that a domicile have firm but fair regulation and the experience to consider new ideas and implement them. Companies must consider a variety of factors when choosing a domicile and not everyone will be the right fit for every company.

“You have to consider the captive owner and the industry sector that that owner operates in, as well as the insurance risks that are going into the captive program,” Bigglestone said. “Captive laws and regulations have to have a reasonable degree of flexibility to accommodate all the varying needs of owners and then impose rules based on the merits of each captive program.”

She added that creativity is a critical part of the process: “The ability to vet concepts and ideas with trusted individuals is key to having quality standards,” Bigglestone said. “And it can make captives appealing to insureds who are tired of commercial carriers not meeting the needs of the business, and who desire more control over their insurance programs.”

“When you think about the commercial marketplace, commercial insurers are supposed to operate in each jurisdiction in a competitive manner. Commercial carriers often look the same. They sell auto coverage to anyone with a driver’s license. The rules and regulations imposed upon commercial insurance companies are designed to be more formulaic for that reason,” Bigglestone said.

“Uniform regulatory standards apply to commercial carriers for the protection of the policyholders. These are standards all insurance regulators focus on, and standards captive insurance regulators need to understand, but with a specialized focus.”

A Quality Domicile Built for the Future

A combination of experience, regulatory standards and talent make Vermont a top domicile for companies looking to form a captive. The longevity of licensing captive insurance companies for over forty years is a testament to the quality work they’ve provided in the past and will continue to provide for many years to come.

Vermont’s reputation has helped the state attract and retain top captive talent, ensuring the businesses it serves are in good hands. The state has 32 employees dedicated to captives, and their average employee retention is 15 years. The Vermont Captive Insurance Association, the largest captive insurance trade organization, also helps companies connect with professional services needed to make their captive successful.

“There’s a whole host of service providers with proven expertise right here in Vermont,” Bigglestone said.

Taken together, Vermont’s resources, expertise and talent make it a prime domicile. They’ve been on a growth trajectory over the last few years and that’s unlikely to change anytime soon. Companies can trust their captive will be in good hands when they choose Vermont.

“Vermont has always competed on quality,” Bigglestone said. “We do have a mission and that hasn’t changed in over 40 years. It’s to maintain a system, or domicile that attracts quality business to Vermont, to promote our reputation in the industry, and to uphold a regulatory framework to protect the solvency of the companies that choose to place their business here.”

To learn more, visit: www.vermontcaptive.com

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with State of Vermont. The editorial staff of Risk & Insurance had no role in its preparation.

The State of Vermont, known as the “Gold Standard” of captive domiciles, is the leading onshore captive insurance domicile, with over 1,200 licensed captive insurance companies, including 48 of the Fortune 100 and 18 of the companies that make up the Dow 30.