Data breach costs: Businesses lose 73% of their income in the year following an incident


Companies that suffer data breaches face a significant drop in income on top of the typical associated remediation costs, new research has suggested. 

A report from ExtraHop found that public companies experience an average net income drop of 73% within the first year of a data breach’s disclosure, highlighting the painful financial repercussions of security incidents. 

The company’s analysis focused on the overall costs associated with data breaches at six unnamed organizations, taking into account potential regulatory fines, legal settlements, and cyber insurance costs on top of any impact to earnings.

“Nearly all” organizations experienced a decline in quarterly earnings in the wake of a data breach, the report found, while stock prices were often found to drop significantly. 

In one example, a company’s stock price dipped nearly 21% the day after a breach was disclosed. In this same incident, net income dropped 27% year-over-year in the quarter that the breach occurred.

These income-related losses are compounded by the fact that companies also encounter a domino effect of costs in the wake of a breach, ExtraHop said. 


Losses incurred in the aforementioned example from ExtraHop were in addition to over $1 billion in reported costs, which included regulatory penalties, legal fees, and “multiple settlements with consumers, businesses, and individual states”.

“Net income for five of the organizations we studied sank an average of 73% within nine to 12 months of each organization announcing a breach. 

“In addition, in nearly all cases, quarterly earnings declined and stock prices dropped significantly after data breaches.”

The study noted that while “economic and other business factors” may also have contributed to sluggish financial performances, there is “no question” that the breaches impacted company performance.

Patrick Dennis, CEO at ExtraHop, said the research highlights the “ripple effect” that a security incident could have on company finances due to reputational damage and a loss of consumer or client trust. 

“When a data breach hits, real people lose real money - it goes way past the upfront costs that accompany stolen records and the number of people affected,” he said. 

“Both investors and customers lose faith in the business, which has a ripple effect on the organization for years to come. It’s important that corporate leaders take a hard look at their budget and make the cyber security investments they need to more effectively manage risk.”

High stakes for businesses

Data breach costs can become a significant burden for organizations in the wake of an incident. Research from IBM showed that UK businesses pay an average of £3.4 million in overall costs following an incident. 

Although the report emphasized the potential financial repercussions of a data breach, the 2023 figures published last month mark a decrease compared to 2022, which saw the average cost stand at £3.8 million. 

The report noted, however, that this is still a 9% increase on 2020 figures, underlining the rising costs associated with data breaches over the last three years. 

Stronger regulatory standards have been introduced in recent years to protect consumers and businesses in the wake of a data breach, most notably the EU’s GDPR legislation.

Last week the US Securities and Exchange Commission (SEC) also introduced far stricter reporting standards for public companies that encounter security incidents. 

New rules outlined by the commission will require companies to disclose a data breach or security incident within four days of the event unfolding. 

The new ‘Form 8-K’ rules will mean firms are required to provide information on the timing of the incident, as well as its scope and potential impact on customers or clients. 

Ross Kelly
News and Analysis Editor
