Data breach costs: Businesses lose 73% of their income in the year following an incident
Erosion of trust, remediation costs, and potential regulatory fines create a confluence of financial burdens for businesses


Companies that suffer data breaches face a significant drop in income on top of the typical associated remediation costs, new research has suggested.
A report from ExtraHop found that public companies experience an average net income drop of 73% within the first year of a data breach’s disclosure, highlighting the painful financial repercussions of security incidents.
The company’s analysis focused on the overall costs associated with data breaches at six unnamed organizations, taking into account potential regulatory fines, legal settlements, and cyber insurance costs on top of any impact to earnings.
“Nearly all” organizations experienced a decline in quarterly earnings in the wake of a data breach, the report found, while stock prices were often found to drop significantly.
In one example, a company’s stock price dipped nearly 21% the day after a breach was disclosed. In this same incident, net income dropped 27% year-over-year in the quarter that the breach occurred.
These income-related losses are compounded by the fact that companies also encounter a domino effect of costs in the wake of a breach, ExtraHop said.
Losses incurred in the aforementioned example from ExtraHop were in addition to over $1 billion in reported costs, which included regulatory penalties, legal fees, and “multiple settlements with consumers, businesses, and individual states”.
“Net income for five of the organizations we studied sank an average of 73% within nine to 12 months of each organization announcing a breach.
“In addition, in nearly all cases, quarterly earnings declined and stock prices dropped significantly after data breaches.”
The study noted that while “economic and other business factors” may also have contributed to sluggish financial performances, there is “no question” that the breaches impacted company performance.
Patrick Dennis, CEO at ExtraHop, said the research highlights the “ripple effect” that a security incident could have on company finances due to reputational damage and a loss of consumer or client trust.
“When a data breach hits, real people lose real money - it goes way past the upfront costs that accompany stolen records and the number of people affected,” he said.
“Both investors and customers lose faith in the business, which has a ripple effect on the organization for years to come. It’s important that corporate leaders take a hard look at their budget and make the cyber security investments they need to more effectively manage risk.”
High stakes for businesses
Data breach costs can become a significant burden for organizations in the wake of an incident. Research from IBM showed that UK businesses pay an average of £3.4 million in overall costs following an incident.
Although the report emphasized the potential financial repercussions of a data breach, the 2023 figures published last month mark a decrease compared to 2022, which saw the average cost stand at £3.8 million.
The report noted, however, that this is still a 9% increase on 2020 figures, underlining the rising costs associated with data breaches over the last three years.
Stronger regulatory standards have been introduced in recent years to protect consumers and businesses in the wake of a data breach, most notably with the EU’s GDPR legislation.
Last week the US Securities and Exchange Commission (SEC) also introduced far stricter reporting standards for public companies that encounter security incidents.
New rules outlined by the commission will require companies to disclose a data breach or security incident within four days of the event unfolding.
The new ‘Form 8-K’ rules will mean firms are required to provide information on the timing of the incident, as well as its scope and potential impact on customers or clients.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.