Despite the high cost of regulatory fines and litigation,  the largest contributor to ballooning data breach expenses may be the inability to get back to business as usual.

IBM's “Cost of a Data Breach Report” found that the top expense contributing to a data breach's cost is the lost business and related business disruption caused by the incident.

The report, which was commissioned by IBM and conducted by the Ponemon Institute, was based on a survey of 500 companies around the globe that experienced a data breach between July 2018 and April 2019.

While the locations of the breached companies varied, on average their largest expense was the loss of business, according to the survey.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, noted the lost business cost largely entailed the financial loss of losing a customer after a data breach, as well as the associated costs of marketing to rebuild client confidence and gain new customers. Loss of business also included reduced employee productivity because a breach blocked workers from accessing needed data or from assigning workers to assist in fixing a breach-related issue.

In total, lost business accounted for 36% of a data breach's cost, averaging $1.42 million per data breach. Meanwhile, the detection of a breach and escalation, which includes informing shareholders, company personnel and regulators, accounted for 31% of a data breach's cost, followed by 27% for post-breach demands, which includes identity protection and credit report monitoring.

The survey found that such expenses aren't only felt by the company during the first year of the data breach. Indeed, although 67% of breach costs arrive in the first year, 22% appear in the second year after a breach and 11% arise more than two years after a breach.

Among all surveyed companies, those in the U.S. experienced the highest breach-related costs. Since 2006, the average total cost of a data breach in the U.S. jumped 130% from $3.54 million to $8.19 million. Likewise, the U.S. also led in the amount of time and company resources used to address data breaches.

IBM Security executive security adviser Limor Kessem explained the U.S. total costs were highly influenced by the abundance of technical records of sensitive information, including health care, payment card, biometrics and Social Security data held by some companies. 

Meanwhile, some U.S. companies operate in highly regulated industries, meaning they have to deal with added compliance and legal costs compared to organizations in less-regulated countries.

Still, not all industries in the U.S. are regulated equally or have access to sensitive information. The survey found that the U.S. health care ($6.45 million), financial (5.86 million), and energy ($5.6 million) industries had the highest data breach costs compared to the public ($1.29 million), research ($1.65) and retail ($1.84 million) industries.

In addition to detailing the growing costs associated with a data breach, the report also offered some insight into how to combat those growing expenses. Specifically, it found that companies that deployed an incident response team reduced their total breach cost by $360,000, while “extensive” incident response tests knocked $320,000 from a data breach's total cost.

“Organizations that have a strong incident response team and includes the testing and protocols to reduce the risk are basically organizations that are better prepared,” Ponemon said.

Likewise, automation, taking a security-first approach when developing operational procedures and cloud migration were also listed as factors that decrease the cost of a data breach.