The costs depend on the incident but you can break it down this way:
1) Investigation costs – A good forensics firm is going to run ~$500 an hour. A moderate sized incident can easily exceed 500 man-hours in labor to properly investigate.

2) Remediation/Recovery costs – If you are unfortunate enough to face a destructive attack like a Ransomware incident you probably need to engage third parties to help remediate and recover from the incident. This can easily exceed 1000 man-hours in labor at the same $500 USD per hour rate.

3) Legal costs – Depending on your industry you probably need to engage outside counsel. This is going to easily be 100k.

4) Notification costs – If you are in a consumer focused space and need to notify a large number of people you can multiply the data subjects times the cost of first class mail (or equivalent in your country). A large print and mail entity will typically do this for around .70 cents per mailer so if you have 1,000,000 customers you are spending 700k just to notify them

We are at 1.5+ Million USD already and that doesn’t take into account the potential costs associated with providing credit monitoring if you choose to go that route. Breaches are expensive and they are never a risk you can drive to zero hence why a good security team is important.