Why do data breaches cost millions of dollars?

31 Answers

Anonymous

I work in InfoSec for a highly regulated organization that was breached a couple of years ago. Here’s a high level overview of costs:

* Business costs – direct: Every minute of downtime is money down the drain. This is highly subjective to the type of business though. Even catching up from minor downtime will have costs associated with “catching up”. If you go down for a week or two, your business employees might be working overtime for a few months to get everything caught up.
* Business costs – indirect: You might lose business down the road if customers/partners are afraid of working with you – aka reputational costs. Your compliance people and other parts of the company will spend a lot of time over the next months and years talking to your clients and keeping them happy by assuring them that you’re safe to work with.
* Audit costs: Your Big 4 audit firm that conducts the annual financial audit is now suspicious of the data in your systems and will likely do some deeper auditing (for a price) to confirm that all financial data is correct before they sign off on it.
* Regulatory costs: You might be hit with hefty fines by a regulator(s). You will also waste a lot of internal hours working with them and keeping them happy.
* Ransom: If you choose to pay it, it could easily be tens of millions of dollars for companies that aren’t even Fortune 500 level.
* Compensation / consumer legal costs: You might get sued by the impacted people. You might have to provide them all with credit monitoring services for a year or two (very common).
* IT response costs: Most big IT shops have disaster recovery (DR) processes that might involve failing over to a DR environment. Unless they maintain everything in house, you might pay a large fee to a partner to activate and stand up that DR environment. You might be paying a vendor involved with your backup processes to help provide the backup data/tapes needed to be restored. You have to lean on a crisis communication platform to help coordinate communication with employees, which is not free.
* InfoSec investigation and response costs: Most companies have partners like CrowdStrike or IBM X-Force or Secureworks on retainer that they would call in like a bat signal. They may have multiple companies that, for example, help with data analysis to help determine the extent and source of the breach on top of what forensics firms do. They will often deploy software in your environment for forensic purposes and charge you for the license. These services and tools are not cheap.
* PR/Comms response: Most companies have PR partners that will help them manage crisis comms on retainer. They are not cheap.
* Legal response: Most companies have legal partners that specialize in this type of crisis and will help advise and even negotiate with the attacker. They also help with notifying impacted persons and relevant regulatory entities. They are not cheap.
* Insurance costs: You might have cyber liability insurance to help with some or all of these costs, but you will first pay a deductible and then your premiums going forward will definitely increase (similar to what happens with other types of insurance). Or even worse, you may have to BEG for cyber liability insurance going forward, which might force your team to spin up a dedicated team of subject matter experts for insurance readiness and assurance.
* InfoSec/IT projects to close the gaps (can take 2-3 years): Once you figure out how you were breached, there will be a long road ahead of fixing those problems and improving. If you get breached again, really bad things will happen that could mean the death of the company and/or the termination of most/all employees involved.
* Note that some of these costs might have happened anyway, but the company will be prioritizing them ahead of, for example, initiatives that might make more money for the company.
* That’s just off the top of my head. If I think of anything else, I’ll update.