Source: I’m a cybersecurity consultant who specializes in this very topic
The reasons are many:
– Loss of data and the sum of labor to create/maintain the data
– Ransom/extortion payments (often in the millions for big-game-hunting targets)
– Inability to operate physical sites (think ransomware or denial of service)
– Contract violations (think distribution, supply chain, etc.)
– Regulatory penalties (contractual councils and various governmental, YMMV from place to place and on what occurred)
– Costs of response – engaging with third-party security providers, outside counsel, etc.
– Reputational cost implying market share loss in the form of opportunity cost (hardest one to calculate up front, but loss of market share is a hard and lasting loss)
– Loss of certain credentials/certifications or in some cases limits or inability to accept payment from clients/customers (oof)
– Subsequent legal actions, settlements, court payment orders, and cost of legal defense
– Increased costs to operate – reactive security purchases, process changes, increased digital insurance premiums
– Many more!
The specifics to your question vary from industry to industry and the unique victim of the breach/attack. At the end of the day, a critical incident is a bad day for any organization.