A lot of reasons:
2) Regulatory fines placed by laws (e.g. if you don’t secure X you will pay $Y amount)
2) Lawsuits and legal consultation. Legal teams have to figure out what happens in case there is a civil lawsuit that the company is now liable for.
3) Internal investigations. If something breaks, you’ve got to put together a team to figure out what actually happened. Was it a security breach? Was it a software/hardware/architecture problem? Was it an inside job?
4) Fixing the problem. You now need to pull teams off of their planned work to fix the problem.
As for how they slap a price on it, keep in mind that the price is probably wrong just because accurately predicting the cost of future work is very difficult. So when you see that a data breach costs XXX millions, that could just be the regulatory/legal fines (typically priced as a certain amount of $$$ per item, so if 1000 numbers were breached and each one carries a $5 fine then the total is $5000 in fines). It could be that the company is reporting this based on an internal calculator (it will cost us 10,000 man hours to fix, our average IT man-hour rate is $40/hr, therefore $400,000 is the cost of this breach). It could also be a rough estimate based on the overall size and scope compared to historical data.