Finally something I can answer, I work in insurance specifically on cyber R&D.

There are many factors that affect the cost of data breaches that all add up. First there are internal costs, forensic costs to identify what system was exploited, fixing the computer systems/software vulnerability that caused the perpetrator to penetrate the system and steal the data. This can also cause something called Business Interruption, where the company can’t do its daily business as computer systems get fixed. Then there are costs that are incurred to notify parties of their data being stolen. Most of these costs are partly covered by insurance though.
Then there are external costs depending on what kind of data got stolen, is it personal identifiable information (SS numbers, birth dates, e-mail addresses etc.) personal credit info (cc numbers, expiration dates, bank account numbers etc.) or personal health info (diseases, health history etc.). I listed the three main categories in order of increasing costs and penalties that can be imposed on the company being breached. On top of that companies have to defend themselves in court in case of lawsuits, so you have lawyer costs, they have to pay fines, etc. all this adds up to a lot in the long run.
One other cost that is added but is not per se tangible is reputation harm costs, as the company might lose customers due to the breach.