– why do data breaches cost millions of dollars?

31 Answers

Anonymous

The size and nature of the breach will determine the costs. If it’s a ransomware attack, that means hackers have encrypted systems and possibly exfiltrated personal information/confidential business information. The hackers will demand a ransom payment in exchange for a decryption key. If the company can get back online from backups and doesn’t need a decryption key, then the hackers threaten to release the private data. Two-pronged attack to increase their ability to get ransom money. The ransom payment, if paid, could be in the millions.

If personal information has been taken and/or accessed (either through a ransomware attack or a regular breach), then the company may have notification obligations to those individuals as well as regulators. The company will also have to offer credit monitoring (1 or 2 years depending on the jurisdiction) and set up a call center to speak with impacted individuals who want more information.

There are costs for privacy attorneys to assist with the review of data and notification obligations, discussions with regulators, work with computer forensic firms, ransomware negotiators, data miners etc.

There are costs for computer forensics to come in, contain, mitigate, and remediate computer systems, servers, etc. If machines have been bricked, those need to be replaced.

There are costs for data miners if needed to drill down and determine what information has been accessed and/or taken and to identify the population of people that require notice.

Mailing notices costs money. (Think $2/pp where 1 million people need to get notice).

Sometimes the individuals who receive notice will file lawsuits against the company alleging various violations of state and federal privacy protection laws. If this is a class action, then it’s a large number of people and statutory penalties per person can add up into the millions. Sometimes regulators will open an investigation and will require additional information and/or documents. Sometimes regulators impose fines.

All of these elements present costs that can add up into millions.

Companies that get hacked may handle personal information for their customers (think hospitals or accounting firms). But even if they don’t, all companies house personal information for their own employees.

Think of the Starwood/Marriott breach or the Colonial Pipeline ransomware attack. Those are a couple of good examples of how costs get into the millions (100s of millions for Marriott).

Edit: companies are always responsible for the personal information given to them by customers. Many companies use third party providers or outside vendors (think cloud storage) and will share that data. If a third party provider or vendor gets hacked, it is still the company’s responsibility to handle/pay for the notice etc. (of course there are subrogation options, but that comes later).

Spelling/grammar

Edit 2: also, there are business interruption costs in ransomware situations because many companies can’t operate at full capacity. They can’t manufacture, they can’t deliver products or finish projects, they may be in breach of contract with their customers, they need to bring in temporary staff, they may need to manually do what is normally automated, they are losing money daily until systems are restored.