Why do data breaches cost millions of dollars?

Anonymous 0 Comments

A number of reasons but to put it simply:

* There are fines, depending on the size of the company, the size of the breach and the country. For example, British Airways had a huge data breach in 2018 and was fined $26 million. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019.
* Consultants/experts are needed to investigate, find out how the data was breached, and fix any IT issues they find/increase security. This could easily be millions for a large company.
* Civil lawsuits.
* Loss of business. Businesses are less likely to work with you due to fear of bad PR, data protection and loss of customers using your service.
* Bad PR leads to a decline in your stock value (this could easily wipe millions from a company’s stock).

Anonymous 0 Comments

Infosec Architect here. Aside from lost business, civil cases and regulator penalties, finding the root cause, searching for other potential problems, sanitizing everything etc. can often take literally thousands of person days. Normally you don’t have that kinda staff on hand, so you end up paying big bucks to a consultancy that has you over a barrel and knows it.

Anonymous 0 Comments

I work in hospital healthcare, and recent government changes allow for a fine of up to $15 million in the case of patient health information being stolen. Except for special circumstances, we are requiring cyber insurance be in all vendor contracts now. Most of our vendors are not happy with it.

Anonymous 0 Comments

1. Ransom money
2. Money to fix the breach
3. Lost business because customers don’t trust you anymore.
4. Loss of competitive advantage because your inventions were stolen.
5. Government fines.
6. Lawsuits from customers.
7. Higher insurance premiums.

Probably more but all I can think of on first pass!

Anonymous 0 Comments

A lot of reasons:

1) Regulatory fines placed by laws (e.g. If you don’t secure X you will pay $Y amount)

2) Lawsuits and legal consultation. Legal teams have to figure out what happens in case there is a civil lawsuit that the company is now liable for.

3) Internal investigations. If something breaks, you’ve got to put together a team to figure out what actually happened. Was it a security breach? Was it a software/hardware/architecture problem? Was it an inside job?

4) Fixing the problem. You now need to pull teams off of their planned work to fix the problem.

As for how they slap a price on it, keep in mind that the price is probably wrong, just because accurately predicting the cost of future work is very difficult. So when you see that a data breach costs XXX millions, that could just be the regulatory/legal fines (typically priced as a certain amount of $$$ per item, so if 1000 numbers were breached and each one carries a $5 fine then the total is $5000 in fines). It could be that the company is reporting this based on an internal calculator (it will cost us 10,000 man hours to fix, our average IT man-hour rate is $40/hr, therefore $400,000 is the cost of this breach). It could also be a rough estimate based on the overall size and scope compared to historical data.

Anonymous 0 Comments

Source: I’m a cybersecurity consultant who specializes in this very topic.

The reasons are many:
– Loss of data and the sum of labor to create/maintain the data
– Ransom/extortion payments (often in the millions for big-game-hunting targets)
– Inability to operate physical sites (think ransomware or denial of service)
– Contract violations (think distribution, supply chain, etc.)
– Regulatory penalties (contractual councils and various governmental, YMMV from place to place and on what occurred)
– Costs of response – engaging with third-party security providers, outside counsel, etc.
– Reputational cost implying market share loss in the form of opportunity cost (hardest one to calculate up front, but loss of market share is a hard and lasting loss)
– Loss of certain credentials/certifications or in some cases limits or inability to accept payment from clients/customers (oof)
– Subsequent legal actions, settlements, court payment orders, and cost of legal defense
– Increased costs to operate – reactive security purchases, process changes, increased digital insurance premiums
– Many more!

The specifics to your question vary from industry to industry and the unique victim of the breach/attack. At the end of the day, a critical incident is a bad day for any organization.

Anonymous 0 Comments

Incident response firms, public relations, lawyers, disclosures, reprioritization of tech staff, identity monitoring, penalties.

Anonymous 0 Comments

Because the company is going to have to pay to notify everyone whose data was taken and likely pay for identity theft protection/insurance for all of them for at least a couple years.

And that’s not all just consumers, it’s also other vendors, business partners, contractors, grantees, etc.

Anonymous 0 Comments

I work in InfoSec for a highly regulated organization that was breached a couple of years ago. Here’s a high level overview of costs:

* Business costs – direct: Every minute of downtime is money down the drain. This is highly subjective to the type of business though. Even catching up from minor downtime will have costs associated with “catching up”. If you go down for a week or two, your business employees might be working overtime for a few months to get everything caught up.
* Business costs – indirect: You might lose business down the road if customers/partners are afraid of working with you – aka reputational costs. Your compliance people and other parts of the company will spend a lot of time over the next months and years talking to your clients and keeping them happy by assuring them that you’re safe to work with.
* Audit costs: Your Big 4 audit firm that conducts the annual financial audit is now suspicious of the data in your systems and will likely do some deeper auditing (for a price) to confirm that all financial data is correct before they sign off on it.
* Regulatory costs: You might be hit with hefty fines by one or more regulators. You will also waste a lot of internal hours working with them and keeping them happy.
* Ransom: If you choose to pay it, it could easily be tens of millions of dollars for companies that aren’t even Fortune 500 level.
* Compensation / consumer legal costs: You might get sued by the impacted people. You might have to provide them all with credit monitoring services for a year or two (very common).
* IT response costs: Most big IT shops have disaster recovery (DR) processes that might involve failing over to a DR environment. Unless they maintain everything in house, you might pay a large fee to a partner to activate and stand up that DR environment. You might be paying a vendor involved with your backup processes to help provide the backup data/tapes needed to be restored. You have to lean on a crisis communication platform to help coordinate communication with employees, which is not free.
* InfoSec investigation and response costs: Most companies have partners like Crowdstrike or IBM X-force or Secureworks on retainer that they would call in like a bat signal. They may have multiple companies that, for example, help with data analysis to help determine the extent and source of the breach on top of what forensics firms do. They will often deploy software in your environment for forensic purposes and charge you for the license. These services and tools are not cheap.
* PR/Comms response: Most companies have PR partners that will help them manage crisis comms on retainer. They are not cheap.
* Legal response: Most companies have legal partners that specialize in this type of crisis and will help advise and even negotiate with the attacker. They also help with notifying impacted persons and relevant regulatory entities. They are not cheap.
* Insurance costs: You might have cyber liability insurance to help with some or all of these costs, but you will first pay a deductible and then your premiums going forward will definitely increase (similar to what happens with other types of insurance). Or even worse, you may have to BEG for cyber liability insurance going forward, which might force your team to spin up a dedicated team of subject matter experts for insurance readiness and assurance.
* InfoSec/IT projects to close the gaps (can take 2-3 years): Once you figure out how you were breached, there will be a long road ahead of fixing those problems and improving. If you get breached again, really bad things will happen that could mean the death of the company and/or the termination of most/all employees involved.
* Note that some of these costs might have happened anyway, but the company will be prioritizing them ahead of, for example, initiatives that might make more money for the company.
* That’s just off the top of my head. If I think of anything else, I’ll update.

Anonymous 0 Comments

U.K. data protection law allows for fines of up to 4% of annual global turnover or £17.5 million, whichever is the higher!